C4-001: Missing events for only functions that change critical parameters - Non Critical
C4-002 : Critical changes should use two-step procedure - Non Critical
C4-003 : Pragma Version - Non Critical
C4-004 : Missing zero-address check in the setter functions and initiliazers - Low
C4-005 : Bump OZ packages to ^4.5.0. - Non critical
ISSUES
C4-001 : Missing events for only functions that change critical parameters
Impact - Non critical
The afunctions that change critical parameters should emit events. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services. The alternative of directly querying on-chain contract state for such changes is not considered practical for most users/usages.
Missing events and timelocks do not promote transparency and if such changes immediately affect users’ perception of fairness or trustworthiness, they could exit the protocol causing a reduction in liquidity which could negatively impact protocol TVL and reputation.
Lack of two-step procedure for critical operations leaves them error-prone. Consider adding two step procedure on the critical functions.
C4-003 : # Pragma Version
Impact
In the contracts, floating pragmas should not be used. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Consider adding zero-address checks in the discussed constructors:
require(newAddr != address(0));.
C4-005: Bump OZ packages to ^4.5.0.
Impact - NON CRITICAL
Line Reference
Description
I can verify that the installed version is 4.2.0 by executing the following commands:
yarn install
yarn list @openzeppelin/contracts
Recommended Mitigation Steps
Update the versions of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to be the latest in package.json. I also recommend double checking the versions of other dependencies as a precaution, as they may include important bug fixes.
ISSUE LIST
C4-001: Missing events for only functions that change critical parameters - Non Critical
C4-002 : Critical changes should use two-step procedure - Non Critical
C4-003 : Pragma Version - Non Critical
C4-004 : Missing zero-address check in the setter functions and initiliazers - Low
C4-005 : Bump OZ packages to ^4.5.0. - Non critical
ISSUES
C4-001 : Missing events for only functions that change critical parameters
Impact - Non critical
The afunctions that change critical parameters should emit events. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services. The alternative of directly querying on-chain contract state for such changes is not considered practical for most users/usages.
Missing events and timelocks do not promote transparency and if such changes immediately affect users’ perception of fairness or trustworthiness, they could exit the protocol causing a reduction in liquidity which could negatively impact protocol TVL and reputation.
Proof of Concept
See similar High-severity H03 finding OpenZeppelin’s Audit of Audius (https://blog.openzeppelin.com/audius-contracts-audit/#high) and Medium-severity M01 finding OpenZeppelin’s Audit of UMA Phase 4 (https://blog.openzeppelin.com/uma-audit-phase-4/)
Tools Used
None
Recommended Mitigation Steps
Add events to all functions that change critical parameters.
C4-002 : Critical changes should use two-step procedure
Impact - NON CRITICAL
The critical procedures should be two step process.
Proof of Concept
Tools Used
Code Review
Recommended Mitigation Steps
Lack of two-step procedure for critical operations leaves them error-prone. Consider adding two step procedure on the critical functions.
C4-003 : # Pragma Version
Impact
In the contracts, floating pragmas should not be used. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Proof of Concept
https://swcregistry.io/docs/SWC-103
Tools Used
Manual code review
Recommended Mitigation Steps
Lock the pragma version: delete pragma solidity 0.8.10 in favor of pragma solidity 0.8.10.
C4-004 : # Missing zero-address check in the setter functions and initiliazers
Impact
Missing checks for zero-addresses may lead to infunctional protocol, if the variable addresses are updated incorrectly.
Proof of Concept
Tools Used
Code Review
Recommended Mitigation Steps
Consider adding zero-address checks in the discussed constructors: require(newAddr != address(0));.
C4-005: Bump OZ packages to ^4.5.0.
Impact - NON CRITICAL
Line Reference
Description
I can verify that the installed version is 4.2.0 by executing the following commands:
Recommended Mitigation Steps
Update the versions of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to be the latest in package.json. I also recommend double checking the versions of other dependencies as a precaution, as they may include important bug fixes.