49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
{
"client_name": "Xave Finance",
"commit_hash": "01486a398b0aa36b9798ba06fce11b5d3376909d",
"date": "October 2021",
"date_interval": "October 18th to October 29th, 2021",
"issues": [
{
"active_lock_reason": null,
"assignee": null,
"assignees": [],
"author_association": "MEMBER",
"body": "**Description**\r\n\r\nShould validate approval before sending tokens, especially since there is the possibility to implement a hook.\r\n\r\n**Recommendation**\r\n\r\nPrefer to update (and check) approval\r\n\r\nhttps://github.com/akiratechhq/review-halo-dao-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/incentives/lib/ERC20.sol#L119-L123\r\n\r\nBefore the actual transfer of tokens\r\n\r\nhttps://github.com/akiratechhq/review-halo-dao-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/incentives/lib/ERC20.sol#L118\r\n",
"closed_at": "2021-10-29T07:44:20Z",
"comments": 3,
"comments_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/7/comments",
"created_at": "2021-10-26T09:13:27Z",
"events_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/7/events",
"html_url": "https://github.com/akiratechhq/review-xave-lending-market-2021-10/issues/7",
"id": 1036042103,
"labels": [
{
"color": "FF9500",
"default": false,
"description": null,
"id": 3475632774,
"name": "Medium",
"node_id": "LA_kwDOGQeFgs7PKfKG",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Medium"
}
],
"labels_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/7/labels{/name}",
"locked": false,
"milestone": null,
"node_id": "I_kwDOGQeFgs49wL93",
"number": 7,
"performed_via_github_app": null,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/7/reactions"
},
"repository_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10",
"state": "closed",
"state_reason": "completed",
"timeline_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/7/timeline",
"title": "transferFrom should validate approval before transfer",
"updated_at": "2021-10-29T07:44:30Z",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/7",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/547012?v=4",
"events_url": "https://api.github.com/users/cleanunicorn/events{/privacy}",
"followers_url": "https://api.github.com/users/cleanunicorn/followers",
"following_url": "https://api.github.com/users/cleanunicorn/following{/other_user}",
"gists_url": "https://api.github.com/users/cleanunicorn/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/cleanunicorn",
"id": 547012,
"login": "cleanunicorn",
"node_id": "MDQ6VXNlcjU0NzAxMg==",
"organizations_url": "https://api.github.com/users/cleanunicorn/orgs",
"received_events_url": "https://api.github.com/users/cleanunicorn/received_events",
"repos_url": "https://api.github.com/users/cleanunicorn/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/cleanunicorn/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/cleanunicorn/subscriptions",
"type": "User",
"url": "https://api.github.com/users/cleanunicorn"
}
},
{
"active_lock_reason": null,
"assignee": null,
"assignees": [],
"author_association": "MEMBER",
"body": "**Description**\r\n\r\n`WETH9` state variable never changes therefore it can be defined as a constant to save gas costs:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/buyback/Treasury.sol#L26\r\n",
"closed_at": null,
"comments": 0,
"comments_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/6/comments",
"created_at": "2021-10-26T07:43:38Z",
"events_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/6/events",
"html_url": "https://github.com/akiratechhq/review-xave-lending-market-2021-10/issues/6",
"id": 1035947982,
"labels": [
{
"color": "667788",
"default": false,
"description": null,
"id": 3475632699,
"name": "Report",
"node_id": "LA_kwDOGQeFgs7PKfI7",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Report"
},
{
"color": "FFCC00",
"default": false,
"description": null,
"id": 3475632737,
"name": "Minor",
"node_id": "LA_kwDOGQeFgs7PKfJh",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Minor"
}
],
"labels_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/6/labels{/name}",
"locked": false,
"milestone": null,
"node_id": "I_kwDOGQeFgs49v0_O",
"number": 6,
"performed_via_github_app": null,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/6/reactions"
},
"repository_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10",
"state": "open",
"state_reason": null,
"timeline_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/6/timeline",
"title": "WETH9 state variable can be made constant to save gas costs",
"updated_at": "2024-03-20T07:44:42Z",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/6",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/547012?v=4",
"events_url": "https://api.github.com/users/cleanunicorn/events{/privacy}",
"followers_url": "https://api.github.com/users/cleanunicorn/followers",
"following_url": "https://api.github.com/users/cleanunicorn/following{/other_user}",
"gists_url": "https://api.github.com/users/cleanunicorn/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/cleanunicorn",
"id": 547012,
"login": "cleanunicorn",
"node_id": "MDQ6VXNlcjU0NzAxMg==",
"organizations_url": "https://api.github.com/users/cleanunicorn/orgs",
"received_events_url": "https://api.github.com/users/cleanunicorn/received_events",
"repos_url": "https://api.github.com/users/cleanunicorn/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/cleanunicorn/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/cleanunicorn/subscriptions",
"type": "User",
"url": "https://api.github.com/users/cleanunicorn"
}
},
{
"active_lock_reason": null,
"assignee": null,
"assignees": [],
"author_association": "MEMBER",
"body": "**Description**\r\n\r\nThere are several places in the RNBW related contracts that perform loops over dynamic variables:\r\n\r\nhttps://github.com/akiratechhq/review-halo-dao-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/incentives/RnbwDistributionManager.sol#L53-L54\r\n\r\nhttps://github.com/akiratechhq/review-halo-dao-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/incentives/RnbwDistributionManager.sol#L152-L153\r\n\r\nhttps://github.com/akiratechhq/review-halo-dao-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/incentives/RnbwDistributionManager.sol#L179-L180\r\n\r\nhttps://github.com/akiratechhq/review-halo-dao-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/incentives/RnbwIncentivesController.sol#L99-L100\r\n\r\nhttps://github.com/akiratechhq/review-halo-dao-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/incentives/RnbwIncentivesController.sol#L129-L130\r\n\r\n\r\n\r\n**Recommendation**\r\n\r\nCache the length locally and use the local variable in the loop.\r\n\r\n**Reference**\r\n\r\nAn example was created to illustrate the gas difference with or without length cache.\r\n\r\nNot using a cache, for a set of 10 iterations uses 47850 gas:\r\n\r\n```solidity\r\npragma solidity 0.6.12;\r\n\r\ncontract SumNumbers {\r\n uint[] public numbers;\r\n \r\n constructor(uint size) public {\r\n // Add some data to work with\r\n for (uint i = 0; i < size; i++) {\r\n numbers.push(i);\r\n }\r\n }\r\n \r\n // for size == 10, gas cost: 47850\r\n function sumNumbers() public view returns (uint) {\r\n uint sum;\r\n for(uint i = 0; i < numbers.length; i++) {\r\n sum += numbers[i];\r\n }\r\n \r\n return sum;\r\n }\r\n}\r\n```\r\n\r\nUsing a cache, for the same set of 10 iterations uses 46861 gas:\r\n\r\n```solidity\r\npragma solidity 0.6.12;\r\n\r\ncontract SumNumbersWithCache {\r\n uint[] 
