HardlyDifficult
commented
2 years ago Open code423n4 opened 2 years ago
HardlyDifficult
commented
2 years ago HardlyDifficult
commented
2 years ago HardlyDifficult
commented
2 years ago The primary report has lots of good NC improvements
INibblVaultFactory.solFractionaliseevent parameters are not declared asindexedSome events are missing the
indexedkeyword on addresses. Using theindexedparameters allow external monitoring tool to filter those logs and monitor events in a better way.Fractionalisecan declareassetAddressandproxyVaultasindexedConsider declaring those event parameters as
indexedto better monitor/filter those events.NibblVaultFactoryData.solNatspec documentation partially added or missing at all
All the state variables declared inside
NibblVaultFactoryDatacontract are missing natspec documentation.Natspec documentation are useful for internal developers that need to work on the project, external developers that need to integrate with the project, auditors that have to review it but also for end users given that Etherscan has officially integrated the support for it directly on their site.
Consider adding the missing natspec documentation.
Basket.solNatspec documentation partially added or missing at all
Some functions are missing at all the natspec documentation or have partially implemented it.
Natspec documentation are useful for internal developers that need to work on the project, external developers that have to integrate with the project, auditors that have to review it but also for end users given that Etherscan has officially integrated the support for it directly on their site.
The following functions are missing at all the natspec documentation or have partially implemented it:
initialisemiss all natspecwithdrawERC721missing natspec for @param_towithdrawMultipleERC721missing all natspecwithdrawERC721Unsafemissing natspec for @param_towithdrawERC1155missing natspec for @param_towithdrawMultipleERC1155miss all natspecwithdrawETHmissing natspec for @param_towithdrawERC20missing natspec for @param_tokenwithdrawMultipleERC20missing all natspeconERC721Receivedmissing all natspeconERC1155Receivedmissing all natspeconERC1155BatchReceivedmissing all natspecConsider adding the missing natspec documentation.
Basket contract has misspelled the
initializeinitialization functionThe "standard" and official name for the initialization method is
initialize(implemented by correctly byNibblVault).The current name used by the
Basketcontract isinitialise. Consider renaming the initialization function toinitialize.withdrawETHis not checking the amount of ETH to withdrawThe current implementation of
withdrawETHis not checking the amount of ETH present in the Basket contract. Without any check, it allows the Basket owner / spender to withdraw0 ETHand waste gas by doing so.Consider implementing a check that performs the operation only when
address(this).balance > 0withdrawERC20,withdrawMultipleERC20,withdrawERC1155,withdrawMultipleERC1155are not checking the amount of tokens to withdrawSimilar to the previous problem for
withdrawETH, those functions are not checking if the contract has at some amount to transfer.The transfer should happen only if the amount of the token is
> 0to not waste gas.Consider implementing a check that performs the operation only when
TOKEN_INTERFACE(_tokens[i]).balanceOf(address(this) > 0where theTOKEN_INTERFACEisIERC20orIERC1155depending on the function called.Twav.solNatspec documentation partially added or missing at all
Some functions are missing at all the natspec documentation or have partially implemented it.
Natspec documentation are useful for internal developers that need to work on the project, external developers that have to integrate with the project, auditors that have to review it but also for end users given that Etherscan has officially integrated the support for it directly on their site.
The following functions are missing at all the natspec documentation or have partially implemented it:
getTwavObservationsmiss all natspecConsider adding the missing natspec documentation.
twavObservationsand all_getTwavcomments could be improvedCurrently, the code has this natspec/dev comment
twavObservations→//TWAV of last 4 Blocks_getTwavInterpreting from the comment, it seems that prices in that array are from the last 4 consecutive blocks. In reality, those are prices from different blocks (the TWAV is updated only when
_blockTimestamp != lastBlockTimeStampand buyout is not active or when buyout process is initialized) but not consecutive because the functions that trigger the update could be called in blocks with a block number not consecutive.Recommendation: update the comment, clarifying that those prices could not be from consecutive blocks.
