code-423n4 / 2022-07-swivel-findings


QA Report #189

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago
  1. Tautology or contradiction

     The following expressions are tautologies:

     As seen, IYearn.deposit() returns uint256, hence IYearn(c).deposit(a) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L712

     IErc4626.deposit() returns uint256, hence IErc4626(c).deposit(a, address(this)) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L727

     IYearn.withdraw() returns uint256, hence IYearn(c).withdraw(a) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L745

     IAave.withdraw() returns uint256, hence IAave(aaveAddr).withdraw(u, a, address(this)) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L749

     IErc4626.withdraw() returns uint256, hence IErc4626(c).withdraw(a, address(this), address(this)) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L757

  2. Missing events and emit

     The following functions are missing emits and/or events for their operations, which could be useful in third-party monitoring.

     Swivel.setAdmin() - https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L428-L432

  3. Missing zero address check

     The following functions are missing a zero address check for the corresponding parameter:

     Swivel.setAdmin() - https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L428-L432
     MarketPlace.constructor() - https://github.com/code-423n4/2022-07-swivel/blob/main/Marketplace/MarketPlace.sol#L38-L40
     MarketPlace.setSwivel() - https://github.com/code-423n4/2022-07-swivel/blob/main/Marketplace/MarketPlace.sol#L45
     MarketPlace.setAdmin() - https://github.com/code-423n4/2022-07-swivel/blob/main/Marketplace/MarketPlace.sol#L53
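
The three patterns the report describes, written out as an added Solidity example. This is constructed illustration, not code from the Swivel repository or from the report: the `IYearn` interface is a minimal stand-in that only matches the call shape cited above (`deposit(a)` returning `uint256`), the `setAdmin` bodies and the `AdminChanged` event name are assumptions, and nothing here reflects the real contents of Swivel.sol#L428-L432. The point of the first part is that `require(x >= 0)` on a `uint256` can never fail on the returned value, so the call is protected only by the callee reverting; the third variant shows what a check that can actually be false looks like if a caller wants one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interface matching the call shape quoted in the report.
// It is not Swivel's actual IYearn file.
interface IYearn {
    function deposit(uint256 amount) external returns (uint256);
}

contract TautologyAndAdminDemo {
    address public admin;

    // Constructed event name; the report notes Swivel.setAdmin() emits nothing.
    event AdminChanged(address indexed previousAdmin, address indexed newAdmin);

    constructor() {
        admin = msg.sender;
    }

    // Finding 1 as reported: deposit() returns uint256, so `>= 0` is always true.
    // The require can only revert if the external call itself reverts; the
    // comparison on the returned value adds no check at all.
    function depositComparedToZero(address c, uint256 a) external {
        require(IYearn(c).deposit(a) >= 0, "deposit failed"); // never false for uint256
    }

    // Behaviourally identical to the function above: the "check" is a no-op,
    // so the code relies entirely on the callee's own revert ("revert or return").
    function depositRelyOnRevert(address c, uint256 a) external {
        IYearn(c).deposit(a);
    }

    // If a post-condition on the returned share amount is actually wanted, the
    // comparison has to be one that can fail. Hypothetical variant, not a
    // requirement of the Swivel design.
    function depositRequireShares(address c, uint256 a) external returns (uint256 shares) {
        shares = IYearn(c).deposit(a);
        require(shares > 0, "no shares minted");
    }

    // Findings 2 and 3 as described: a setter with no event and no zero-address
    // check. Constructed shape, not Swivel's code.
    function setAdminAsReported(address a) external returns (bool) {
        require(msg.sender == admin, "unauthorized");
        admin = a; // address(0) accepted silently, nothing emitted
        return true;
    }

    // Same setter with both points addressed: rejects address(0) so the role
    // cannot be bricked by a bad argument, and emits old/new values so off-chain
    // monitors can index admin changes.
    function setAdminHardened(address a) external returns (bool) {
        require(msg.sender == admin, "unauthorized");
        require(a != address(0), "zero address");
        emit AdminChanged(admin, a);
        admin = a;
        return true;
    }
}
```

`depositComparedToZero` and `depositRelyOnRevert` compile to the same protection in practice, which is the substance of the disagreement below: one side reads the `>= 0` as a tautology, the other as an explicit "treat any returned uint as true" normalisation across integrations that return a value, return zero on success, or return nothing. `depositRequireShares` is only relevant where a non-zero return is actually a meaningful post-condition for the caller.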

robrobbins commented 2 years ago
  1. took a look. it's not tautology or contradiction. it's simply casting any returned uint as a truthy boolean, which is what we want. this normalizes those with the compound (==0) and Euler (void method, hard coded true). this is all in the "revert or return true" pattern a la ERC20 txs.
  2. discussed. no.
  3. no