public numbers;\r\n \r\n constructor(uint size) public {\r\n // Add some data to work with\r\n for (uint i = 0; i < size; i++) {\r\n numbers.push(i);\r\n }\r\n }\r\n \r\n // for size == 10, gas cost: 46861\r\n function sumNumbers() public view returns (uint) {\r\n uint sum;\r\n uint size = numbers.length;\r\n \r\n for(uint i = 0; i < size; i++) {\r\n sum += numbers[i];\r\n }\r\n \r\n return sum;\r\n }\r\n}\r\n```\r\n\r\nBoth contracts were compiled with 200 optimization rounds.",
"closed_at": "2021-10-28T03:27:18Z",
"comments": 1,
"comments_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/5/comments",
"created_at": "2021-10-25T05:02:17Z",
"events_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/5/events",
"html_url": "https://github.com/akiratechhq/review-xave-lending-market-2021-10/issues/5",
"id": 1034679935,
"labels": [
{
"color": "FFCC00",
"default": false,
"description": null,
"id": 3475632737,
"name": "Minor",
"node_id": "LA_kwDOGQeFgs7PKfJh",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Minor"
}
],
"labels_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/5/labels{/name}",
"locked": false,
"milestone": null,
"node_id": "I_kwDOGQeFgs49q_Z_",
"number": 5,
"performed_via_github_app": null,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/5/reactions"
},
"repository_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10",
"state": "closed",
"state_reason": "completed",
"timeline_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/5/timeline",
"title": "Cache dynamic variables locally before using them in a loop",
"updated_at": "2021-10-29T05:23:09Z",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/5",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/342638?v=4",
"events_url": "https://api.github.com/users/andreiashu/events{/privacy}",
"followers_url": "https://api.github.com/users/andreiashu/followers",
"following_url": "https://api.github.com/users/andreiashu/following{/other_user}",
"gists_url": "https://api.github.com/users/andreiashu/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/andreiashu",
"id": 342638,
"login": "andreiashu",
"node_id": "MDQ6VXNlcjM0MjYzOA==",
"organizations_url": "https://api.github.com/users/andreiashu/orgs",
"received_events_url": "https://api.github.com/users/andreiashu/received_events",
"repos_url": "https://api.github.com/users/andreiashu/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/andreiashu/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/andreiashu/subscriptions",
"type": "User",
"url": "https://api.github.com/users/andreiashu"
}
},
{
"active_lock_reason": null,
"assignee": null,
"assignees": [],
"author_association": "MEMBER",
"body": "**Description**\r\n\r\nIn most cases the code makes use of OpenZeppelin's standard libraries:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/15d777ba6d5690c918bff660532b68887ef23914/code/contracts/buyback/Treasury.sol#L7-L9\r\n\r\nIn other cases, however, the code uses copy-pasted versions of the same libraries:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/15d777ba6d5690c918bff660532b68887ef23914/code/contracts/incentives/RnbwIncentivesController.sol#L6-L8\r\n\r\nBelow we show that there are no functional differences between the `./incentives/lib/Context.sol` file and the one that comes with OpenZeppelin:\r\n\r\n```diff\r\n$ diff -uN --ignore-all-space ./incentives/lib/Context.sol ../node_modules/@openzeppelin/contracts/GSN/Context.sol\r\n--- ./incentives/lib/Context.sol 2021-10-22 08:00:48.000000000 +0700\r\n+++ ../node_modules/@openzeppelin/contracts/GSN/Context.sol 2021-10-22 13:39:41.000000000 +0700\r\n@@ -1,10 +1,9 @@\r\n // SPDX-License-Identifier: MIT\r\n \r\n-pragma solidity 0.6.12;\r\n+pragma solidity ^0.6.0;\r\n \r\n-/**\r\n- * @dev From https://github.com/OpenZeppelin/openzeppelin-contracts\r\n- * Provides information about the current execution context, including the\r\n+/*\r\n+ * @dev Provides information about the current execution context, including the\r\n * sender of the transaction and its data. 
