Skip to content

artiffine-vojtech/rewardable-contracts

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
packages
packages
 
 
.gitignore
.gitignore
 
 
.prettierrc
.prettierrc
 
 
README.md
README.md
 
 
package.json
package.json
 
 
yarn.lock
yarn.lock
 
 

Repository files navigation

Rewardable V2 Contracts

Audit

General Comments

  1. Overview Section, page 7

Add RewardDistributorV1LZ contract in the report Overview section, it is the most important contract in the project and is missing in the list, even though it was audited.

Issues

  1. MAC - Missing Access Control - FIXED, added a check that the method can be called only by user himself or by approved sponsor admin addresses

  2. ISRP - Inadequate Signature Replay Protection - ACKNOWLEDGE, NOT A BUG, SEE BELOW

We have adequate replay protection mechanism, as backend always signs number of all REWARDS accrued per user. Contract keeps track in in withdrawnRewards how much was already withdrawn. So even if someone tries to reuse signature, he cannot be able to withdraw more than totalAmount - withdrawnRewards, you can see it in line 253.

  1. PLAM - Potential Liquidity Amount Manipulation - FIXED, added a fixed range restriction for positions, that can be staked
  2. APW - Admin Privileged Withdrawals - ACKNOWLEDGE, multisig is used
  3. CCR - Contract Centralization Risk - ACKNOWLEDGE, multisig is used
  4. IAC - Inadequate Access Control - FIXED, added onlyOwner modifier
  5. IAI - Inadequate Admin Initialization - ACKNOWLEDGE, the checks are performed in the deployment scripts
  6. ISV - Inadequate Signature Verification - ACKNOWLEDGE, NOT A BUG, we actually check that tokenAdmin signed the message
  7. MCM - Misleading Comment Messages - FIXED, added correct comment message
  8. MEM - Missing Error Messages - FIXED, error message added
  9. MSC - Missing Sanity Check - FIXED, sanity check added
  10. MTLV - Missing Time Lock Validation - ACKNOWLEDGE
  11. MU - Modifiers Usage - ACKNOWLEDGE
  12. PL TM - Potential Lock Time Manipulation - ACKNOWLEDGE
  13. PTAI - Potential Transfer Amount Inconsistency - ACKNOWLEDGE, there is no tax on token transfers
  14. RFD - Redundant Function Declaration - ACKNOWLEDGE
  15. RSML - Redundant SafeMath Library - ACKNOWLEDGE
  16. SVMC - Signature Validation Missing ChainID - ACKNOWLEDGE
  17. TSI - Tokens Sufficiency Insurance - ACKNOWLEDGE, the process is intentionally split to two methods to align with offchain processes
  18. L04 - Conformance to Solidity Naming Conventions - ACKNOWLEDGE
  19. L16 - Validate Variable Setters - ACKNOWLEDGE
  20. L19 - Stable Compiler Version - ACKNOWLEDGE

We do believe that these findings are not a bug and can be completely removed from the audit: 2. ISRP - Inadequate Signature Replay Protection 8. ISV - Inadequate Signature Verification

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages