Platform: Code4rena
Start Date: 07/04/2022
Pot Size: $100,000 USDC
Total HM: 20
Participants: 62
Period: 7 days
Judge: LSDan
Total Solo HM: 11
Id: 107
League: ETH
Rank: 49/62
Findings: 1
Award: $151.35
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Dravee
Also found by: 0x1f8b, 0xDjango, 0xkatana, AuditsAreUS, Cityscape, Foundation, Funen, Hawkeye, IllIllI, JC, JMukesh, Jujic, Kthere, PPrieditis, Picodes, Ruhum, TerrierLover, TrungOre, WatchPug, berndartmueller, catchup, cccz, cmichel, delfin454000, dy, ellahi, hickuphh3, horsefacts, hubble, hyh, ilan, jayjonah8, kebabsec, kenta, minhquanym, pauliax, rayn, reassor, rfa, robee, samruna
151.3491 USDC - $151.35
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/JPEG.sol#L20 Consider adding a valid check for the to address. The to address can be of a contract or another token or user. See the test code below to replicate the behavior:

    it("should return the correct JPEG balance", async () => {
      await controller.approveStrategy(token.address, strategy.address);
      await controller.setStrategy(token.address, strategy.address);
      await jpeg.mint(token.address, units(500)); // the to address can be any address
      expect(await controller.balanceOfJPEG(token.address)).to.equal(units(500));
    });

https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/yVault.sol#L115 setFarmingPool is declared public but not called from within the contract. Consider making it external. Public visibility will persist the parameters, which can incur fees.
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/yVault.sol#L35 The whitelistedContractMap is not necessary. It can be an address array. If a contract is whitelisted, add it to the array; if not, remove it. Removing the extra flag will save some space in the contract.
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/yVault.sol#L187 Function withdrawJPEG() seems to be a duplicate of Controller.withdrawJPEG() and is not necessary. Remove the function or make it a utility.
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/yVault.sol#L61 Modifier noContract() is duplicated, can be abstracted out
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/yVault.sol#L89 setContractWhitelisted is duplicated, can be abstracted out
#0 - spaghettieth
2022-04-20T12:53:19Z