Q&A Mitigation Review: Fully Alleviated
Issue #15: Re-Entrant Bond Purchase Flow
The code was adjusted per the issue's recommendation, ensuring it conforms to the Checks-Effects-Interactions (CEI) pattern and no longer permits the described attack to occur. The _updateMinCoupon and burn calls can be relocated outside the if-else clause to optimize the codebase as an additional step.
Issue #23: KUMAFeeCollector may emit wrong FeeReleased event
The _release of tokens now occurs solely when there is a non-zero amount of _payees in the contract, alleviating this exhibit. A test case was also included to validate the behaviour of a release with no payees.
Q&A #7: Partially Alleviated
L-01: Remediated
This exhibit was remediated as part of the effort for M-02.
L-02: Not Remediated
This finding remains unaddressed as the KUMASwap::setFees function has not been updated as advised.
L-03: Not Remediated
This finding remains unaddressed as the KUMABondToken::issueBond function has not been updated as advised.
L-04: Not Remediated
This finding remains unaddressed as the KUMASwap::setDeprecationStableCoin function has not been updated as advised.
L-05: Alleviated
A direct check of previousEpochTimestamp backshifting was introduced at the sponsor's discretion as the original recommended course of action would cause accrual loss. As such, we consider this exhibit alleviated.
Q&A #19: Partially Alleviated
KBC-01L: Not Remediated
This finding remains unaddressed as the KBCToken::constructor has not been updated as advised.
KIB-01L: Not Remediated
This finding remains unaddressed as the KIBToken::constructor has not been updated as advised.
KIB-02L: Alleviated
The KIBToken::initialize function was properly updated to sanitize its initial epochLength as advised.
KIB-03L: Not Remediated
The epoch inclusivity inconsistencies remain in the codebase.
KIB-04L: Alleviated
The MAX_YIELD variable was instead removed from the codebase, rendering this exhibit alleviated.
KAP-01L: Not Remediated
This finding remains unaddressed as the KUMAAddressProvider::constructor has not been updated as advised.
KFC-01L: Not Remediated
This finding remains unaddressed as the KUMAFeeCollector::constructor has not been updated as advised.
KFC-02L: Alleviated
The _release of tokens now occurs solely when there is a non-zero amount of _payees in the contract, alleviating this exhibit. A test case was also included to validate the behaviour of a release with no payees.
KFC-03L: Alleviated
This exhibit has been alleviated as part of the efforts for M-02.
KSP-01L: Not Remediated
This finding remains unaddressed as the KUMASwap::setFees function has not been updated as advised.
KSP-02L: Not Remediated
This finding remains unaddressed as the KUMASwap::_calculateFees function has not been updated as advised.
KSP-03L: Not Remediated
This finding remains unaddressed as the KUMASwap::constructor has not been updated as advised.
KSP-04L: Not Remediated
This finding remains unaddressed as the KUMASwap::constructor has not been updated as advised.
BTL-01L: Alleviated
This exhibit has been alleviated as part of the efforts for M-01.
MAR-01L: Not Remediated
This finding remains unaddressed as the MCAGAggregator::setMaxAnswer function has not been updated as advised.
WRM-01L: Not Remediated
The WadRayMath contract has not been updated per the exhibit's recommendation.