0xean
commented
2 years ago note to self: Warden submitted several, extremely high quality reports listed above as dupes that need to be accounted for awarding QA.
Open code423n4 opened 2 years ago
0xean
commented
2 years ago note to self: Warden submitted several, extremely high quality reports listed above as dupes that need to be accounted for awarding QA.
Missing Time locks
When critical parameters of systems need to be changed, it is required to broadcast the change via event emission and recommended to enforce the changes after a time-delay. This is to allow system users to be aware of such critical changes and give them an opportunity to exit or adjust their engagement with the system accordingly. None of the onlyOwner functions that change critical protocol addresses/parameters have a timelock for a time-delayed change to alert: (1) users and give them a chance to engage/exit protocol if they are not agreeable to the changes (2) team in case of compromised owner(s) and give them a chance to perform incident response.
Instances number of this issue:
Suggestion: Users may be surprised when critical parameters are changed. Furthermore, it can erode users' trust since they can’t be sure the protocol rules won’t be changed later on. Compromised owner keys may be used to change protocol addresses/parameters to benefit attackers. Without a time-delay, authorized owners have no time for any planned incident response. (May be medium since owner can change critical parameters at anytime that can affect the users poorly).
Missing Zero-address Validation
Description: Lack of zero-address validation on address parameters may lead to transaction reverts, waste gas, require resubmission of transactions and may even force contract redeployments in certain cases within the protocol.
Suggestion: Consider adding explicit zero-address validation on input parameters of address type.
Instances number of this issue:
Code Structure Deviates From Best-Practice
Description: The best-practice layout for a contract should follow the following order: state variables, events, modifiers, constructor and functions. Function ordering helps readers identify which functions they can call and find constructor and fallback functions easier. Functions should be grouped according to their visibility and ordered as: constructor, receive function (if exists), fallback function (if exists), external, public, internal, private. Some constructs deviate from this recommended best-practice: Modifiers are in the middle of contracts. External/public functions are mixed with internal/private ones. Few events are declared in contracts while most others are in corresponding interfaces.
Suggestion: Consider adopting recommended best-practice for code structure and layout.
src/core/contracts/AlgebraFactory.sol
Missing or Incomplete NatSpec
Description: Some functions are missing @notice/@dev NatSpec comments for the function, @param for all/some of their parameters and @return for return values. Given that NatSpec is an important part of code documentation, this affects code comprehension, auditability and usability.
Suggestion: Consider adding in full NatSpec comments for all functions to have complete code documentation for future use.
src/core/contracts/AlgebraFactory.sol src/core/contracts/AlgebraPool.sol