Juicebox V2 contest - robee's results

Lines of code

https://github.com/code-423n4/juice-contracts-v2-code4rena/tree/main/contracts/JBTokenStore.sol#L438

Vulnerability details

There are ERC20 tokens that charge fee for every transfer() / transferFrom().

Vault.sol#addValue() assumes that the received amount is the same as the transfer amount, and uses it to calculate attributions, balance amounts, etc. But, the actual transferred amount can be lower for those tokens. Therefore it's recommended to use the balance change before and after the transfer instead of the amount. This way you also support the tokens with transfer fee - that are popular.

Code instance:

    https://github.com/code-423n4/juice-contracts-v2-code4rena/tree/main/contracts/JBTokenStore.sol#L438

Must approve 0 first

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.

Code instances:

approve without approving 0 first JBERC20PaymentTerminal.sol, 98, IERC20(token).approve(_to, _amount);

approve without approving 0 first JBETHERC20SplitsPayer.sol, 492, IERC20(_token).approve(address(_split.allocator), _splitAmount);

Does not validate the input fee parameter

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

Code instances:

    JBChainlinkV3PriceFeed.constructor (_feed)
    JBPrices.addFeedFor (_feed)

safeApprove of openZeppelin is deprecated

You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.

Code instances:

    Deprecated safeApprove in JBERC20PaymentTerminal.sol line 98: IERC20(token).approve(_to, _amount);
    Deprecated safeApprove in JBETHERC20SplitsPayer.sol line 492: IERC20(_token).approve(address(_split.allocator), _splitAmount);

Two Steps Verification before Transferring Ownership

The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked. It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership. A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105

Code instances:

    JBToken.sol
    IJBToken.sol

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/juice-contracts-v2-code4rena/tree/main/contracts/JBETHERC20SplitsPayer.sol#L478
    https://github.com/code-423n4/juice-contracts-v2-code4rena/tree/main/contracts/JBToken.sol#L190

Not verified input

external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    JBSingleTokenPaymentTerminalStore.sol.recordPaymentFrom _beneficiary
    JBToken.sol.transfer _to
    JBToken.sol.approve _spender

Not verified owner

    owner param should be validated to make sure the owner address is not address(0).
    Otherwise if not given the right input all only owner accessible functions will be unaccessible.
    
    

Code instances:

    JBTokenStore.sol.changeFor _newOwner
    JBETHERC20SplitsPayerDeployer.sol.deploySplitsPayer _owner
    JBETHERC20ProjectPayerDeployer.sol.deployProjectPayer _owner
    JBProjects.sol.createFor _owner

Named return issue

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.

Code instances:

    JBSingleTokenPaymentTerminalStore.sol, recordPaymentFrom
    JBController.sol, issueTokenFor
    JBFundingCycleStore.sol, _deriveStartFrom
    JBFundingCycleStore.sol, currentOf

Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/juice-contracts-v2-code4rena/tree/main/contracts/JBETHERC20SplitsPayer.sol#L205
    https://github.com/code-423n4/juice-contracts-v2-code4rena/tree/main/contracts/JBDirectory.sol#L211
    https://github.com/code-423n4/juice-contracts-v2-code4rena/tree/main/contracts/JBProjects.sol#L162

approve return value is ignored

Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert. Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value. We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens. The list of occurrences in format (solidity file, line number, actual line)

Code instances:

JBERC20PaymentTerminal.sol, 98, IERC20(token).approve(_to, _amount);

JBETHERC20SplitsPayer.sol, 492, IERC20(_token).approve(address(_split.allocator), _splitAmount);

transfer return value of a general ERC20 is ignored

Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must

1. Check the transfer return value Another popular possibility is to add a whiteList. Those are the appearances (solidity file, line number, actual line):

Code instances:

    JBERC20PaymentTerminal.sol, 87 (_transferFrom), ? IERC20(token).transfer(_to, _amount)
    JBERC20PaymentTerminal.sol, 88 (_transferFrom), : IERC20(token).transferFrom(_from, _to, _amount);

Unnecessary cast

Code instances:

    int256 JBController.sol._reservedTokenAmountFrom - unnecessary casting int256(_processedTokenTracker)
    address JBETHERC20SplitsPayer.sol.pay - unnecessary casting address(_token)
    address JBETHERC20SplitsPayer.sol.addToBalanceOf - unnecessary casting address(_token)

Use unchecked to save gas for certain additive calculations that cannot overflow

You can use unchecked in the following calculations since there is no risk to overflow:

Code instances:

    JBFundingCycleStore.sol (L#588) - if ( _fundingCycle.duration > 0 && block.timestamp >= _fundingCycle.start + _fundingCycle.duration ) return 0; 
    JBFundingCycleStore.sol (L#633) - : block.timestamp - _baseFundingCycle.duration + 1; 
    JBReconfigurationBufferBallot.sol (L#77) - if (block.timestamp < _configured + duration) 
    JBFundingCycleStore.sol (L#632) - ? block.timestamp + 1
    JBFundingCycleStore.sol (L#602) - block.timestamp >= _baseFundingCycle.start + _baseFundingCycle.duration ) return 0; 

Consider inline the following functions to save gas

You can inline the following functions instead of writing a specific function to save gas.
(see https://github.com/code-423n4/2021-11-nested-findings/issues/167 for a similar issue.)