While these are generally available\r\n```\r\n\r\n`SafeMath.sol` is identical but the diff is bigger because of different code formatting:\r\n\r\n```diff\r\n$ diff -uN --ignore-all-space ./incentives/lib/SafeMath.sol ../node_modules/@openzeppelin/contracts/math/SafeMath.sol\r\n--- ./incentives/lib/SafeMath.sol 2021-10-22 08:00:48.000000000 +0700\r\n+++ ../node_modules/@openzeppelin/contracts/math/SafeMath.sol 2021-10-22 13:39:41.000000000 +0700\r\n@@ -1,9 +1,9 @@\r\n-// SPDX-License-Identifier: agpl-3.0\r\n-pragma solidity 0.6.12;\r\n+// SPDX-License-Identifier: MIT\r\n+\r\n+pragma solidity ^0.6.0;\r\n \r\n /**\r\n- * @dev From https://github.com/OpenZeppelin/openzeppelin-contracts\r\n- * Wrappers over Solidity's arithmetic operations with added overflow\r\n+ * @dev Wrappers over Solidity's arithmetic operations with added overflow\r\n * checks.\r\n *\r\n * Arithmetic operations in Solidity wrap on overflow. This can easily result\r\n@@ -23,11 +23,12 @@\r\n * Counterpart to Solidity's `+` operator.\r\n *\r\n * Requirements:\r\n+ *\r\n * - Addition cannot overflow.\r\n */\r\n function add(uint256 a, uint256 b) internal pure returns (uint256) {\r\n uint256 c = a + b;\r\n- require(c >= a, 'SafeMath: addition overflow');\r\n+ require(c >= a, \"SafeMath: addition overflow\");\r\n \r\n return c;\r\n }\r\n@@ -39,10 +40,11 @@\r\n * Counterpart to Solidity's `-` operator.\r\n *\r\n * Requirements:\r\n+ *\r\n * - Subtraction cannot overflow.\r\n */\r\n function sub(uint256 a, uint256 b) internal pure returns (uint256) {\r\n- return sub(a, b, 'SafeMath: subtraction overflow');\r\n+ return sub(a, b, \"SafeMath: subtraction overflow\");\r\n }\r\n \r\n /**\r\n@@ -52,13 +54,10 @@\r\n * Counterpart to Solidity's `-` operator.\r\n *\r\n * Requirements:\r\n+ *\r\n * - Subtraction cannot overflow.\r\n */\r\n- function sub(\r\n- uint256 a,\r\n- uint256 b,\r\n- string memory errorMessage\r\n- ) internal pure returns (uint256) {\r\n+ function sub(uint256 a, uint256 b, string memory 
errorMessage) internal pure returns (uint256) {\r\n require(b <= a, errorMessage);\r\n uint256 c = a - b;\r\n \r\n@@ -72,6 +71,7 @@\r\n * Counterpart to Solidity's `*` operator.\r\n *\r\n * Requirements:\r\n+ *\r\n * - Multiplication cannot overflow.\r\n */\r\n function mul(uint256 a, uint256 b) internal pure returns (uint256) {\r\n@@ -83,7 +83,7 @@\r\n }\r\n \r\n uint256 c = a * b;\r\n- require(c / a == b, 'SafeMath: multiplication overflow');\r\n+ require(c / a == b, \"SafeMath: multiplication overflow\");\r\n \r\n return c;\r\n }\r\n@@ -97,10 +97,11 @@\r\n * uses an invalid opcode to revert (consuming all remaining gas).\r\n *\r\n * Requirements:\r\n+ *\r\n * - The divisor cannot be zero.\r\n */\r\n function div(uint256 a, uint256 b) internal pure returns (uint256) {\r\n- return div(a, b, 'SafeMath: division by zero');\r\n+ return div(a, b, \"SafeMath: division by zero\");\r\n }\r\n \r\n /**\r\n@@ -112,14 +113,10 @@\r\n * uses an invalid opcode to revert (consuming all remaining gas).\r\n *\r\n * Requirements:\r\n+ *\r\n * - The divisor cannot be zero.\r\n */\r\n- function div(\r\n- uint256 a,\r\n- uint256 b,\r\n- string memory errorMessage\r\n- ) internal pure returns (uint256) {\r\n- // Solidity only automatically asserts when dividing by 0\r\n+ function div(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {\r\n require(b > 0, errorMessage);\r\n uint256 c = a / b;\r\n // assert(a == b * c + a % b); // There is no case in which this doesn't hold\r\n@@ -136,10 +133,11 @@\r\n * invalid opcode to revert (consuming all remaining gas).\r\n *\r\n * Requirements:\r\n+ *\r\n * - The divisor cannot be zero.\r\n */\r\n function mod(uint256 a, uint256 b) internal pure returns (uint256) {\r\n- return mod(a, b, 'SafeMath: modulo by zero');\r\n+ return mod(a, b, \"SafeMath: modulo by zero\");\r\n }\r\n \r\n /**\r\n@@ -151,13 +149,10 @@\r\n * invalid opcode to revert (consuming all remaining gas).\r\n *\r\n * Requirements:\r\n+ *\r\n * - The 
divisor cannot be zero.\r\n */\r\n- function mod(\r\n- uint256 a,\r\n- uint256 b,\r\n- string memory errorMessage\r\n- ) internal pure returns (uint256) {\r\n+ function mod(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {\r\n require(b != 0, errorMessage);\r\n return a % b;\r\n }\r\n```\r\n\r\n**Recommendation**\r\n\r\nRemove the following contracts from `./code/contracts/incentives/lib/` folder and make use of the version provided with OpenZeppelin: `Context`, `ERC20`, `MintableErc20`, `SafeMath`.",
"closed_at": null,
"comments": 0,
"comments_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/4/comments",
"created_at": "2021-10-23T06:28:19Z",
"events_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/4/events",
"html_url": "https://github.com/akiratechhq/review-xave-lending-market-2021-10/issues/4",
"id": 1034092105,
"labels": [
{
"color": "667788",
"default": false,
"description": null,
"id": 3475632699,
"name": "Report",
"node_id": "LA_kwDOGQeFgs7PKfI7",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Report"
},
{
"color": "FFCC00",
"default": false,
"description": null,
"id": 3475632737,
"name": "Minor",
"node_id": "LA_kwDOGQeFgs7PKfJh",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Minor"
}
],
"labels_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/4/labels{/name}",
"locked": false,
"milestone": null,
"node_id": "I_kwDOGQeFgs49ov5J",
"number": 4,
"performed_via_github_app": null,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/4/reactions"
},
"repository_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10",
"state": "open",
"state_reason": null,
"timeline_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/4/timeline",
"title": "Reuse openzeppelin libraries",
"updated_at": "2024-03-20T07:44:11Z",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/4",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/342638?v=4",
"events_url": "https://api.github.com/users/andreiashu/events{/privacy}",
"followers_url": "https://api.github.com/users/andreiashu/followers",
"following_url": "https://api.github.com/users/andreiashu/following{/other_user}",
"gists_url": "https://api.github.com/users/andreiashu/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/andreiashu",
"id": 342638,
"login": "andreiashu",
"node_id": "MDQ6VXNlcjM0MjYzOA==",
"organizations_url": "https://api.github.com/users/andreiashu/orgs",
"received_events_url": "https://api.github.com/users/andreiashu/received_events",
"repos_url": "https://api.github.com/users/andreiashu/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/andreiashu/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/andreiashu/subscriptions",
"type": "User",
"url": "https://api.github.com/users/andreiashu"
}
},
{
"active_lock_reason": null,
"assignee": null,
"assignees": [],
"author_association": "MEMBER",
"body": "**Description**\r\n\r\nThe `onlyEOA` modifier is obsolete and can be removed:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/15d777ba6d5690c918bff660532b68887ef23914/code/contracts/buyback/Treasury.sol#L98-L101\r\n",
"closed_at": null,
"comments": 0,
"comments_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/3/comments",
"created_at": "2021-10-23T05:55:46Z",
"events_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/3/events",
"html_url": "https://github.com/akiratechhq/review-xave-lending-market-2021-10/issues/3",
"id": 1034085750,
"labels": [
{
"color": "667788",
"default": false,
"description": null,
"id": 3475632699,
"name": "Report",
"node_id": "LA_kwDOGQeFgs7PKfI7",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Report"
},
{
"color": "34C759",
"default": false,
"description": null,
"id": 3475632722,
"name": "Informational",
"node_id": "LA_kwDOGQeFgs7PKfJS",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Informational"
}
],
"labels_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/3/labels{/name}",
"locked": false,
"milestone": null,
"node_id": "I_kwDOGQeFgs49ouV2",
"number": 3,
"performed_via_github_app": null,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/3/reactions"
},
"repository_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10",
"state": "open",
"state_reason": null,
"timeline_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/3/timeline",
"title": "Remove obsolete modifier in `Treasury` contract",
"updated_at": "2024-03-20T07:42:37Z",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/3",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/342638?v=4",
"events_url": "https://api.github.com/users/andreiashu/events{/privacy}",
"followers_url": "https://api.github.com/users/andreiashu/followers",
"following_url": "https://api.github.com/users/andreiashu/following{/other_user}",
"gists_url": "https://api.github.com/users/andreiashu/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/andreiashu",
"id": 342638,
"login": "andreiashu",
"node_id": "MDQ6VXNlcjM0MjYzOA==",
"organizations_url": "https://api.github.com/users/andreiashu/orgs",
"received_events_url": "https://api.github.com/users/andreiashu/received_events",
"repos_url": "https://api.github.com/users/andreiashu/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/andreiashu/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/andreiashu/subscriptions",
"type": "User",
"url": "https://api.github.com/users/andreiashu"
}
},
{
"active_lock_reason": null,
"assignee": null,
"assignees": [],
"author_association": "MEMBER",
"body": "**Description**\r\n\r\n`Treasury.buybackRnbw()` uses Uniswap V2 to convert underlying tokens into USDC:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/15d777ba6d5690c918bff660532b68887ef23914/code/contracts/buyback/Treasury.sol#L63-L69\r\n\r\nThe `deadline` argument passed to `swapExactTokensForTokens` function is 60 blocks into the future. The deadline parameter is useful for frontend and other off-chain software to ensure there's a deadline after which a swap transaction will revert.\r\n\r\nIn this case, passing just `block.timestamp` is enough to ensure correct behavior:\r\n\r\nUniswap's `swapExactTokensForTokens` [definition](https://github.com/Uniswap/v2-periphery/blob/dda62473e2da448bc9cb8f4514dadda4aeede5f4/contracts/UniswapV2Router01.sol#L179-L185):\r\n\r\n```solidity\r\n function swapExactTokensForTokens(\r\n uint amountIn,\r\n uint amountOutMin,\r\n address[] calldata path,\r\n address to,\r\n uint deadline\r\n ) external override ensure(deadline) returns (uint[] memory amounts) {\r\n```\r\n\r\nUniswap `ensure` [modifier](https://github.com/Uniswap/v2-periphery/blob/dda62473e2da448bc9cb8f4514dadda4aeede5f4/contracts/UniswapV2Router01.sol#L15-L18):\r\n\r\n```solidity\r\n modifier ensure(uint deadline) {\r\n require(deadline >= block.timestamp, 'UniswapV2Router: EXPIRED');\r\n _;\r\n }\r\n```\r\n\r\n**Recommendation**\r\n\r\nInstead of `block.timestamp + 60` just pass `block.timestamp` as the deadline argument to `swapExactTokensForTokens` call.\r\n\r\n**Notes**\r\n\r\nA similar change can be made to the `originSwap` call:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/15d777ba6d5690c918bff660532b68887ef23914/code/contracts/buyback/Treasury.sol#L81-L88\r\n\r\nThe issue here though is that you still need to add `+1` to the `block.timestamp` because of the way the `deadline` modifier in `Curve.sol` is defined. 
Because of this, we leave it to the Xave Finance team to decide whether to change the call to `originSwap`, since there are no (gas) benefits, although it might provide more clarity to the reader:\r\n\r\n```solidity\r\n modifier deadline(uint256 _deadline) {\r\n require(block.timestamp < _deadline, \"Curve/tx-deadline-passed\");\r\n _;\r\n }\r\n```",
"closed_at": null,
"comments": 0,
"comments_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/2/comments",
"created_at": "2021-10-23T05:54:02Z",
"events_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/2/events",
"html_url": "https://github.com/akiratechhq/review-xave-lending-market-2021-10/issues/2",
"id": 1034085468,
"labels": [
{
"color": "667788",
"default": false,
"description": null,
"id": 3475632699,
"name": "Report",
"node_id": "LA_kwDOGQeFgs7PKfI7",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Report"
},
{
"color": "FFCC00",
"default": false,
"description": null,
"id": 3475632737,
"name": "Minor",
"node_id": "LA_kwDOGQeFgs7PKfJh",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Minor"
}
],
"labels_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/2/labels{/name}",
"locked": false,
"milestone": null,
"node_id": "I_kwDOGQeFgs49ouRc",
"number": 2,
"performed_via_github_app": null,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/2/reactions"
},
"repository_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10",
"state": "open",
"state_reason": null,
"timeline_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/2/timeline",
"title": "Unnecessary future `deadline` value passed to swap functions",
"updated_at": "2024-03-20T07:43:03Z",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/2",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/342638?v=4",
"events_url": "https://api.github.com/users/andreiashu/events{/privacy}",
"followers_url": "https://api.github.com/users/andreiashu/followers",
"following_url": "https://api.github.com/users/andreiashu/following{/other_user}",
"gists_url": "https://api.github.com/users/andreiashu/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/andreiashu",
"id": 342638,
"login": "andreiashu",
"node_id": "MDQ6VXNlcjM0MjYzOA==",
"organizations_url": "https://api.github.com/users/andreiashu/orgs",
"received_events_url": "https://api.github.com/users/andreiashu/received_events",
"repos_url": "https://api.github.com/users/andreiashu/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/andreiashu/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/andreiashu/subscriptions",
"type": "User",
"url": "https://api.github.com/users/andreiashu"
}
},
{
"active_lock_reason": null,
"assignee": null,
"assignees": [],
"author_association": "MEMBER",
"body": "**Description**\r\n\r\nThe owner of the `Treasury` can call the `buybackRnbw` function to convert one or more of the underlying tokens within a lending pool to `rnbw` tokens:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/buyback/Treasury.sol#L44\r\n\r\nThe function first uses the cloned DFX protocol to convert the token into USDC:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/buyback/Treasury.sol#L81-L88\r\n\r\nAfter that the Uniswap V2 protocol is used to convert from USDC to RNBW tokens:\r\n\r\nhttps://github.com/akiratechhq/review-xave-lending-market-2021-10/blob/fbfed0a187e9d8df75172a17a83d6cafbb5cbc8a/code/contracts/buyback/Treasury.sol#L59-L69\r\n\r\nThe issue is that in both token swap cases above, the arguments `amountOutMin` (for Uniswap) and `_minTargetAmount` (for DFX Curve contract) are passed as `0` values. This means that the `Treasury` contract does not enforce any minimum amount expected for the output of RNBW tokens swapped. \r\n\r\nThe reason why the above two implementations are vulnerable to price manipulation is explained in the Uniswap V2 [**Safety Considerations** section](https://docs.uniswap.org/protocol/V2/guides/smart-contract-integration/trading-from-a-smart-contract):\r\n\r\n> Because Ethereum transactions occur in an adversarial environment, smart contracts that do not perform safety checks can be exploited for profit. If a smart contract assumes that the current price on Uniswap is a \"fair\" price without performing safety checks, it is vulnerable to manipulation. A bad actor could e.g. easily insert transactions before and after the swap (a \"sandwich\" attack) causing the smart contract to trade at a much worse price, profit from this at the trader's expense, and then return the contracts to their original state. 
