robrobbins
commented
2 years ago approve 0 first what? This is likely a non issue, but adding a maybe just in case
we don't use any open zeppelin.
dupes, wontfixes.
Open code423n4 opened 2 years ago
robrobbins
commented
2 years ago approve 0 first what? This is likely a non issue, but adding a maybe just in case
we don't use any open zeppelin.
dupes, wontfixes.
Must approve 0 first
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.
Code instance:
approve without approving 0 first Swivel.sol, 561, Safe.approve(uToken, c[i], max);
safeApprove of openZeppelin is deprecated
You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.
Code instance:
Two arrays length mismatch
The functions below fail to perform input validation on arrays to verify the lengths match. A mismatch could lead to an exception or undefined behavior. Consider making this a medium risk please.
Code instances
Div by 0
Division by 0 can lead to accidentally revert, (An example of a similar issue - https://github.com/code-423n4/2021-10-defiprotocol-findings/issues/84)
Code instances:
approve return value is ignored
Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert. Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value. We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens. The list of occurrences in format (solidity file, line number, actual line)
Code instance:
Swivel.sol, 561, Safe.approve(uToken, c[i], max);
Not verified input
external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.
Code instances:
Solidity compiler versions mismatch
The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.
Not verified owner
Code instance:
Named return issue
Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.
Code instances:
Two Steps Verification before Transferring Ownership
The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked. It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership. A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105
Code instances:
Open TODOs
Open TODOs can hint at programming or architectural errors that still need to be fixed. These files has open TODOs:
Code instances:
Open TODO in Swivel.sol line 32 : address public aaveAddr; // TODO immutable?
Open TODO in Swivel.sol line 707 : if (p == uint8(Protocols.Compound)) { // TODO is Rari a drop in here?
Open TODO in Swivel.sol line 285 : // TODO assign amount or keep the ADD?
Check transfer receiver is not 0 to avoid burned money
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
Code instances: