code4rena #84

Merged
merged 20 commits into from
Jun 2, 2022
@0xMaharishi (Contributor) commented May 29, 2022

Findings & resolution

Code4rena findings, post filter, and ordered by contract name. Commits are done alphabetically from top down (1st commit = Aura.sol, 2nd commit = AuraBalRewardPool.sol, and so on) to aid in reviewing.


| Contract | Severity | ID | Note/Fix | URL |
| --- | --- | --- | --- | --- |
| Aura.sol | 1 | 34 | Add protection on updateOperator | code-423n4/2022-05-aura-findings#34 |
| Aura.sol | 1 | 125 | Add second variable | code-423n4/2022-05-aura-findings#125 |
| Aura.sol | 0 | 24 | Remove libs from aura token | code-423n4/2022-05-aura-findings#24 |
| AuraBalRewardPool.sol | 1 | | Withdraw to treasuryDAO before rewards start. Also mutate AuraLocker. Backup in case bug is found in system, to prevent auraBAL locking | |
| AuraBalRewardPool.sol | 0 | 123 | Protections on constructor | code-423n4/2022-05-aura-findings#123 |
| AuraBalRewardPool.sol | 0 | 167 | Remove safemath from AuraBalRewardPool | code-423n4/2022-05-aura-findings#167 |
| AuraClaimZap.sol | 2 | 108 | Fix as per comment | code-423n4/2022-05-aura-findings#108 |
| AuraLocker.sol | 2 | 261 | maxRewardRate | code-423n4/2022-05-aura-findings#261 |
| AuraLocker.sol | 2 | 278 | Add blacklisting | code-423n4/2022-05-aura-findings#278 |
| AuraLocker.sol | 2 | 178 | max reward tokens on aura locker Add method to “claimExtras” w/ overload | code-423n4/2022-05-aura-findings#178 |
| AuraLocker.sol | 1 | 1 | Make queueNewRewards generic and update calls | code-423n4/2022-05-aura-findings#1 |
| AuraLocker.sol | 0 | 28 | Remove ABIEncoder | code-423n4/2022-05-aura-findings#28 |
| AuraLocker.sol | 0 | 156 | Just change this to amount | code-423n4/2022-05-aura-findings#156 |
| AuraLocker.sol | 0 | 212 | Just add | code-423n4/2022-05-aura-findings#212 |
| AuraMerkleDrop.sol | 1 | | Allow withdraw to treasuryDAO within first week before it has started | |
| AuraMerkleDrop.sol | 1 | 316 | Subtract pending penalty | code-423n4/2022-05-aura-findings#316 |
| AuraMerkleDrop.sol | 0 | 95 | Add check for non zero addr | code-423n4/2022-05-aura-findings#95 |
| AuraMerkleDrop.sol | 0 | 268 | move penalty forwarder to constructor | code-423n4/2022-05-aura-findings#268 |
| AuraMinter.sol | 0 | 10 | Comment | code-423n4/2022-05-aura-findings#10 |
| AuraVestedEscrow.sol | 1 | 133 | Fix as per comment. ALSO check for mismatching array lengths | code-423n4/2022-05-aura-findings#133 |
| AuraVestedEscrow.sol | 0 | 126 | Simple check to disallow funding | code-423n4/2022-05-aura-findings#126 |
| BalLiquidityProvider.sol | 1 | 90 | Add check | code-423n4/2022-05-aura-findings#90 |
| BalLiquidityProvider.sol | 0 | 285 | add ≥ | code-423n4/2022-05-aura-findings#285 |
| BaseRewardPool.sol | 2 | 178 | max reward tokens on baserewardpool - just add if(max) then do nothing. To avoid bricking, don’t revert. Only called from 2 places: Booster & ExtraRewardsStashV3. StashV3: avoid bricking by limiting manual reward addition. Booster: manual check, will never need more than 10 | code-423n4/2022-05-aura-findings#178 |
| BaseRewardPool4626.sol | 1 | 39 | SafeMath usage | code-423n4/2022-05-aura-findings#39 |
| Booster.sol | 1 | 243 | owner sets vote delegate & feeManager | code-423n4/2022-05-aura-findings#243 |
| ConvexMasterChef.sol | 2 | 313 | Add reentrancyguard | code-423n4/2022-05-aura-findings#313 |
| ConvexMasterChef.sol | 1 | 147 | remove with update arg, add limit && for add, disable rewardToken or duplicates | code-423n4/2022-05-aura-findings#147 |
| CrvDepositor.sol | 2 | 341 | consider disabling minting if cooldown to avoid bpt getting locked | code-423n4/2022-05-aura-findings#341 |
| CrvDepositor.sol | 1 | 343 | If the lock is > 1 week old, increase lock time | code-423n4/2022-05-aura-findings#343 |
| CrvDepositorWrapper.sol | 2 | 115 | Temporary measure to avoid system freezing is to allow the keeper to set a minOut override | code-423n4/2022-05-aura-findings#115 |
| EstraRewardsDistributor.sol | 2 | 50 | Add validation | code-423n4/2022-05-aura-findings#50 |
| ExtraRewardsDistributor.sol | 1 | 240 | Whitelisted accs only can add | code-423n4/2022-05-aura-findings#240 |
| ExtraRewardsDistributor.sol | 1 | 180 | Whitelisted accs only can add | code-423n4/2022-05-aura-findings#180 |
| ExtraRewardsDistributor.sol | 1 | 5 | Simply add > 0. Doesn’t do much tbh but already changing smth else | code-423n4/2022-05-aura-findings#5 |
| ExtraRewardsDistributor.sol | 0 | 230 | Make fn private & add reentrancyguard | code-423n4/2022-05-aura-findings#230 |
| Interfaces.sol | 0 | 249 | remove abicoderv2 | code-423n4/2022-05-aura-findings#249 |
| Many | 0 | 172 | compiler and comments | code-423n4/2022-05-aura-findings#172 |
| Many | 0 | 107 | mass update and lock compiler v | code-423n4/2022-05-aura-findings#107 |
| PenaltyForwarder.sol | 0 | 49 | Mutate ExtraRewardsDistributor | code-423n4/2022-05-aura-findings#49 |
| StashFactoryV2.sol | 0 | 362 | add non zero gauge check | code-423n4/2022-05-aura-findings#362 |

@0xMaharishi 0xMaharishi marked this pull request as draft May 29, 2022 16:03
@0xMaharishi 0xMaharishi marked this pull request as ready for review May 30, 2022 15:59
* test: increase test coverage
* test: fix max limit tx on fork tests
0xahtle7 and others added 2 commits June 2, 2022 17:55
* test: increase test coverage on AuraMerkleDrop
* test: increase test coverage on BalLiquidityProvider
* test: increase test coverage on AuraBalRewardPool
3 participants