hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777
IBO, Vesting & Bond mechanism repo prepared for Hats Finance audit competition
issues
Audit Report Draft Update
#91
shayzluf
opened
8 months ago
0
Missing checks for address(0x0) when updating address state variables
#90
hats-bug-reporter[bot]
opened
1 year ago
1
Missing checks for address(0x0) in the constructor/initializer
#89
hats-bug-reporter[bot]
opened
1 year ago
1
Missing contract-existence checks before low-level calls
#88
hats-bug-reporter[bot]
opened
1 year ago
1
decimals() is not a part of the ERC-20 standard
#87
hats-bug-reporter[bot]
opened
1 year ago
1
Loss of precision
#86
hats-bug-reporter[bot]
opened
1 year ago
1
VestingCvg::createVestingSchedule() - since state variable `nextVestingScheduleId` starts at `1`, `0` is available to be used for invalid `_vestingType` values. Is this intended functionality?
#85
hats-bug-reporter[bot]
opened
1 year ago
1
VestingCvg::createVestingSchedule() - no proper input validation for parameter `_vestingType`, seems can pass any arbitrary value...
#84
hats-bug-reporter[bot]
opened
1 year ago
1
VestingCvg::getInfoVestingTokenId() - should use `external` visibility modifier.
#83
hats-bug-reporter[bot]
opened
1 year ago
4
VestingCvg:: Missing address(0) checks for several functions.
#82
hats-bug-reporter[bot]
opened
1 year ago
1
VestingCvg::constructor() - Recommended to emit events for state variables in constructor that can/will be changed later again, as well as should emit events in all functions that change state.
#81
hats-bug-reporter[bot]
opened
1 year ago
1
VestingCvg:: `using SafeERC20 for IERC20` is implemented but not applied to any of the contract's transfer functions.
#80
hats-bug-reporter[bot]
opened
1 year ago
2
VestingCvg:: Strongly recommend to not have a floating pragma, and definitely not when the solidity version is as old as 0.8.0.
#79
hats-bug-reporter[bot]
opened
1 year ago
1
Price is computed incorrectly for curve tripool tokens
#78
hats-bug-reporter[bot]
opened
1 year ago
1
Release after begin of schedule sometimes doesn't change balances within the acceptable range
#77
hats-bug-reporter[bot]
opened
1 year ago
2
Token prices aren't computed correctly
#76
hats-bug-reporter[bot]
opened
1 year ago
3
Due to lack of a function to remove an existing bond (`bondId`), a user would still be able to deposit a bonded-token into the existing bond (`bondId`) via the ibo#`deposit()` even if the bonded-token was exploited
#75
hats-bug-reporter[bot]
opened
1 year ago
1
Precision Loss on the `computeCvgExpected` function
#74
hats-bug-reporter[bot]
opened
1 year ago
2
Lack of validation in `createBond` function
#73
hats-bug-reporter[bot]
opened
1 year ago
1
An IBO NFT holder can claim $CVG tokens even before the IBO period has started and even after the IBO period has ended
#72
hats-bug-reporter[bot]
opened
1 year ago
1
Sale State in White Listing presale does not enforce a sequential transition
#71
hats-bug-reporter[bot]
opened
1 year ago
1
Granting Preseed is validated against a wrong Sale State
#70
hats-bug-reporter[bot]
opened
1 year ago
1
Sale state in Presale has sequential transitions, but there are no validations to honour that sequence
#69
hats-bug-reporter[bot]
opened
1 year ago
1
The owner may assign a **stale timestamp** into the `_startTimestamp` parameter due to lack of the input validation
#68
hats-bug-reporter[bot]
opened
1 year ago
1
The `startingTimestamp` of each vesting (Seed, Presale, IBO, Team, DAO) may not be aligned due to lack of the validation
#67
hats-bug-reporter[bot]
opened
1 year ago
1
Lack of the setter function for the ibo contract
#66
hats-bug-reporter[bot]
opened
1 year ago
1
Lack of a logic to `reset` the vesting term of an existing bonding position
#65
hats-bug-reporter[bot]
opened
1 year ago
1
Lack of validation to check whether or not the `totalAmount` would already reach or exceed the `totalAmountReleased`, which leads to the user being unable to receive the $CVG tokens released for the IBO even if the user claims them by calling the VestingCvg#`releaseIbo()`
#64
hats-bug-reporter[bot]
opened
1 year ago
1
Frontrunning Attack
#63
hats-bug-reporter[bot]
opened
1 year ago
1
Incorrect check of stale price can lead to DoS and the use of a stale price in the Ibo contract
#62
hats-bug-reporter[bot]
opened
1 year ago
2
Upgradeable contracts should implement a storage gap
#61
hats-bug-reporter[bot]
opened
1 year ago
1
Check that call is from EOA may not hold true in the future
#60
hats-bug-reporter[bot]
opened
1 year ago
1
Use of hardcoded address may cause issues on different chains
#59
hats-bug-reporter[bot]
opened
1 year ago
1
Use `_safeMint` instead of `_mint` to avoid trapped ERC721 tokens
#58
hats-bug-reporter[bot]
opened
1 year ago
1
ERC20 tokens that do not return `bool` are incompatible with Ibo.sol
#57
hats-bug-reporter[bot]
opened
1 year ago
1
Missing check if Chainlink sequencer is down
#56
hats-bug-reporter[bot]
opened
1 year ago
1
Chainlink aggregators return the incorrect price if it drops below `minAnswer`
#55
hats-bug-reporter[bot]
opened
1 year ago
1
`CvgOracle#getPriceAggregator` may return stale or incorrect price
#54
hats-bug-reporter[bot]
opened
1 year ago
1
A malicious IBO NFT holder can claim the `amountToRelease` of $CVG tokens released for the IBO multiple times by reusing the same `_tokenId` of an IBO NFT
#53
hats-bug-reporter[bot]
opened
1 year ago
1
UniV3 price calculation susceptible to flashloan exploits
#52
hats-bug-reporter[bot]
opened
1 year ago
1
Improper transfer of ownership in constructor
#51
hats-bug-reporter[bot]
opened
1 year ago
1
Dangerous hardcoded stablecoin to 1 USD
#50
hats-bug-reporter[bot]
opened
1 year ago
1
Poor naming of variable isStalePrice
#49
hats-bug-reporter[bot]
opened
1 year ago
1
The Ibo#`getTotalCvgDue()` will return a lower total CVG due amount than the actual total CVG due amount if more than four bonds (bond IDs) are created
#48
hats-bug-reporter[bot]
opened
1 year ago
1
Revert in the `computeRoi` function due to `ln` calculation
#47
hats-bug-reporter[bot]
opened
1 year ago
4
Code differs from documentation on vesting terms on existing bonding positions
#46
hats-bug-reporter[bot]
opened
1 year ago
1
Phishing Attack
#45
hats-bug-reporter[bot]
opened
1 year ago
1
Centralization risk: Owner able to maliciously affect bonds prices
#44
hats-bug-reporter[bot]
opened
1 year ago
1
Centralization risk & Rug Pull: Owner Able to set any token address, crashing market
#43
hats-bug-reporter[bot]
opened
1 year ago
1
Centralisation risk: Owner Able to set malicious Oracle Address
#42
hats-bug-reporter[bot]
opened
1 year ago
1