code-423n4 / 2023-03-kuma-mitigation-contest-findings


Mitigation Confirmed for QA #23

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Q&A Mitigation Review: Fully Alleviated

Issue #15: Re-Entrant Bond Purchase Flow

The code was adjusted per the issue's recommendation, ensuring it conforms to the Checks-Effects-Interactions (CEI) pattern and no longer permits the described attack to occur. The _updateMinCoupon and burn calls can be relocated outside the if-else clause to optimize the codebase as an additional step.

Issue #23: KUMAFeeCollector may emit wrong FeeReleased event

The _release of tokens now occurs solely when there is a non-zero amount of _payees in the contract, alleviating this exhibit. A test case was also included to validate the behaviour of a release with no payees.

Q&A #7: Partially Alleviated

L-01: Remediated

This exhibit was remediated as part of the effort for M-02.

L-02: Not Remediated

This finding remains unaddressed as the KUMASwap::setFees function has not been updated as advised.

L-03: Not Remediated

This finding remains unaddressed as the KUMABondToken::issueBond function has not been updated as advised.

L-04: Not Remediated

This finding remains unaddressed as the KUMASwap::setDeprecationStableCoin function has not been updated as advised.

L-05: Alleviated

A direct check of previousEpochTimestamp backshifting was introduced at the sponsor's discretion as the original recommended course of action would cause accrual loss. As such, we consider this exhibit alleviated.

Q&A #19: Partially Alleviated

KBC-01L: Not Remediated

This finding remains unaddressed as the KBCToken::constructor has not been updated as advised.

KIB-01L: Not Remediated

This finding remains unaddressed as the KIBToken::constructor has not been updated as advised.

KIB-02L: Alleviated

The KIBToken::initialize function was properly updated to sanitize its initial epochLength as advised.

KIB-03L: Not Remediated

The epoch inclusivity inconsistencies remain in the codebase.

KIB-04L: Alleviated

The MAX_YIELD variable was instead removed from the codebase, rendering this exhibit alleviated.

KAP-01L: Not Remediated

This finding remains unaddressed as the KUMAAddressProvider::constructor has not been updated as advised.

KFC-01L: Not Remediated

This finding remains unaddressed as the KUMAFeeCollector::constructor has not been updated as advised.

KFC-02L: Alleviated

The _release of tokens now occurs solely when there is a non-zero amount of _payees in the contract, alleviating this exhibit. A test case was also included to validate the behaviour of a release with no payees.

KFC-03L: Alleviated

This exhibit has been alleviated as part of the efforts for M-02.

KSP-01L: Not Remediated

This finding remains unaddressed as the KUMASwap::setFees function has not been updated as advised.

KSP-02L: Not Remediated

This finding remains unaddressed as the KUMASwap::_calculateFees function has not been updated as advised.

KSP-03L: Not Remediated

This finding remains unaddressed as the KUMASwap::constructor has not been updated as advised.

KSP-04L: Not Remediated

This finding remains unaddressed as the KUMASwap::constructor has not been updated as advised.

BTL-01L: Alleviated

This exhibit has been alleviated as part of the efforts for M-01.

MAR-01L: Not Remediated

This finding remains unaddressed as the MCAGAggregator::setMaxAnswer function has not been updated as advised.

WRM-01L: Not Remediated

The WadRayMath contract has not been updated per the exhibit's recommendation.
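The two patterns the review above reports as alleviated, the Checks-Effects-Interactions ordering for Issue #15 and the empty-payee guard before emitting FeeReleased for Issue #23 / KFC-02L, as an added Solidity illustration. This is not part of the warden's comment and not the KUMA code base: every contract, interface and function name here (ExampleBondSale, ExampleFeeCollector, IERC20Like, IBondLike, buyUnsafe, list, the placeholder body of _updateMinCoupon) is hypothetical, and the protocol's real purchase and release logic is not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative contracts only. Every name below is hypothetical and none of
// this is the KUMA code base; it shows the two patterns the review describes.

interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// A bond token whose safeTransferFrom calls a receiver hook (as ERC-721 does).
// That hook is what hands a buyer contract execution in the middle of a sale.
interface IBondLike {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract ExampleBondSale {
    IERC20Like public immutable stable;
    IBondLike public immutable bond;
    address public immutable owner;

    mapping(uint256 => uint256) public priceOf; // tokenId => price, 0 = not listed
    uint256 public minCoupon;                   // placeholder bookkeeping updated per sale

    event BondBought(address indexed buyer, uint256 indexed tokenId, uint256 price);

    constructor(IERC20Like stable_, IBondLike bond_) {
        stable = stable_;
        bond = bond_;
        owner = msg.sender;
    }

    function list(uint256 tokenId, uint256 price) external {
        require(msg.sender == owner, "not owner");
        priceOf[tokenId] = price;
    }

    // Ordering the finding warns about: the listing is cleared only after the
    // hook-bearing transfer, so a receiver that re-enters during the hook still
    // sees the bond as listed and acts on stale bookkeeping.
    function buyUnsafe(uint256 tokenId) external {
        uint256 price = priceOf[tokenId];
        require(price != 0, "not listed");
        require(stable.transferFrom(msg.sender, address(this), price), "payment failed");
        bond.safeTransferFrom(address(this), msg.sender, tokenId); // re-entrancy window
        priceOf[tokenId] = 0;                                        // effect after interaction
        _updateMinCoupon(price);
        emit BondBought(msg.sender, tokenId, price);
    }

    // Checks-Effects-Interactions: every state write lands before any external
    // call, so a re-entering receiver fails the "not listed" check and reverts.
    function buy(uint256 tokenId) external {
        // Checks
        uint256 price = priceOf[tokenId];
        require(price != 0, "not listed");

        // Effects
        priceOf[tokenId] = 0;
        _updateMinCoupon(price);

        // Interactions
        require(stable.transferFrom(msg.sender, address(this), price), "payment failed");
        bond.safeTransferFrom(address(this), msg.sender, tokenId);
        emit BondBought(msg.sender, tokenId, price);
    }

    // Placeholder for whatever per-sale bookkeeping a real sale contract keeps.
    function _updateMinCoupon(uint256 price) internal {
        if (minCoupon == 0 || price < minCoupon) minCoupon = price;
    }
}

contract ExampleFeeCollector {
    IERC20Like public immutable fee;
    address[] private _payees;
    mapping(address => uint256) public shareOf;
    uint256 public totalShares;

    event FeeReleased(uint256 amount);

    constructor(IERC20Like fee_, address[] memory payees, uint256[] memory shares) {
        require(payees.length == shares.length, "length mismatch");
        fee = fee_;
        for (uint256 i = 0; i < payees.length; i++) {
            require(shares[i] != 0, "zero share");
            _payees.push(payees[i]);
            shareOf[payees[i]] = shares[i];
            totalShares += shares[i];
        }
    }

    // Distribute collected fees pro rata. With no payees (or no balance) nothing
    // leaves the contract, so return before emitting: FeeReleased must only ever
    // report an amount that was actually paid out.
    function release() external {
        uint256 balance = fee.balanceOf(address(this));
        if (_payees.length == 0 || balance == 0) return;

        for (uint256 i = 0; i < _payees.length; i++) {
            address payee = _payees[i];
            uint256 amount = (balance * shareOf[payee]) / totalShares;
            if (amount != 0) require(fee.transfer(payee, amount), "transfer failed");
        }
        emit FeeReleased(balance);
    }
}
```

The two buy functions differ only in where `priceOf[tokenId] = 0` and `_updateMinCoupon` sit relative to the external calls; placing them before the calls is the whole CEI fix, and it also makes the review's suggestion of hoisting those effects out of any if-else branch natural, since they then form one block ahead of the interactions. In the collector, the early return covers both the empty `_payees` case the review tests and the zero-balance case, so a test for "release with no payees" can assert that no FeeReleased event is logged.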

c4-judge commented 1 year ago

GalloDaSballo marked the issue as satisfactory