Code instances

    JBGlobalFundingCycleMetadataResolver.sol, setTerminalsAllowed, { return (_data & 1) == 1; }

Unnecessary equals boolean

Boolean variables can be checked within conditionals directly without the use of equality operators to true/false.

Code instance:

    JBDirectory.sol, 168: if (_terminalsOf[_projectId][_i] == _terminal) return true;

State variables that could be set immutable

In the following files there are state variables that could be set immutable to save gas.

Code instance:

    feed in JBChainlinkV3PriceFeed.sol

Unused state variables

Unused state variables are gas consuming at deployment (since they are located in storage) and are a bad code practice. Removing those variables will decrease deployment gas cost and improve code quality. This is a full list of all the unused storage variables we found in your code base.

Code instances:

    JBOperations.sol, MIGRATE_TERMINAL
    JBOperations.sol, SET_CONTROLLER
    JBOperations.sol, PROCESS_FEES

Unused declared local variables

Unused local variables are gas consuming, since the initial value assignment costs gas. And are a bad code practice. Removing those variables will decrease the gas cost and improve code quality. This is a full list of all the unused storage variables we found in your code base.

Code instances:

    JBETHERC20SplitsPayer.sol, _payTo, _payableValue
    JBETHERC20SplitsPayer.sol, _payTo, _data

Caching array length can save gas

Caching the array length is more gas efficient. This is because access to a local variable in solidity is more efficient than query storage / calldata / memory. We recommend to change from:

for (uint256 i=0; i<array.length; i++) { ... }

to:

uint len = array.length  
for (uint256 i=0; i<len; i++) { ... }

Code instances:

    JBOperatorStore.sol, _permissionIndexes, 85
    JBDirectory.sol, , 139
    JBController.sol, _fundAccessConstraints, 1014
    JBSingleTokenPaymentTerminalStore.sol, _terminals, 862
    JBSplitsStore.sol, _splits, 229
    JBOperatorStore.sol, _operatorData, 135

Prefix increments are cheaper than postfix increments

Prefix increments are cheaper than postfix increments. Further more, using unchecked {++x} is even more gas efficient, and the gas saving accumulates every iteration and can make a real change There is no risk of overflow caused by increamenting the iteration index in for loops (the ++i in for (uint256 i = 0; i < numIterations; ++i)). But increments perform overflow checks that are not necessary in this case. These functions use not using prefix increments (++x) or not using the unchecked keyword:

Code instances:

    change to prefix increment and unchecked: JBDirectory.sol, _i, 167
    change to prefix increment and unchecked: JBSplitsStore.sol, _i, 229
    change to prefix increment and unchecked: JBSplitsStore.sol, _i, 304
    change to prefix increment and unchecked: JBSplitsStore.sol, _i, 204
    change to prefix increment and unchecked: JBFundingCycleStore.sol, i, 724

Unnecessary index init

In for loops you initialize the index to start from 0, but it already initialized to 0 in default and this assignment cost gas. It is more clear and gas efficient to declare without assigning 0 and will have the same meaning:

Code instances:

    JBController.sol, 913
    JBSingleTokenPaymentTerminalStore.sol, 862
    JBETHERC20SplitsPayer.sol, 466
    JBSplitsStore.sol, 204

Unnecessary default assignment

Unnecessary default assignments, you can just declare and it will save gas and have the same meaning.

Code instance:

    JBProjects.sol (L#40) : uint256 public override count = 0; 

Use != 0 instead of > 0

Using != 0 is slightly cheaper than > 0. (see https://github.com/code-423n4/2021-12-maple-findings/issues/75 for similar issue)

Code instances:

    JBSingleTokenPaymentTerminalStore.sol, 589: change 'balance > 0' to 'balance != 0'
    JBSingleTokenPaymentTerminalStore.sol, 514: change 'balance > 0' to 'balance != 0'
    JBSingleTokenPaymentTerminalStore.sol, 834: change 'balance > 0' to 'balance != 0'
    JBFundingCycleStore.sol, 469: change '_weight > 0' to '_weight != 0'
    JBFundingCycleStore.sol, 364: change '_metadata > 0' to '_metadata != 0'