code-423n4 / 2022-12-gogopool-findings


QA Report #876

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

See the markdown file with the details of this report here.

GalloDaSballo commented 1 year ago

[01] Prevent storage variables from receiving address(0)

L

[02] The guardian can send the DAO rewards to any address without a timelock

Invalid per Scope

[03] Fake balances can be created due to lack of ERC20 contract existence check

Invalid per Scope

[04] Add an event for parameter changes

NC

[05] Downcasting block.timestamp

L

[06] Missing storage gap for upgradeable contracts

Disputing for token as it's a child contract

[07] Avoid receiving stale values for setter functions that emit events

R

[08] Lack of checks-effects-interactions

L

[09] Missing tests

R

[10] Avoid using the optimizer if possible, due to its potential security bugs which can affect the contracts in scope

Disputing without evidence (with evidence can even be a High Severity)

[11] Usage of ERC20 approve which is susceptible to race conditions

Invalid, the allowance and its usage are atomic

[12] Open TODO

NC

[13] Replace assert with require or custom error

R

[14] Repeated validation statements

R

[15] Use named imports

NC

[16] Consistent use of address(0) identifier

NC

[17] Order of functions

NC

[18] Reuse existing computed values

R

[19] Usage of return named variables and explicit values

R

[20] Unused declaration

NC

[21] Missing NATSPEC

NC

[22] Fix typo

NC

[23] Consistent use of leading underscore for function arguments

NC

[24] Move revert statements to the top of the function when validating input parameters

R

[25] Add a limit for the maximum number of characters per line

NC
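The judge's reason for rejecting [11] is that the approve race only exists when the allowance is granted in one transaction and consumed (or changed) in a later one. The following Solidity sketch is an added illustration, not code from the GoGoPool repository or from the report: `RacyApprover`, `AtomicApprover`, `IVault` and the `deposit` call are hypothetical names chosen to show the two cases side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface needed for the illustration (hypothetical interface, not the project's).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical spender that pulls `amount` from msg.sender via transferFrom.
interface IVault {
    function deposit(uint256 amount) external;
}

/// Exposed to the classic approve race: the allowance is set in one transaction
/// and adjusted in another. Between setAllowance(spender, N) and a later
/// setAllowance(spender, M), the spender can front-run the second call, spend N,
/// and then spend M once it lands, for N + M in total.
contract RacyApprover {
    IERC20 public immutable token;

    constructor(IERC20 token_) {
        token = token_;
    }

    function setAllowance(address spender, uint256 amount) external {
        // Separate transaction from any later change: this is the window the race needs.
        require(token.approve(spender, amount), "approve failed");
    }
}

/// Not exposed to the race: the allowance is granted and fully consumed inside a
/// single call, so no other transaction can interleave between approve and transferFrom.
contract AtomicApprover {
    IERC20 public immutable token;
    IVault public immutable vault;

    constructor(IERC20 token_, IVault vault_) {
        token = token_;
        vault = vault_;
    }

    function depositToVault(uint256 amount) external {
        // Grant exactly what the vault will pull...
        require(token.approve(address(vault), amount), "approve failed");
        // ...and let it pull in the same transaction (vault calls transferFrom on this contract).
        vault.deposit(amount);
        // Practitioner check: nothing may be left over, otherwise the vault could spend it later
        // and the "atomic" argument would no longer hold.
        require(token.allowance(address(this), address(vault)) == 0, "allowance left over");
    }
}
```

The trailing allowance check is the part worth keeping in a real integration: the atomicity argument only holds while the spender consumes the whole allowance in the same call, so a residual allowance should be treated as a bug rather than ignored.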

GalloDaSballo commented 1 year ago

3L 7R 10NC

c4-judge commented 1 year ago

GalloDaSballo marked the issue as grade-b