Collaborator

@77ph 77ph commented Jul 14, 2025

  • Internal audit

@77ph 77ph requested a review from 8ball030 July 14, 2025 09:06
Sending native tokens to a contract changes the balance, but does not change the variables.
Not checked msg.value vs roundPoints[curRound].minDonation
I recommend removing the function if it has no other use or limiting it to the owner only.
Contributor

#37
Removed in

### Low: No emit
```
No emit in withdrawIncentiveTokenBalance()
```
Contributor

Fixed in 7f64736

Before using other tokens, check their behavior on call approve(0).
Ref:
```
IToken(incentiveTokenAddress).approve(permit2, 0);
```
Contributor

@8ball030 8ball030 Jul 14, 2025

Is this a problem?
Or can the current implementation be left, as I'd like to basically add a new function to swap out the incentivised pool?
Will this break other tokens?

Collaborator Author

@77ph 77ph Jul 15, 2025

No problem. Just notes.
Perhaps such tokens exist where it is not allowed to do approve(0) - but I don't know any like that.

### Medium: withdrawIncentiveTokenBalance()
You can't take away by owner what has already been promised for rewards and donations have already been made in round - 1.
```
uint256 claimRound = currentRound - 1;
```
Contributor

#38

Resolves

Also catches 2 more issues;

i) check promised prior to doning

ii) reentrancy check;

#38

Collaborator Author

good point

Confusing calculations. Actually the point is that if `roundToClaimed[claimRound][account] > 0` then you need to return 0.
```
uint256 amount = (donation * roundPoints[claimRound].availableRewards) / totalRoundDonations;
uint256 claimedAmount = roundToClaimed[claimRound][account];
```
Contributor

fixed in;
#39
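
The two accounting points raised in this review (an account that has already claimed for `claimRound` gets 0, and the owner cannot withdraw tokens already promised as rewards), as an added Solidity sketch that is not the project's contract. The storage layout, `promisedRewards`, `roundDonations`, `donate()` and `closeRound()` are assumptions; only the names quoted in the review come from the page.

```solidity
pragma solidity ^0.8.20;

// Added sketch, not the audited contract; storage layout and helper functions are assumed.
interface IToken {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract RewardSketch {
    struct RoundPoint { uint256 availableRewards; uint256 totalDonations; }
    address public immutable owner;
    address public immutable incentiveTokenAddress;
    uint256 public currentRound;
    uint256 public promisedRewards; // owed for round currentRound - 1 and not yet claimed
    mapping(uint256 => RoundPoint) public roundPoints;
    mapping(uint256 => mapping(address => uint256)) public roundDonations;
    mapping(uint256 => mapping(address => uint256)) public roundToClaimed;
    constructor(address token) { owner = msg.sender; incentiveTokenAddress = token; }
    function donate() external payable { // handling of the donated ETH itself is out of scope here
        roundDonations[currentRound][msg.sender] += msg.value;
        roundPoints[currentRound].totalDonations += msg.value;
    }
    function closeRound(uint256 rewards) external { // owner commits rewards for the round that ends
        require(msg.sender == owner, "not owner");
        roundPoints[currentRound].availableRewards = rewards;
        promisedRewards = rewards; // unclaimed rewards of the older round lapse in this sketch
        require(IToken(incentiveTokenAddress).balanceOf(address(this)) >= rewards, "underfunded");
        currentRound += 1;
    }
    function claimable(address account) public view returns (uint256) {
        if (currentRound == 0) return 0;
        uint256 claimRound = currentRound - 1;
        uint256 total = roundPoints[claimRound].totalDonations;
        if (total == 0 || roundToClaimed[claimRound][account] > 0) return 0; // already claimed => 0
        return (roundDonations[claimRound][account] * roundPoints[claimRound].availableRewards) / total;
    }
    function claim() external {
        uint256 amount = claimable(msg.sender);
        require(amount > 0, "nothing to claim");
        roundToClaimed[currentRound - 1][msg.sender] = amount; // state first, external call last
        promisedRewards -= amount;
        require(IToken(incentiveTokenAddress).transfer(msg.sender, amount), "transfer failed");
    }
    function withdrawIncentiveTokenBalance(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        // Only the surplus above what donors are still owed may leave the contract.
        require(amount + promisedRewards <= IToken(incentiveTokenAddress).balanceOf(address(this)), "exceeds surplus");
        require(IToken(incentiveTokenAddress).transfer(owner, amount), "transfer failed");
    }
}
```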

@8ball030 8ball030 merged commit 5e01783 into main Jul 18, 2025
1 check passed
@8ball030 8ball030 deleted the audit1 branch July 18, 2025 16:07