stake.link

DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: low
Valid

Low Findings

Summary

Low Risk Issues

Issue                                                          Instances
L‑1  Missing gas limit for external call                               1
L‑2  Loss of precision                                                 1
L‑3  Lack of contract existence checks before low-level calls          1
L‑4  Owner can renounce Ownership                                      7
L‑5  Use Ownable2Step instead of Ownable                               3
Total                                                                 13

Low Risk Issues


[L‑1] Missing gas limit for external call

No gas limit is specified for the call, so the recipient can consume all of the gas forwarded to it, which may cause the transaction to revert. When invoking an external contract, it is advisable to provide an explicit gas limit.

Total instances: 1

// File: contracts/core/ccip/WrappedTokenBridge.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/WrappedTokenBridge.sol
//@audit: _transferTokens
183: (bool success, ) = _sender.call{value: msg.value - fees}("");

GitHub: 183

[L‑2] Loss of precision

Division by large numbers may produce a result of zero, because Solidity does not support fractions and integer division rounds down. Consider requiring a minimum amount for the numerator to ensure that it is always larger than the denominator.

Total instances: 1

// File: contracts/core/ccip/SDLPoolCCIPControllerPrimary.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/SDLPoolCCIPControllerPrimary.sol
84: : (tokenBalance * reSDLSupplyByChain[chainSelector]) / totalRESDL;

GitHub: 84
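
The rounding behaviour behind this finding, as an added Python model that is not code from the stake.link repository: it reproduces the floored pro-rata division on line 84, measures the wei left undistributed, applies the minimum-numerator check the finding recommends, and also shows an alternative remainder-assignment mitigation that the page itself does not propose. The chain names and supply figures are constructed sample data.

```python
# Added example, not code from the stake.link repository: a Python model of the
# floored integer division at SDLPoolCCIPControllerPrimary.sol line 84, where a
# token balance is split across chains pro rata to each chain's reSDL supply.
# Solidity's uint256 division rounds down, so a chain whose numerator
# (tokenBalance * supply) is smaller than totalRESDL receives exactly zero, and
# the shares can sum to less than the balance being distributed.
from typing import Dict, List


def split_pro_rata(token_balance: int, resdl_supply_by_chain: Dict[str, int]) -> Dict[str, int]:
    """Per-chain share exactly as the audited line computes it (floor division)."""
    total_resdl = sum(resdl_supply_by_chain.values())
    if total_resdl == 0:
        raise ZeroDivisionError("totalRESDL is zero; nothing to distribute against")
    return {chain: (token_balance * supply) // total_resdl
            for chain, supply in resdl_supply_by_chain.items()}


def undistributed_dust(token_balance: int, shares: Dict[str, int]) -> int:
    """Wei left behind by rounding: balance minus the sum of all floored shares."""
    return token_balance - sum(shares.values())


def chains_rounded_to_zero(token_balance: int, resdl_supply_by_chain: Dict[str, int]) -> List[str]:
    """The check the finding recommends: flag every chain whose numerator is
    below the denominator, because its share would floor to zero."""
    total_resdl = sum(resdl_supply_by_chain.values())
    return [chain for chain, supply in resdl_supply_by_chain.items()
            if supply > 0 and token_balance * supply < total_resdl]


def split_pro_rata_no_dust(token_balance: int, resdl_supply_by_chain: Dict[str, int]) -> Dict[str, int]:
    """Alternative mitigation (not the page's suggestion): give the rounding
    remainder to the last chain so the shares always sum to the balance."""
    shares = split_pro_rata(token_balance, resdl_supply_by_chain)
    last_chain = list(shares)[-1]
    shares[last_chain] += undistributed_dust(token_balance, shares)
    return shares


# Constructed sample: a tiny reward balance against a lopsided reSDL supply.
SAMPLE_BALANCE = 5
SAMPLE_SUPPLY = {"chainA": 1, "chainB": 9_999}

if __name__ == "__main__":
    shares = split_pro_rata(SAMPLE_BALANCE, SAMPLE_SUPPLY)
    print(shares, "dust:", undistributed_dust(SAMPLE_BALANCE, shares))
    print("rounded to zero:", chains_rounded_to_zero(SAMPLE_BALANCE, SAMPLE_SUPPLY))
```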

[L‑3] Lack of contract existence checks before low-level calls

Low-level calls return success even when there is no code located at the specified address. Alongside the zero-address checks, introduce an additional verification step to ensure that <address>.code.length > 0.

Total instances: 1

// File: contracts/core/ccip/WrappedTokenBridge.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/WrappedTokenBridge.sol
//@audit: _sender
183: (bool success, ) = _sender.call{value: msg.value - fees}("");

GitHub: 183

[L‑4] Owner can renounce Ownership

Typically, the contract's owner is the account that deploys the contract. As a result, the owner is able to perform certain privileged activities.

The OpenZeppelin Ownable used by this project's contracts implements renounceOwnership. This represents a risk if ownership is renounced for any reason other than by design: renouncing ownership leaves the contract without an owner, thereby permanently removing any functionality that is only available to the owner.

Total instances: 7

// File: contracts/core/sdlPool/SDLPoolPrimary.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/sdlPool/SDLPoolPrimary.sol
11: contract SDLPoolPrimary is SDLPool {

GitHub: 11

// File: contracts/core/ccip/SDLPoolCCIPControllerPrimary.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/SDLPoolCCIPControllerPrimary.sol
11: contract SDLPoolCCIPControllerPrimary is SDLPoolCCIPController {

GitHub: 11

// File: contracts/core/ccip/RESDLTokenBridge.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/RESDLTokenBridge.sol
16: contract RESDLTokenBridge is Ownable {

GitHub: 16

// File: contracts/core/ccip/WrappedTokenBridge.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/WrappedTokenBridge.sol
19: contract WrappedTokenBridge is Ownable, CCIPReceiver {

GitHub: 19

// File: contracts/core/RewardsInitiator.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/RewardsInitiator.sol
16: contract RewardsInitiator is Ownable {

GitHub: 16

// File: contracts/core/sdlPool/SDLPoolSecondary.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/sdlPool/SDLPoolSecondary.sol
11: contract SDLPoolSecondary is SDLPool {

GitHub: 11

// File: contracts/core/ccip/SDLPoolCCIPControllerSecondary.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/SDLPoolCCIPControllerSecondary.sol
14: contract SDLPoolCCIPControllerSecondary is SDLPoolCCIPController {

GitHub: 14

[L‑5] Use Ownable2Step instead of Ownable

Ownable2Step and Ownable2StepUpgradeable prevent the contract ownership from mistakenly being transferred to an address that cannot handle it (e.g. due to a typo in the address), by requiring that the recipient of the owner permissions actively accept via a contract call of its own.

Total instances: 3

// File: contracts/core/ccip/RESDLTokenBridge.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/RESDLTokenBridge.sol
16: contract RESDLTokenBridge is Ownable {

GitHub: 16

// File: contracts/core/ccip/WrappedTokenBridge.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/ccip/WrappedTokenBridge.sol
19: contract WrappedTokenBridge is Ownable, CCIPReceiver {

GitHub: 19

// File: contracts/core/RewardsInitiator.sol
// https://github.com/Cyfrin/2023-12-stake-link/blob/main/contracts/core/RewardsInitiator.sol
16: contract RewardsInitiator is Ownable {

GitHub: 16
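
The two ownership behaviours behind L‑4 and L‑5, as an added Python model that is neither the project's code nor OpenZeppelin's: it contrasts single-step transfer and renouncement with the two-step nominate-then-accept handshake, and shows that a mistyped recipient is unrecoverable in the first case and harmless in the second. Addresses are plain strings and "0xtyp0", "0xdeployer" and "0xintended" are constructed placeholders.

```python
# Added example, not code from the stake.link repository or OpenZeppelin: a
# Python model of the two ownership styles discussed in L-4 and L-5. Addresses
# are plain strings; "0xtyp0" is a constructed mistyped address nobody controls.
class Unauthorized(Exception): """Stands in for the revert of an onlyOwner check."""

class Ownable:
    """Single-step: transfer takes effect at once; renounce leaves no owner at all."""
    ZERO = "0x0"

    def __init__(self, deployer: str) -> None:
        self.owner = deployer

    def _only_owner(self, caller: str) -> None:
        if caller != self.owner:
            raise Unauthorized(caller)

    def transfer_ownership(self, caller: str, new_owner: str) -> None:
        self._only_owner(caller)
        self.owner = new_owner  # effective immediately, even for a mistyped address

    def renounce_ownership(self, caller: str) -> None:
        self._only_owner(caller)
        self.owner = self.ZERO  # onlyOwner functions are now permanently unreachable

class Ownable2Step(Ownable):
    """Two-step: the nominee must call accept_ownership before anything changes."""
    def __init__(self, deployer: str) -> None:
        super().__init__(deployer)
        self.pending_owner = self.ZERO

    def transfer_ownership(self, caller: str, new_owner: str) -> None:
        self._only_owner(caller)
        self.pending_owner = new_owner  # current owner keeps control until accepted

    def accept_ownership(self, caller: str) -> None:
        if caller != self.pending_owner:
            raise Unauthorized(caller)
        self.pending_owner = self.ZERO
        self.owner = caller

def typo_is_recoverable(contract_cls) -> bool:
    """Deployer mistypes the new owner, then tries to correct it; True if allowed."""
    c = contract_cls("0xdeployer")
    c.transfer_ownership("0xdeployer", "0xtyp0")
    try:
        c.transfer_ownership("0xdeployer", "0xintended")
    except Unauthorized:
        return False
    return True
```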

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

ownable-2step

have a 2-step owner transfer
