code-423n4 / 2024-02-spectra-findings


QA Report #302

Closed c4-bot-6 closed 8 months ago

c4-bot-6 commented 8 months ago

See the markdown file with the details of this report here.

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as insufficient quality report

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as grade-c

gzeon-c4 commented 8 months ago

low quality / duplicate of bot report

thenua3bhai commented 7 months ago

Hi @JustDravee, thanks for judging. I want you to please re-evaluate this report. The lookout marked this as a duplicate of the bot report, but the findings contained in it are not duplicates of the bot/analyzer report.

L-01 talks about removing the nonReentrant modifier from the internal functions and placing it on the external/public functions where those internal functions are called. Since the externals are involved with transferring and nonReentrant is on the internals, the external functions are not completely protected from re-entrancy. L-06 in the bot report covers a different function, deposit, and does not cover the functions withdraw and withdrawIBT, which are covered by this report. So L-06 in the bot report does not state this problem completely, while my report does: removing nonReentrant from the internals and placing it on the externals. In my report, L-01 covers only those instances which were not covered by the bot. This problem is not trivial; rather, it is a real flaw. Fixing the bot instance will not fix my reported instances, so it can be considered valid.

L-02 and L-03 are not present in the bot report, and they are completely different issues. You can check them in the report for validity.

Since in some reports grade-b is given for 3 valid lows in a QA report, by that curve this report can also be considered grade-b.

Thanks

JustDravee commented 7 months ago

Hey @thenua3bhai, L-01 is actually counterproductive, and the Spectra team did a very good job at protecting the before-hooks. Even future code or wrapper contracts would trigger those protections, instead of having to think about protecting every entrypoint. The functions you think aren't covered are actually covered, as they always end up calling a protected internal function. L-02 is already taken care of by the code. L-03: how is that even an attack instead of a feature?

Nothing is valid; therefore, this is grade C.
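The disagreement in this thread is about where a reentrancy lock is actually held. As an added illustration (not code from the Spectra repository and not code posted by either commenter), the hypothetical contracts below show what a `nonReentrant` modifier on a shared internal hook does and does not cover: the lock is held only for the frame of the function the modifier is attached to, so an external entrypoint is protected exactly when its external interaction happens while a guarded frame is still active, whichever entrypoint the callback tries to reenter. The contract and function names (`HookGuardedVault`, `Reenterer`, `withdrawAfterHook`, `probe`) and the minimal `Guard` base are invented for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal reentrancy lock (same shape as OpenZeppelin's ReentrancyGuard),
// inlined so the example compiles without external imports.
abstract contract Guard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    modifier nonReentrant() {
        require(_status != ENTERED, "reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED; // released when the *modified* function returns
    }
}

// Hypothetical vault (example only). Both withdraw entrypoints call a guarded
// internal hook; they differ only in whether the ether transfer happens
// inside that guarded frame or after it has returned.
contract HookGuardedVault is Guard {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        _beforeDeposit(msg.sender, msg.value);
    }

    // Entrypoint A: the transfer runs inside _beforeWithdraw, so the lock is
    // held while the callback executes.
    function withdraw(uint256 amount) external {
        _beforeWithdraw(msg.sender, amount);
    }

    // Entrypoint B: _checkWithdraw returns (lock released) before the transfer.
    function withdrawAfterHook(uint256 amount) external {
        _checkWithdraw(msg.sender, amount);
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function _beforeDeposit(address owner, uint256 amount) internal nonReentrant {
        balances[owner] += amount;
    }

    function _beforeWithdraw(address owner, uint256 amount) internal nonReentrant {
        require(balances[owner] >= amount, "insufficient");
        balances[owner] -= amount;
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function _checkWithdraw(address owner, uint256 amount) internal view nonReentrant {
        require(balances[owner] >= amount, "insufficient");
    }
}

// Probe contract: reenters the vault once from its receive() callback and
// reports whether that reentry was allowed through.
contract Reenterer {
    HookGuardedVault public immutable vault;
    bool private useAfterHook;
    uint256 public reentries;

    constructor(HookGuardedVault _vault) { vault = _vault; }

    // Fund with at least 2x the amount later probed, so the second withdrawal
    // does not fail on the balance check and only the lock decides the outcome.
    function fund() external payable { vault.deposit{value: msg.value}(); }

    // Returns true if the reentrant call succeeded. Any revert (including the
    // guard firing) is caught here, which also rolls back `reentries`.
    function probe(uint256 amount, bool afterHook) external returns (bool reentered) {
        useAfterHook = afterHook;
        reentries = 0;
        if (afterHook) {
            try vault.withdrawAfterHook(amount) {} catch {}
        } else {
            try vault.withdraw(amount) {} catch {}
        }
        return reentries > 0;
    }

    receive() external payable {
        if (reentries < 1 && address(vault).balance >= msg.value) {
            reentries++;
            if (useAfterHook) {
                vault.withdrawAfterHook(msg.value); // lock already released: passes
            } else {
                vault.withdraw(msg.value);          // hits guarded hook: reverts
            }
        }
    }
}
```

With the vault funded through `fund{value: 2 ether}()`, `probe(1 ether, false)` returns false: the reentrant `withdraw` reaches `_beforeWithdraw` while `_status == ENTERED`, reverts, and the revert propagates up through the `call`, so nothing reentered. `probe(1 ether, true)` returns true: `_checkWithdraw` has already reset the lock before the transfer, so the callback's second `withdrawAfterHook` passes the guard. The practical check, when reviewing either design, is therefore not "is there a `nonReentrant` somewhere on the path" but "is a guarded frame still on the call stack at the moment of the external interaction"; that is the property the judge's "they always end up calling a protected internal function" needs to hold for every entrypoint, and the one the report's L-01 would have to show is violated.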