Open c4-bot-10 opened 2 months ago
QA-01: The Basin Development community accepts this risk and considers the responsibility of verifying the tokens being used in the Well to be the developer themselves.
QA-02: We disagree with this analysis, as the Lookup table is a binary tree, meaning a price can be found in O(log2). In the recommended Mitigation steps, it can be seen that that specific example would take 6 checks rather than the 4 checks in the code. In practice, an if ladder in the ascending order described would have significantly more checks. The most efficient binary tree would require analysis of a stable Well, mapping the most frequent price ranges near the top of the binary tree. This is not possible currently given that 1) a Stable Well does not exist yet, and 2) this would depend on a per-well basis, depending on how well the coins retain like-value.
QA-03: Given there is no damage that can occur, we accept this can occur, but will not update the code to prevent this behaviour.
QA-04: If the if block is not hit (i.e., address(this) == ___self) in the modifier, then the function that is called with this modifier must have been called by the contract, and thus is not delegated. This is the same logic seen in OpenZeppelin's notDelegated modifier.
QA-05, QA-06: Accepted, inline docs will be updated to reflect this change.
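The self-address check that the QA-04 response describes, written out as an added example (this is not Basin/Well code and not OpenZeppelin's; contract and error names are assumptions). The contract records its own deployment address in an immutable at construction, and the modifier reverts when `address(this)` no longer matches it, which is exactly what happens when a proxy delegatecalls into the implementation. A constructed caller contract shows the revert path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not code from the audited project.
contract NotDelegatedExample {
    // Immutables are baked into the runtime bytecode at deployment, so __self
    // always holds the address the implementation was deployed at, regardless
    // of which proxy later delegatecalls into it.
    address private immutable __self = address(this);

    error DelegatedCall();

    /// Reverts when running under delegatecall. If the if block is not hit,
    /// address(this) == __self, so the call reached this contract directly.
    modifier notDelegated() {
        // Under delegatecall, address(this) is the proxy's address, not __self.
        if (address(this) != __self) revert DelegatedCall();
        _;
    }

    function direct() external view notDelegated returns (address) {
        return address(this); // equals __self on the non-delegated path
    }
}

/// Constructed harness: delegatecalls into NotDelegatedExample.direct().
/// The returned ok flag is false because the modifier reverts.
contract DelegatingCaller {
    function tryDelegate(address target) external returns (bool ok) {
        (ok, ) = target.delegatecall(abi.encodeWithSignature("direct()"));
    }
}
```

Deploying both contracts and calling `DelegatingCaller.tryDelegate(address(NotDelegatedExample))` returns `false`, while calling `NotDelegatedExample.direct()` directly succeeds; the check relies on `__self` being an immutable rather than a storage variable, since storage would be read from the proxy's context and would not hold the implementation address.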
alex-ppg marked the issue as grade-b
See the markdown file with the details of this report here.