Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit 1 #66

Merged
merged 2 commits into from
Sep 17, 2024
Merged

audit 1 #66

merged 2 commits into from
Sep 17, 2024

Conversation

0xNe0x1
Copy link
Contributor

@0xNe0x1 0xNe0x1 commented Sep 16, 2024

No description provided.

0xNe0x1
0xNe0x1 commented Sep 17, 2024
View reviewed changes
audits/v3/Audit1.md

**Description**

In the `_validatePreConditions` function, the contract checks if `payment.deadline < block.timestamp * 1000`. Since `block.timestamp` returns the current block timestamp in seconds, multiplying it by 1000 converts it to milliseconds. This means `payment.deadline` is expected to be in milliseconds, which may cause confusion and inconsistencies, as most Solidity time-related functions and variables use seconds.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is intentional. Millisecond-based deadlines are necessary to differentiate between duplicate payments during the validation process.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will document it clearly.

audits/v3/Audit1.md

**Description**

In the `_payReceiver` function, when `payment.receiverType == 0` and `payment.tokenOutAddress` is an ERC20 token, the contract transfers `payment.paymentAmount` to `payment.paymentReceiverAddress` without checking if the address is `address(0)`. If `payment.paymentReceiverAddress` is `address(0)`, the tokens will be sent to the zero address, effectively burning them, which may not be the intended behavior.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using DePay to burn tokens might be intentional. We can address this in the SDKs by giving users control over the process, rather than completely preventing it.

audits/v3/Audit1.md

**Description**

If users accidentally send Ether to the contract without proper interaction (e.g., directly sending Ether to the contract's address), or if there are rounding errors and leftover Ether after operations, these funds may remain stuck in the contract. While the owner can withdraw tokens via the `withdraw` function, regular users cannot retrieve their mistakenly sent funds.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Calculating excess funds would result in an unnecessary increase in gas usage due to the conditional checks required. In worst-case scenarios, the owner can withdraw and return the excess Ether. However, this situation should not occur, as the SDKs can prevent it, and input amounts are confirmed and signed by the users.

@0xNe0x1 0xNe0x1 merged commit 291a67d into v3 Sep 17, 2024
6 of 9 checks passed
@0xNe0x1 0xNe0x1 deleted the v3-audit-1 branch September 17, 2024 06:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@0xNe0x1