Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #348

Open
code423n4 opened this issue May 25, 2022 · 0 comments
Open

QA Report #348

code423n4 opened this issue May 25, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

[N] Contract file name does not follow coding conventions

Having a consistent naming style in the project leads to fewer errors.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L20

contract AuraToken is ERC20 {

The filename Aura.sol should be AuraToken.sol.

[N] Misleading comment

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L386-L389

// e.g. now = 16
// if contract is shutdown OR latest lock unlock time (e.g. 17) <= now - (1)
// e.g. 17 <= (16 + 1)
if (isShutdown || locks[length - 1].unlockTime <= expiryTime) {

At L387 now - (1) = 16 - 1 = 15. The comment is wrong.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L108-L111

// e.g. (new) reduction = (500 - 100) * 2.5 + 700 = 1700;
// e.g. (new) reduction = (500 - 250) * 2.5 + 700 = 1325;
// e.g. (new) reduction = (500 - 400) * 2.5 + 700 = 950;
uint256 reduction = totalCliffs.sub(cliff).mul(5).div(2).add(700);

2.5

[L] Critical operations should emit events

Across the contracts, there are certain critical operations that change critical values that affect the users of the protocol.

It's a best practice for these setter functions to emit events to record these changes on-chain for off-chain monitors/tools/interfaces to register the updates and react if necessary.

Instances include:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/cCrv.sol#L38-L41

function setOperator(address _operator) external {
    require(msg.sender == operator, "!auth");
    operator = _operator;
}

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L62-L65

function setFeeManager(address _feeManager) external {
    require(msg.sender == feeManager, "!auth");
    feeManager = _feeManager;
}

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L67-L70

function setDaoOperator(address _daoOperator) external {
    require(msg.sender == daoOperator, "!auth");
    daoOperator = _daoOperator;
}

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L72-L78

function setFees(uint256 _lockIncentive) external{
    require(msg.sender==feeManager, "!auth");

    if(_lockIncentive >= 0 && _lockIncentive <= 30){
        lockIncentive = _lockIncentive;
    }
}

[L] Precision loss due to div before mul

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L73

uint256 minOut = (((amount * 1e18) / bptOraclePrice) * minOutBps) / 10000;

Recommendation

Can be changed to:

uint256 minOut = (((amount * 1e18) * minOutBps) / bptOraclePrice) / 10000;
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 25, 2022
code423n4 added a commit that referenced this issue May 25, 2022
@0xMaharishi 0xMaharishi added the duplicate This issue or pull request already exists label May 28, 2022
@dmvt dmvt removed the duplicate This issue or pull request already exists label Jul 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Development

No branches or pull requests

3 participants