(One important caveat is that these types of attacks are mitigated by trading in extremely liquid pools, and/or at low values.)\r\n\r\n**Recommendation**\r\n\r\nThe best way to protect against these attacks is to use an external price feed or \"price oracle\". The best \"oracle\" is simply traders' off-chain observation of the current price, which can be passed into the trade as a safety check.\r\n\r\nThe `buybackRnbw` function can accept an additional parameter `minRNBWAmount` that can be checked after the two above steps are performed, or passed to the `swapExactTokensForTokens` Uniswap function, to ensure that an expected minimum amount of RNBW tokens was received by the `Treasury` contract.\r\n\r\nFor example, Uniswap V2 [getAmountsOut](https://docs.uniswap.org/protocol/V2/reference/smart-contracts/library#getamountsout) can be used by a frontend to calculate a fair value for USDC / RNBW:\r\n\r\n> Given an input asset amount and an array of token addresses calculates all subsequent maximum output token amounts by calling getReserves for each pair of token addresses in the path in turn, and using these to call getAmountOut.\r\n> \r\n> Useful for calculating optimal token amounts before calling swap.\r\n\r\n**References**\r\n\r\n[Uniswap V2 Documentation: Implement a Swap](https://docs.uniswap.org/protocol/V2/guides/smart-contract-integration/trading-from-a-smart-contract)\r\n\r\n[DEFI Sandwich Attack Explanation](https://medium.com/coinmonks/defi-sandwich-attack-explain-776f6f43b2fd)\r\n\r\n[Rapid Rise of MEV in Ethereum](https://medium.com/etherscan-blog/rapid-rise-of-mev-in-ethereum-9bcb62e53517)",
"closed_at": null,
"comments": 0,
"comments_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/1/comments",
"created_at": "2021-10-22T08:15:36Z",
"events_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/1/events",
"html_url": "https://github.com/akiratechhq/review-xave-lending-market-2021-10/issues/1",
"id": 1033305835,
"labels": [
{
"color": "667788",
"default": false,
"description": null,
"id": 3475632699,
"name": "Report",
"node_id": "LA_kwDOGQeFgs7PKfI7",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Report"
},
{
"color": "FF9500",
"default": false,
"description": null,
"id": 3475632774,
"name": "Medium",
"node_id": "LA_kwDOGQeFgs7PKfKG",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/labels/Medium"
}
],
"labels_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/1/labels{/name}",
"locked": false,
"milestone": null,
"node_id": "I_kwDOGQeFgs49lv7r",
"number": 1,
"performed_via_github_app": null,
"reactions": {
"+1": 0,
"-1": 0,
"confused": 0,
"eyes": 0,
"heart": 0,
"hooray": 0,
"laugh": 0,
"rocket": 0,
"total_count": 0,
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/1/reactions"
},
"repository_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10",
"state": "open",
"state_reason": null,
"timeline_url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/1/timeline",
"title": "`Treasury.buybackRnbw()` is vulnerable to price manipulation attacks",
"updated_at": "2024-03-20T07:43:36Z",
"url": "https://api.github.com/repos/akiratechhq/review-xave-lending-market-2021-10/issues/1",
"user": {
"avatar_url": "https://avatars.githubusercontent.com/u/342638?v=4",
"events_url": "https://api.github.com/users/andreiashu/events{/privacy}",
"followers_url": "https://api.github.com/users/andreiashu/followers",
"following_url": "https://api.github.com/users/andreiashu/following{/other_user}",
"gists_url": "https://api.github.com/users/andreiashu/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/andreiashu",
"id": 342638,
"login": "andreiashu",
"node_id": "MDQ6VXNlcjM0MjYzOA==",
"organizations_url": "https://api.github.com/users/andreiashu/orgs",
"received_events_url": "https://api.github.com/users/andreiashu/received_events",
"repos_url": "https://api.github.com/users/andreiashu/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/andreiashu/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/andreiashu/subscriptions",
"type": "User",
"url": "https://api.github.com/users/andreiashu"
}
}
],
"person_days": "15",
"project_name": "Xave Lending Market",
"review_period": "2 weeks",
"source_repository": "[email protected]:akiratechhq/review-xave-lending-market-2021-10.git",
"template": "./Readme.md.mustache"
}