8. Audit Findings 201.md

  1. Document potential edge cases for hook receiver contracts
  2. Document token behavior restrictions
  3. Full test suite is recommended
  4. Kyber getRates code is unclear
  5. Return value is not used for TokenUtils.withdrawTokens
  6. Missing access control for DefiSaverLogger.Log
  7. Remove stale comments
  8. Discrepancy between code and comments
  9. Remove unnecessary call to DAOfiV1Factory.formula()
  10. Deeper validation of curve math
  11. GovernorAlpha proposals may be canceled by the proposer, even after they have been accepted and queued
  12. Require a delay period before granting KYC_ADMIN_ROLE
  13. Improve inline documentation and test coverage
  14. Unspecific compiler version pragma
  15. Use of hardcoded gas limits can be problematic
  16. Anyone can steal all the funds that belong to ReferralFeeReceiver
  17. Unpredictable behavior for users due to admin front running or general bad timing
  18. Improve system documentation and create a complete technical specification
  19. Ensure system states, roles, and permissions are sufficiently restrictive
  20. Evaluate all tokens prior to inclusion in the system
  21. Use descriptive names for contracts and libraries
  22. Prevent contracts from being used before they are entirely initialized
  23. Potential resource exhaustion by external calls performed within an unbounded loop
  24. Owners can never be removed
  25. Potential manipulation of stable interest rates using flash loans
  26. Only whitelist validated assets
  27. Underflow if TOKEN_DECIMALS are greater than 18
  28. Chainlink's performance at times of price volatility
  29. Consider an iterative approach to launching. Be aware of and prepare for worst-case scenarios
  30. Use of modifiers for repeated checks
  31. Switch modifier order
  32. Address codebase fragility
  33. Reentrancy could lead to incorrect order of emitted events
  34. Variable shadowing from OUSD to ERC20
  35. VaultCore.rebase functions have no return statements
  36. Multiple contracts are missing inheritances
  37. Solidity compiler optimizations can be dangerous
  38. Permission-granting is too simplistic and not flexible enough
  39. Lack of validation when setting the maturity value
  40. Delegates can be added or removed repeatedly to bloat logs
  41. Lack of events for critical operations
  42. _assertStakingPoolExists never returns true
  43. min* and max* have unorthodox semantics
  44. CurveFactory.newCurve returns existing curves without provided arguments
  45. Missing zero-address checks in Curve.transferOwnership and Router.constructor
  46. safeApprove does not check return values for approve call
  47. ERC20 token Curve does not implement symbol, name, or decimals
  48. Insufficient use of SafeMath
  49. setFrozen can be front-run to deny deposits-swaps
  50. Account creation spam
  51. Using empty functions instead of interfaces leaves contract error-prone
  52. cancelTransaction can be called on non-queued transaction
  53. Contracts used as dependencies do not track upstream changes
  54. Expected behavior regarding authorization for adding tokens is unclear
  55. Contract name duplication leaves codebase error-prone
  56. Use of hard-coded addresses may cause errors
  57. Borrow rate depends on approximation of blocks per year
  58. Flash loan rate lacks bounds and can be set arbitrarily
  59. Logic duplicated across code
  60. Insufficient testing
  61. Project dependencies contain vulnerabilities
  62. Lack of contract documentation makes codebase difficult to understand
  63. ABIEncoderV2 is not production-ready
  64. Contract owner has too many privileges
  65. Poor error-handling practices in test suite
  66. Redundant and Unused Code
  67. Single Account Can Capture All Supply
  68. Insufficient Input Validation
  69. Unused Event Logs
  70. Possible Unintended Token Burning in transferFrom() Function
  71. Denial of Service Vector from Unbound List
  72. ERC20 Implementation Vulnerable to Front-Running
  73. Unnecessary require Statement
  74. Rounding to Zero if Duration is Greater Than Reward
  75. Withdrawn Event Log Poisoning
  76. Insufficient incentives to liquidator
  77. Markets can become insolvent
  78. Not using OpenZeppelin contracts
  79. Lack of indexed parameters in events
  80. Named return variables
  81. block.timestamp Unreliable
  82. Assignment in require statement
  83. Commented code
  84. Misleading revert messages
  85. Multiple outdated Solidity versions in use
  86. Test and production constants in the same codebase
  87. Unnecessarily small integer sizes
  88. Use of uint instead of uint256
  89. Functions with unexpected side-effects
  90. Unsafe casting
  91. Unsafe division in rdivide and wdivide functions
  92. Uncommented assembly block
  93. Unnecessary require statements
  94. Unnecessary event emission
  95. oToken can be created with a non-whitelisted collateral asset
  96. Mismatches between contracts and interfaces
  97. Actions not executed atomically might lead to inconsistent state
  98. Chainlink pricer is using a deprecated API
  99. Funds can be lost
  100. Use delete to clear variables