N-01: Use a more recent version of Solidity
Use a Solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value
Use a Solidity version of at least 0.8.12 to get string.concat() instead of abi.encodePacked(,)
Use a Solidity version of at least 0.8.13 to get the ability to use using for with a list of free functions
Instances include:
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/DataTypes.sol#L2
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/ICauldron.sol#L2
all contracts in https://github.com/yieldprotocol/vault-interfaces/tree/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src
all contracts in https://github.com/yieldprotocol/yield-utils-v2/tree/33b4f19bffa871d19e3cef9bfe43b8f5c3eef068/contracts
N-02 Lock pragmas to specific compiler version
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly.
Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
See https://swcregistry.io/docs/SWC-103
Instances include:
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/DataTypes.sol#L2
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/ICauldron.sol#L2
all contracts in https://github.com/yieldprotocol/vault-interfaces/tree/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src
all contracts in https://github.com/yieldprotocol/yield-utils-v2/tree/33b4f19bffa871d19e3cef9bfe43b8f5c3eef068/contracts
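A check covering N-01 and N-02 together, as an added example (not code from this report or from the audited project): it flags floating pragmas per SWC-103 and constraints that admit a compiler older than 0.8.13. The function names and the sample sources are constructed for illustration, and the range parsing is an approximation that covers the common comparator forms.

```python
import re

MIN_VERSION = (0, 8, 13)  # highest threshold named in N-01

PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
EXACT_RE = re.compile(r"=?\s*\d+\.\d+\.\d+")
TOKEN_RE = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*(\d+)\.(\d+)(?:\.(\d+))?")


def lowest_allowed(constraint):
    """Approximate the lowest compiler version a pragma constraint admits."""
    candidates = []
    for alternative in constraint.split("||"):
        lowers = [
            (int(major), int(minor), int(patch or 0))
            for op, major, minor, patch in TOKEN_RE.findall(alternative)
            if op not in ("<", "<=")  # upper bounds do not raise the floor
        ]
        # Comparators inside one alternative are AND-ed: the floor is the max.
        candidates.append(max(lowers) if lowers else (0, 0, 0))
    return min(candidates)


def check_pragma(source):
    """Return a list of findings for the first solidity pragma in source."""
    match = PRAGMA_RE.search(source)
    if match is None:
        return ["no solidity pragma found"]
    constraint = match.group(1).strip()
    findings = []
    if EXACT_RE.fullmatch(constraint) is None:
        findings.append("floating pragma '%s' (SWC-103)" % constraint)
    floor = lowest_allowed(constraint)
    if floor < MIN_VERSION:
        findings.append("admits compiler %d.%d.%d, below 0.8.13" % floor)
    return findings


if __name__ == "__main__":
    # Constructed sample sources, not taken from the audited repositories.
    samples = {
        "Floating.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\n",
        "Range.sol": "pragma solidity >=0.8.0 <0.9.0;\n",
        "LockedOld.sol": "pragma solidity 0.8.6;\n",
        "Locked.sol": "pragma solidity 0.8.15;\n",
    }
    for name, text in samples.items():
        print(name, check_pragma(text) or "ok")
```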
N-03 Event is missing indexed fields
Each event should use three indexed fields if there are three or more fields
Instances include:
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L33-L37
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L43-L48
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L52-L55
N-04 File is missing NatSpec
Instances include:
https://github.com/yieldprotocol/yield-utils-v2/blob/33b4f19bffa871d19e3cef9bfe43b8f5c3eef068/contracts/cast/CastBytes32Bytes12.sol
https://github.com/yieldprotocol/yield-utils-v2/blob/33b4f19bffa871d19e3cef9bfe43b8f5c3eef068/contracts/cast/CastBytes32Bytes6.sol
https://github.com/yieldprotocol/yield-utils-v2/blob/33b4f19bffa871d19e3cef9bfe43b8f5c3eef068/contracts/interfaces/IWETH9.sol
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/ICauldronGov.sol
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/IFYTokenFactory.sol
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/IJoinFactory.sol
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/ILadle.sol
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/ILadleGov.sol
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/IMultiOracleGov.sol
N-05 NatSpec is incomplete
Instances include:
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/IJoin.sol#L6-L13
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/IOracle.sol#L10-L19
https://github.com/yieldprotocol/vault-interfaces/blob/cf12f06c3ac9a64e2ebfd4989b042f376ab72e48/src/IWitch.sol#L9-L17
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L175
N-06 require()/revert() statements should have descriptive reason strings
Instances include:
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L84
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L102
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L103
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L104
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L108
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L189
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L200
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L255
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L256
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L300
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L313
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L328
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L358
N-07 Constants should be defined rather than using magic numbers
Instances include:
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L63
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L102
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L103
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L105
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L108
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L162
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L163
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L587
N-08 Use of sensitive/non-inclusive terms
Instances include: https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L575