Open code423n4 opened 2 years ago
The first two issues for NotionalTradeModule are incorrect.
The calculateAndEditDefaultPosition function is part of the Position library which is used for ISetToken in the ModuleBase dependency.
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/lib/Position.sol#L206
Also an event is emitted from the SetToken contract when a position is changed. https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/SetToken.sol#L243
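
The mechanism the comment above relies on, as an added example that is not part of the original comment or of the Set Protocol code: a library function attached with a `using ... for` directive can be called on an interface-typed value without being declared in that interface. Every contract, signature and the event below is a constructed, simplified stand-in, and the 0.6.10 pragma is an assumption, chosen because `using` directives are inherited by derived contracts only before Solidity 0.7.0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.6.10; // assumed 0.6.x: before 0.7.0, `using` directives are inherited

// Constructed, simplified stand-ins for illustration; not the Set Protocol sources.
interface ISetToken {
    function totalSupply() external view returns (uint256);
    function editDefaultPositionUnit(address component, uint256 unit) external;
}

library Position {
    // Internal library function: compiled into the calling contract's bytecode.
    // It is not, and does not need to be, declared in the ISetToken interface.
    function calculateAndEditDefaultPosition(
        ISetToken setToken,
        address component,
        uint256 componentBalance
    ) internal returns (uint256 unit) {
        uint256 supply = setToken.totalSupply();
        require(supply > 0, "zero supply");
        // 0.6.x arithmetic is unchecked, so bound the multiplication explicitly.
        require(componentBalance <= uint256(-1) / 1e18, "balance too large");
        unit = componentBalance * 1e18 / supply;
        setToken.editDefaultPositionUnit(component, unit);
    }
}

contract MockSetToken is ISetToken {
    uint256 public override totalSupply = 100e18;
    event DefaultPositionUnitEdited(address indexed component, uint256 unit);

    // The token contract logs the position change itself.
    function editDefaultPositionUnit(address component, uint256 unit) external override {
        emit DefaultPositionUnitEdited(component, unit);
    }
}

abstract contract ModuleBase {
    using Position for ISetToken; // attaches the library's functions to the type
}

contract TradeModule is ModuleBase {
    function updatePosition(ISetToken setToken, address component, uint256 balance)
        external returns (uint256)
    {
        // Resolves to Position.calculateAndEditDefaultPosition(setToken, component, balance)
        return setToken.calculateAndEditDefaultPosition(component, balance);
    }
}
```
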
Findings for Notional x Index Coop C4 Contest
Type of Audit: Security Review
Type of Project: DeFi
Language: Solidity
Methods: Manual review, automated test suite
Audit Scope
NotionalTradeModule
wfCashLogic
1. Contract NotionalTradeModule.sol
[LOW] Use of non-existent function calculateAndEditDefaultPosition in _updateSetTokenPositions function
File: L664 L670
Description: calculateAndEditDefaultPosition function does not exist in ISetToken.sol interface. However, it is called in _updateSetTokenPositions function. This might flaw the logic of other functions relying on this _updateSetTokenPositions function.
Recommendation: Consider adding calculateAndEditDefaultPosition as an external function in ISetToken.sol interface.
[LOW] Missing event emission for _updateSetTokenPositions function
File: L654
Description: _updateSetTokenPositions does not emit appropriate event as shown below:
Recommendation: Consider creating and emitting appropriate event for _updateSetTokenPositions function
[LOW] Use of Different Compiler Versions
File: L19
Description: Whereas the imported contracts use a higher compiler version, NotionalTradeModule.sol uses a far lesser compiler version which might introduce bugs that affect the contract system negatively.
Recommendation: Consider using consistent compiler version
[LOW] Missing event emission for setRedeemToUnderlying function
File: L294
Description: State-changing function setRedeemToUnderlying does not emit appropriate event as shown below:
Recommendation: Consider creating and emitting appropriate event for setRedeemToUnderlying function
[LOW] Use of OpenZeppelin's SafeMath arithmetic operations' sub function in _updateSetTokenPositions function without direct library import in the NotionalTradeModule.sol contract
File: L677 L678
Description: OpenZeppelin's SafeMath library's sub function is being used in _updateSetTokenPositions function without SafeMath library being directly imported and declared to be used in NotionalTradeModule.sol contract thus making the contract vulnerable to overflow risks.
Recommendation: Consider importing OpenZeppelin's SafeMath library in NotionalTradeModule.sol contract and using it thus: using SafeMath for uint256; so that setRedeemToUnderlying function can utilize the library's sub function in order to mitigate overflow risks.
[LOW] No input validation in mintFCashPosition(...), redeemFCashPosition(...)
File(s): index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol
Description: Missing input validation check for mintFCashPosition function's _currencyid and _maturity parameters as well as redeemFCashPosition function's _receiveToken and _sendToken parameters. The code is shown below:
Recommendation: Consider adding appropriate validation logic for _currencyid and _maturity parameters of mintFCashPosition as well as _receiveToken and _sendToken parameters of redeemFCashPosition function.
2. Contract wfCashLogic.sol
[Low] Missing input validation in mintViaUnderlying(...)
File(s): https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashLogic.sol#L27
Description: The function mintViaUnderlying(...) does not validate the input parameter depositAmountExternal.
Recommendation: Consider adding validation logic for depositAmountExternal parameter of mintViaUnderlying function
3. Contract wfCashERC4626.sol
[Low] Missing input validation in redeem(...)
File(s): https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashERC4626.sol#L205
Description: The function redeem(...) lacks validation logic for the receiver input parameter against address(0).
Recommendation: Consider validating the input receiver parameter.
[LOW] Inconsistent import of ReentrancyGuard library
File(s): https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashLogic.sol#L6
Description: ReentrancyGuard is not available in the path that the current import is assuming for the project.
Recommendation: Consider using consistent OpenZeppelin version while importing contracts across all the files to mitigate such inconsistent imports