Fixes for minor audit issues #116

Merged
merged 12 commits into from
Feb 28, 2025

@mihailo-maksa mihailo-maksa commented Feb 20, 2025

Issues fixed in this PR:

  • Issue 3.12 – Bonding Curves Can Be Deployed With Empty Name
  • Issue 3.13 – Shortcomings of Administrator Management in BondingCurveRegistry
  • Issue 3.14 – Missing Events in BondingCurveRegistry
  • Issue 3.15 – Unnecessarily Tight Limits in LinearCurve
  • Issue 3.16 – Utilize Helper Functions More
  • Issue 3.17 – Issue an Event for Operation Execution
  • Issue 3.18 – Missing Inheritance From Interface
  • Issue 3.19 – Unused Import in BaseCurve
  • Issue 3.20 – Functions in Curve Contracts Could Be External Instead of Public
  • Issue 3.21 – Preview Functions in LinearCurve Could Be Simplified
  • Issue 3.22 – Unconventional Function Order in BaseCurve and Derived Contracts

Summary of Test Results if Merged To Main:

  • Full logs & artifacts are available in the Actions tab
  • This comment will update automatically with new CI runs

✅ All 107 tests passed! (0 skipped, Total: 107)

Test Results for Merge

Test Suite Status Coverage Time
test/unit/EthMultiVault/BatchCreateAtom.t.sol 100% (2/2) 0.003s
test/unit/EthMultiVault/EmergencyReedemAtom.t.sol 100% (4/4) 0.003s
test/unit/EthMultiVault/AdminMultiVault.t.sol 100% (16/16) 0.006s
test/unit/EthMultiVault/BatchCreateTriple.t.sol 100% (4/4) 0.008s
test/unit/EthMultiVault/Approvals.t.sol 100% (2/2) 0.004s
test/unit/EthMultiVault/CreateTriple.t.sol 100% (6/6) 0.011s
test/unit/EthMultiVault/CreateAtom.t.sol 100% (6/6) 0.003s
test/unit/EthMultiVault/RedeemAtom.t.sol 100% (4/4) 0.003s
test/unit/EthMultiVault/DepositAtom.t.sol 100% (4/4) 0.005s
test/BaseTest.sol 100% (2/2) 0.011s
test/unit/EthMultiVault/RedeemAtomCurve.t.sol 100% (4/4) 0.004s
test/unit/EthMultiVault/RedeemTriple.t.sol 100% (5/5) 0.008s
test/unit/EthMultiVault/DepositAtomCurve.t.sol 100% (4/4) 0.016s
test/unit/EthMultiVault/RedeemTripleCurve.t.sol 100% (5/5) 0.010s
test/unit/EthMultiVault/DepositTriple.t.sol 100% (4/4) 0.015s
test/unit/EthMultiVault/DepositTripleCurve.t.sol 100% (4/4) 0.009s
test/unit/EthMultiVault/EmergencyRedeemTriple.t.sol 100% (5/5) 0.010s
test/unit/EthMultiVault/Helpers.t.sol 100% (4/4) 0.004s
test/unit/EthMultiVault/UseCases.t.sol 100% (6/6) 0.041s
test/unit/EthMultiVault/Profit.t.sol 100% (11/11) 0.022s

🔒 Security Analysis

⚠️ Found 1 High and 1 Medium severity issues

High Severity Issues

arbitrary-send-eth

Impact: AtomWallet._call(address,uint256,bytes) (src/AtomWallet.sol#214-221) sends eth to arbitrary user
Dangerous calls:
  - (success,result) = target.call{value: value}(data) (src/AtomWallet.sol#215)

Affected Files:

  • src/AtomWallet.sol
  • src/AtomWallet.sol:214 in _call

Medium Severity Issues

incorrect-equality

Impact: EthMultiVault._validateTimelock(bytes32) (src/EthMultiVault.sol#2215-2227) uses a dangerous strict equality:
  - timelock.readyTime == 0 (src/EthMultiVault.sol#2218)

Affected Files:

  • src/EthMultiVault.sol

  • src/EthMultiVault.sol:2215 in _validateTimelock

Recommended Actions

  1. Review and fix all high severity issues before deployment
  2. Implement thorough testing for affected components
  3. Consider additional security measures:
    • Access controls
    • Input validation
    • Invariant checks

⛽ Gas Analysis

📊 First gas snapshot created

Summary of Test Results if Merged To Main:

  • Full logs & artifacts are available in the Actions tab
  • This comment will update automatically with new CI runs

✅ All 107 tests passed! (0 skipped, Total: 107)

Test Results for Merge

Test Suite Status Coverage Time
test/unit/EthMultiVault/EmergencyReedemAtom.t.sol 100% (4/4) 0.003s
test/unit/EthMultiVault/CreateTriple.t.sol 100% (6/6) 0.007s
test/unit/EthMultiVault/AdminMultiVault.t.sol 100% (16/16) 0.008s
test/unit/EthMultiVault/RedeemAtom.t.sol 100% (4/4) 0.007s
test/unit/EthMultiVault/Approvals.t.sol 100% (2/2) 0.001s
test/unit/EthMultiVault/DepositAtom.t.sol 100% (4/4) 0.003s
test/BaseTest.sol 100% (2/2) 0.005s
test/unit/EthMultiVault/DepositAtomCurve.t.sol 100% (4/4) 0.004s
test/unit/EthMultiVault/RedeemAtomCurve.t.sol 100% (4/4) 0.007s
test/unit/EthMultiVault/BatchCreateAtom.t.sol 100% (2/2) 0.002s
test/unit/EthMultiVault/DepositTriple.t.sol 100% (4/4) 0.007s
test/unit/EthMultiVault/BatchCreateTriple.t.sol 100% (4/4) 0.011s
test/unit/EthMultiVault/DepositTripleCurve.t.sol 100% (4/4) 0.008s
test/unit/EthMultiVault/RedeemTriple.t.sol 100% (5/5) 0.017s
test/unit/EthMultiVault/CreateAtom.t.sol 100% (6/6) 0.005s
test/unit/EthMultiVault/EmergencyRedeemTriple.t.sol 100% (5/5) 0.008s
test/unit/EthMultiVault/RedeemTripleCurve.t.sol 100% (5/5) 0.022s
test/unit/EthMultiVault/Helpers.t.sol 100% (4/4) 0.006s
test/unit/EthMultiVault/UseCases.t.sol 100% (6/6) 0.063s
test/unit/EthMultiVault/Profit.t.sol 100% (11/11) 0.029s

🔒 Security Analysis

⚠️ Found 1 High and 1 Medium severity issues

High Severity Issues

arbitrary-send-eth

Impact: AtomWallet._call(address,uint256,bytes) (src/AtomWallet.sol#214-221) sends eth to arbitrary user
Dangerous calls:
  - (success,result) = target.call{value: value}(data) (src/AtomWallet.sol#215)

Affected Files:

  • src/AtomWallet.sol
  • src/AtomWallet.sol:214 in _call

Medium Severity Issues

incorrect-equality

Impact: EthMultiVault._validateTimelock(bytes32) (src/EthMultiVault.sol#2215-2227) uses a dangerous strict equality:
  - timelock.readyTime == 0 (src/EthMultiVault.sol#2218)

Affected Files:

  • src/EthMultiVault.sol

  • src/EthMultiVault.sol:2215 in _validateTimelock

Recommended Actions

  1. Review and fix all high severity issues before deployment
  2. Implement thorough testing for affected components
  3. Consider additional security measures:
    • Access controls
    • Input validation
    • Invariant checks

⛽ Gas Analysis

📊 First gas snapshot created

@auroter auroter merged commit 006fad2 into main Feb 28, 2025
5 of 6 checks passed