NibblVault.sol_chargeFeeshould use_feeAdminand not_adminFeeAmtto decide ifsafeTransferETHshould be called_adminFeeAmtis the admin fee % and_feeAdminis the amount of fee to be sent to the admin calculated from_adminFeeAmt.The
_feeAdmincould be 0 (rounding) even if the_adminFeeAmtis greater than 0.Recommendation: use
_feeAdmininstead of_adminFeeAmtin_chargeFeeSecondaryCurveshould use_feeAdminand not_adminFeeAmtto decide ifsafeTransferETHshould be called_adminFeeAmtis the admin fee % and_feeAdminis the amount of fee to be sent to the admin calculated from_adminFeeAmt.The
_feeAdmincould be 0 (rounding) even if the_adminFeeAmtis greater than 0.Recommendation: use
_feeAdmininstead of_adminFeeAmtinNatspec documentation partially added or missing at all
Some functions are missing at all the natspec documentation or have partially implemented it.
Natspec documentation are useful for internal developers that need to work on the project, external developers that have to integrate with the project, auditors that have to review it but also for end users given that Etherscan has officially integrated the support for it directly on their site.
The following functions are missing at all the natspec documentation or have partially implemented it:
getMaxSecondaryCurveBalancemissing natspec for @return_buyPrimaryCurvemissing natspec for @param_totalSupply_buySecondaryCurvemissing natspec for @param_totalSupplybuymissing natspec for @return_sellPrimaryCurvemissing natspec for @param_totalSupplysellmissing natspec for @returninitiateBuyoutmissing natspec for @returnredeemmissing natspec for @return and @param_toredeemCuratorFeemissing natspec for @returnpermitmissing all natspecsafeTransferETHmissing all natspeconERC721Receivedmissing all natspeconERC1155Receivedmissing all natspeconERC1155BatchReceivedmissing all natspecConsider adding the missing natspec documentation.
NibblVaultFactory.solNatspec documentation partially added or missing at all
Some functions are missing at all the natspec documentation or have partially implemented it.
Natspec documentation are useful for internal developers that need to work on the project, external developers that have to integrate with the project, auditors that have to review it but also for end users given that Etherscan has officially integrated the support for it directly on their site.
The following functions are missing at all the natspec documentation or have partially implemented it:
createBasketmissing all natspecgetBasketAddressmissing all natspecConsider adding the missing natspec documentation.
constructoris not checking user inputThe
constructoris not checking the user input value for the following inputs:_vaultImplementationshould be!= address(0)_feeToshould be!= address(0)_basketImplementationshould be!= address(0)Consider adding checks on those inputs.
proposeNewBasketImplementationmiss event emission and input value checkThe
proposeNewBasketImplementationfunction is missing a check on_newBasketImplementationthat should be!= address(0)and is not emitting an event when the value has changed.updateBasketImplementationmiss event emissionThe
updateBasketImplementationfunction should emit an event when the value has changed.withdrawAdminFeemiss event emission and check on ETH amountThe
withdrawAdminFeefunction should emit an event when the value has changed. The low levelcallshould be made only whenaddress(this).balanceto not waste gas.proposeNewAdminFeeAddressmiss event emission and input value checkThe
proposeNewAdminFeeAddressfunction is missing a check on_newFeeAddressthat should be!= address(0)and is not emitting an event when the value has changed.updateNewAdminFeeAddressmiss event emissionThe
updateNewAdminFeeAddressfunction should emit an event when the value has changed.proposeNewAdminFeemiss event emissionThe
proposeNewAdminFeefunction should emit an event when the value has changed.updateNewAdminFeemiss event emissionThe
updateNewAdminFeefunction should emit an event when the value has changed.proposeNewVaultImplementationmiss event emission and input value checkThe
proposeNewVaultImplementationfunction is missing a check on_newFeeAddressthat should be!= address(0)and is not emitting an event when the value has changed.updateVaultImplementationmiss event emissionThe
updateVaultImplementationfunction should emit an event when the value has changed.BancorFormula.solThe contract is using
SafeMathbut the solidity compiler is0.8.10I couldn't find the official link for the original contract, but seeing the usage of
SafeMathI would assume that theBancorFormulacontract was created before Solidity0.8.10(version used by the project).With Solidity
0.8.xthey implementedThis means that all the operations inside the contract that do not use the
SafeMathfunctions will revert in case of an underflow/overflow instead of under/overflowing like they would have done before Solidity0.8.Recommendation: be sure to check all the math operations of the contract.