QA Report #150
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Table of Contents
Low Risk Issues
Non-critical Issues
Low Risk Issues
[L-01] Admin Address Change should be a 2-Step Process
Issue
The function changes an admin account with single process.
This can be a concern since an admin role has a high privilege in the contract and
mistakenly setting a new admin to an incorrect address will end up losing that privilege.
PoC
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Note.sol#L21-L27
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/NoteInterest.sol#L109-L114
Mitigation
This can be fixed by implementing 2-step process. We can do this by following.
First make the function approve a new address as a pending admin.
Next that pending admin has to claim the ownership in a separate transaction to be a new admin.
[L-02] Require should be used instead of Assert
Issue
Solidity documents mention that properly functioning code should never reach a failing assert statement
and if this happens there is a bug in the contract which should be fixed.
Reference: https://docs.soliditylang.org/en/v0.8.15/control-structures.html#panic-via-assert-and-error-via-require
PoC
Mitigation
Replace assert by require.
[L-03] Immutable addresses should 0-Check
Issue
I recommend adding check of 0-address for immutable addresses.
Not doing so might lead to non-functional contract when it is updated to 0-address accidentally.
PoC
4 immutable addresses of "USDC", "Comptroller", "factory" and "wcanto" of BaseV1-periphery.sol
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L91-L97
Mitigation
Add 0-address check for above 4 immutable addresses.
Non-critical Issues
[N-01] Require Statements without Descriptive Revert Strings
Issue
It is best practice to include descriptive revert strings for require statement for readability and auditing.
PoC
Mitigation
Add descriptive revert strings to easier understand what the code is trying to do.
[N-02] Unnecessary Use of Named Returns
Issue
Several function adds return statement even thought named returns variable are used.
Remove unnecessary named returns variable to improve code readability.
Also keeping the use of named returns or return statement consistent through out the whole project
if possible is recommended.
PoC
BaseV1-core.sol
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-core.sol#L141-L143
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-core.sol#L206-L214
BaseV1-periphery.sol
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L135-L147
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L489-L535
GovernorAlpha.sol
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L218-L221
GovernorBravoDelegate.sol
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorBravoDelegate.sol#L102-L105
Mitigation
Remove unused named returns variable and keep the use of named returns or return statement consistent
through out the whole project if possible.
[N-03] Should Resolve TODOs before Deployment
Issue
Questions/Issues in the code should be resolved before the deployment.
PoC
Mitigation
Resolve the question/issue and remove TODO comment from code.
[N-04] Constant Naming Convention
Issue
Constants should be named with all capital letters with underscores separating words.
Reference: https://docs.soliditylang.org/en/v0.8.15/style-guide.html?highlight=naming#constants
PoC
Mitigation
Name the constants with all capital letters with underscores separating words.
For examples: NAME, BLOCKS_PER_YEAR, DECIMALS
[N-05] Define Magic Numbers to Constant
Issue
It is best practice to define magic numbers to constant rather than just using as a magic number.
This improves code readability and maintainability.
PoC
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-core.sol#L332
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-core.sol#L336
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L534
Mitigation
Define magic numbers to constant.
[N-06] Use Double-Quotes for Strings
Issue
Strings should be quoted with double-quotes instead of single-quotes.
Solidity documents reference: https://docs.soliditylang.org/en/v0.8.15/style-guide.html?highlight=strings#other-recommendations
PoC
Mitigation
Change above single-quotes to double-quotes.
[N-07] Best Practices of Source File Layout
Issue
I recommend following best practices of solidity source file layout for readability.
Reference: https://docs.soliditylang.org/en/v0.8.15/style-guide.html#order-of-layout
This best practices is to layout a contract elements in following order:
Pragma statements, Import statements, Interfaces, Libraries, Contracts
Inside each contract, library or interface, use the following order:
Type declarations, State variables, Events, Modifiers, Functions
PoC
Mitigation
I recommend to follow best practice source file layout
[N-08] Event is Missing Indexed Fields
Issue
Each event should have 3 indexed fields if there are 3 or more fields.
PoC
Mitigation
Use all 3 index fields when possible.
[N-09] TYPO
Issue
Some typo was found in the following.
PoC
Change "obervations" to "observations"
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-core.sol#L64
Change "doesn"t" to "doesn't"
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L173
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L204
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Stableswap/BaseV1-periphery.sol#L230
Change "Accounant" to "Accountant"
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/CNote.sol#L24
Change "efore" to "before"
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/CNote.sol#L41
Change "irrelevent" to "irrelevant"
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/NoteInterest.sol#L124
Mitigation
Change to correct spelling as mentioned in above PoC
[N-10] Incomplete NatSpec
Issue
It is recommended that Solidity contracts are fully annotated using NatSpec for all public interfaces.
However there were places where this NatSpec was incomplete.
PoC
AccountantDelegate.sol
no @param for treasury_
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegate.sol#L11-L16
AccountantDelegator.sol
no @return
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegator.sol#L49-L52
no @return
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegator.sol#L58-L61
no @return
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegator.sol#L74-L79
GovernorBravoDelegator.sol
no @param for newPendingAdmin
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorBravoDelegator.sol#L52-L54
Mitigation
Add missing NatSpec mentioned in above PoC.
[N-11] Use fixed compiler versions instead of floating version
Issue
It is best practice to lock your pragma instead of using floating pragma.
The use of floating pragma has a risk of accidentally get deployed using latest complier
which may have higher risk of undiscovered bugs.
Reference: https://consensys.github.io/smart-contract-best-practices/development-recommendations/solidity-specific/locking-pragmas/
PoC
Mitigation
I suggest to lock your pragma and aviod using floating pragma.
The text was updated successfully, but these errors were encountered: