code-423n4 / 2024-08-superposition-findings


QA Report #168

Open howlbot-integration[bot] opened 2 months ago

howlbot-integration[bot] commented 2 months ago

See the markdown file with the details of this report here.

af-afk commented 2 months ago

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-01-a-user-can-burn-their-position-before-the-nft-manager-transfers-it We'll fix this. We're going to remove the burn position function.

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-02-a-pool-can-be-re-initialized-by-setting-the-price-to-zero We will add an initialised field for hygiene!

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-03-mod-operation-doesnt-revert-on-overflow-in-release-mode We're interested if this translates into an issue that can be identified anywhere. We'll make the recommended adjustment.

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-04-file-allows-a-version-of-solidity-that-is-susceptible-to-selector-related-optimizer-bug We won't fix this, unless it can be identified that this causes an issue.

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-05-vulnerability-to-storage-write-removal Does this actually affect us? It doesn't seem like we're in the affected group.

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-06-payable-function-does-not-transfer-eth This is a dupe. We'll make the change.

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-07-nft-ownership-doesnt-support-hard-forks We don't believe in practice this is something to be concerned about. So we're not going to make this adjustment.

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-08-use-of-abiencodewithsignatureabiencodewithselector-instead-of-abiencodecall We won't make the change.

https://github.com/code-423n4/2024-08-superposition-findings/blob/main/data/DadeKuma-Q.md#l-09-lack-of-two-step-update-for-updating-protocol-addresses The power for this will be vested in the DAO, so we won't include this behaviour, as it'll likely be protected at that level.
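As an added illustration of the L-02 response above (this is example code written for this page, not code from the long.so repository), the block below contrasts an initialisation check that keys off the price being zero with an explicit `initialised` flag. The `Pool` struct, the error type, and the `init_pool_weak` / `init_pool_guarded` / `set_price_unchecked` functions are all assumptions made for the example; the unchecked price setter stands in for whatever code path can write a zero price into a live pool.

```rust
// Added example (not long.so project code): a pool whose "uninitialised"
// state is inferred from `sqrt_price == 0` can be re-initialised if any path
// later writes a zero price. A dedicated `initialised` flag closes that gap.
// All names here are assumptions for this illustration.

#[derive(Debug, PartialEq, Eq)]
pub enum PoolError {
    AlreadyInitialised,
    ZeroPrice,
}

#[derive(Debug, Default, Clone)]
pub struct Pool {
    /// Current price; the weak scheme treats `0` as "not yet initialised".
    pub sqrt_price: u128,
    /// Explicit lifecycle flag; once set it is never cleared.
    pub initialised: bool,
    /// Stand-in for other state (ticks, fees, liquidity) that init() resets.
    pub tick: i32,
}

/// Weak version: initialisation is inferred from the price field.
pub fn init_pool_weak(pool: &mut Pool, sqrt_price: u128, tick: i32) -> Result<(), PoolError> {
    if pool.sqrt_price != 0 {
        return Err(PoolError::AlreadyInitialised);
    }
    pool.sqrt_price = sqrt_price;
    pool.tick = tick;
    Ok(())
}

/// Hardened version: a flag that is set exactly once, independent of whatever
/// the price field holds later. It also refuses a zero price so the sentinel
/// value can never be stored through the init path itself.
pub fn init_pool_guarded(pool: &mut Pool, sqrt_price: u128, tick: i32) -> Result<(), PoolError> {
    if pool.initialised {
        return Err(PoolError::AlreadyInitialised);
    }
    if sqrt_price == 0 {
        return Err(PoolError::ZeroPrice);
    }
    pool.initialised = true;
    pool.sqrt_price = sqrt_price;
    pool.tick = tick;
    Ok(())
}

/// Hypothetical setter with no guard of its own: models the finding's
/// precondition that some path can write a zero price into a live pool.
pub fn set_price_unchecked(pool: &mut Pool, sqrt_price: u128) {
    pool.sqrt_price = sqrt_price;
}

/// Walks both schemes through the same sequence: init, price zeroed,
/// re-init attempted. Returns (weak_reinit_succeeded, guarded_reinit_succeeded).
pub fn demo() -> (bool, bool) {
    let mut weak = Pool::default();
    init_pool_weak(&mut weak, 1u128 << 96, 0).unwrap();
    set_price_unchecked(&mut weak, 0);
    let weak_reinit = init_pool_weak(&mut weak, 42, 100).is_ok();

    let mut guarded = Pool::default();
    init_pool_guarded(&mut guarded, 1u128 << 96, 0).unwrap();
    set_price_unchecked(&mut guarded, 0);
    let guarded_reinit = init_pool_guarded(&mut guarded, 42, 100).is_ok();

    (weak_reinit, guarded_reinit)
}

fn main() {
    let (weak, guarded) = demo();
    println!("weak scheme re-initialised: {weak}, guarded scheme re-initialised: {guarded}");
}
```

The point of keeping the flag separate from the price is that the guard no longer depends on an invariant ("price is never zero after init") that every other writer of the price field would otherwise have to uphold.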

af-afk commented 2 months ago

Updated the above

af-afk commented 2 months ago

https://github.com/fluidity-money/long.so/commit/7c76316e2476954b8cede36cf4378238b9361b7e

c4-judge commented 2 months ago

alex-ppg marked the issue as grade-a

thebrittfactor commented 1 month ago

For awarding purposes, C4 staff have marked as 3rd place.