code-423n4 / 2022-07-axelar-findings


QA Report #200

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Summary

Low

  1. L-1. Missing zero address validation
  2. L-2. Local variable shadowing
  3. L-3. Unused return
  4. L-4. Use a most recent solidity version

Non-Critical

  5. NC-1. Assembly usage
  6. NC-2. Conformance to Solidity naming conventions

Low

L-1. Missing zero address validation

Description

Detect missing zero address validation

Mitigation

Include a check that the address is not zero.

Lines in the code

constructor (ReceiverImplementation)

AxelarDepositService.sol#L18 AxelarDepositService.sol#L19

receiveAndSendToken (refundAddress.transfer)

ReceiverImplementation.sol#L17 ReceiverImplementation.sol#L23

receiveAndSendNative (refundAddress.transfer)

ReceiverImplementation.sol#L45 ReceiverImplementation.sol#L51

receiveAndUnwrapNative (refundAddress.transfer)

ReceiverImplementation.sol#L70 ReceiverImplementation.sol#L71 ReceiverImplementation.sol#L86

L-2. Local variable shadowing

Description

Detection of shadowing using local variables.

Mitigation

Rename the local variables that shadow another component.

Lines in the code

gateway

ReceiverImplementation.sol#12 DepositBase.sol#13 IDepositBase.sol#14

wrappedSymbol

ReceiverImplementation.sol#12 DepositBase.sol#13 IDepositBase.sol#14

L-3. Unused return

Description

There are returns that are not useful.

Mitigation

Remove the unused return and include the rest of the code in the else condition.

Lines in the code

ReceiverImplementation.sol#L30 ReceiverImplementation.sol#L54

L-4. Use a most recent solidity version

Description

Actually the code uses version 0.8.9.

Mitigation

Update to use at least 0.8.10 to add more functionality, like external calls skipping contract existence checks if the external call has a return value.

Non-Critical

NC-1. Assembly usage

Description

The use of assembly is error-prone and should be avoided.

Mitigation

Do not use EVM assembly.

Lines in the code

DepositBase.sol#L54 DepositReceiver.sol#L17

NC-2. Conformance to Solidity naming conventions

Description

Solidity defines a naming convention that should be followed.

Mitigation

Follow the Solidity naming convention. Link

Lines in the code

AxelarGateway.sol#L447 AxelarGateway.sol#L45 AxelarGateway.sol#L46
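The check that L-1 asks for, as an added example that is not code from the audited repository or from the report's author. The contract name, the error name, the `gateway_` constructor parameter and both helper functions are assumptions; only `refundAddress` and the `refundAddress.transfer` pattern come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Hypothetical contract for illustration only (not the audited code).
contract RefundingReceiver {
    error ZeroAddress();

    // Immutable: a bad value set at deployment can never be corrected.
    address public immutable gateway;

    // The trailing underscore on the parameter also avoids shadowing the
    // state variable of the same name (the concern raised in L-2).
    constructor(address gateway_) {
        if (gateway_ == address(0)) revert ZeroAddress();
        gateway = gateway_;
    }

    // Unchecked form: if the caller passes address(0), the transfer still
    // succeeds and the balance is unrecoverable.
    function _refundUnchecked(address payable refundAddress) internal {
        refundAddress.transfer(address(this).balance);
    }

    // Checked form: reject the zero address before any value moves.
    function _refundChecked(address payable refundAddress) internal {
        if (refundAddress == address(0)) revert ZeroAddress();
        refundAddress.transfer(address(this).balance);
    }

    receive() external payable {}
}
```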

GalloDaSballo commented 2 years ago

L-1. Missing zero address validation

L

L-2. Local variable shadowing

R

L-3. Unused return

Disagree, they return early in a specific case.

L-4. Use a most recent solidity version

NC

NC-1. Assembly usage

Disagree, you have to prove your statements here.

NC-2. Conformance to Solidity naming conventions

Please tell the sponsor what they can do better instead of linking the Style Guide without context.

1L 1R 1NC