code423n4 opened 2 years ago
It's about wardens' appreciation of our ownership architecture versus ours. We can imagine many other malicious scenarios, assuming that the Multisig/Timelock/OwnerProxy combination is not enough to prevent the protocol from being compromised.
https://github.com/code-423n4/2022-06-nested-findings/issues/84#issuecomment-1165712399
QA01 Uncapped Fees
There is nothing stopping a malicious owner from changing both entryFees and exitFees to 100%. Recommend defining an upper limit and using it in place of 10,000 in the two following require checks:

- NestedFactory.sol#L161
- NestedFactory.sol#L169
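To make the QA01 recommendation concrete, here is a constructed setter with the weak denominator-only bound beside a capped version. This is an added example, not code from NestedFactory.sol; the contract names, the 5% ceiling and the require messages are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

// Constructed illustration for QA01; names and the 5% ceiling are assumptions,
// not code from NestedFactory.sol.
abstract contract OwnedFees {
    address public owner;
    uint256 public entryFees; // basis points, 10,000 = 100%
    uint256 public exitFees;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
}

// Weak: the only bound is the basis-point denominator, so a malicious or
// compromised owner can set either fee to 10,000 (100%) and take every deposit.
contract FeesUncapped is OwnedFees {
    function setEntryFees(uint256 _entryFees) external onlyOwner {
        require(_entryFees <= 10000, "fee above denominator");
        entryFees = _entryFees;
    }

    function setExitFees(uint256 _exitFees) external onlyOwner {
        require(_exitFees <= 10000, "fee above denominator");
        exitFees = _exitFees;
    }
}

// Hardened: a compile-time ceiling well below the denominator. Keeping MAX_FEE a
// constant (not an owner-settable variable) is what makes the bound trustworthy,
// since otherwise the owner could simply raise the cap before raising the fee.
contract FeesCapped is OwnedFees {
    uint256 public constant FEE_DENOMINATOR = 10000;
    uint256 public constant MAX_FEE = 500; // assumed ceiling: 5%

    function setEntryFees(uint256 _entryFees) external onlyOwner {
        require(_entryFees <= MAX_FEE, "fee above cap");
        entryFees = _entryFees;
    }

    function setExitFees(uint256 _exitFees) external onlyOwner {
        require(_exitFees <= MAX_FEE, "fee above cap");
        exitFees = _exitFees;
    }
}
```

A unit test that asserts `setEntryFees(10000)` reverts on the capped contract is the cheapest regression check for this class of finding.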
QA02 Incomplete Natspec
- MixinOperatorResolver.sol#L50 - missing @return in natspec
- OwnableProxyDelegation.sol#L34 - missing @return address
- OwnableProxyDelegation.sol#L55 - missing @param newOwner
- BeefyZapBiswapLPVaultOperator.sol#L231 - missing @return mintedLpAmount
- BeefyZapBiswapLPVaultOperator.sol#L263 - missing @param reserveA, @param reserveB, @param router, @return swapAmount
- BeefyZapUniswapLPVaultOperator.sol#L231 - missing @return mintedLpAmount
- BeefyZapUniswapLPVaultOperator.sol#L262 - missing @param reserveA, @param reserveB, @param router, @return swapAmount