Aura Finance contest - sorrynotsorry's results

QA (LOW & NON-CRITICAL)

• Floating Pragma used in Aura.sol, AuraBalRewardPool.sol, AuraClaimZap.sol, AuraMath.sol, AuraMerkleDrop.sol, AuraMinter.sol, AuraPenaltyForwarder.sol, AuraStakingProxy.sol, AuraVestedEscrow.sol, BalLiquidityProvider.sol, ClaimFeesHelper.sol, ExtraRewardsDistributor.sol. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma (i.e. by not using ^) helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively. Reference

• The whole project have different solidity compiler ranges ( 0.6.12 - 0.8.11) referenced. This leads to potential security flaws between deployed contracts depending on the compiler version chosen for any particular file. It also greatly increases the cost of maintenance as different compiler versions have different semantics and behavior.

• The project uses Solidity version 0.6.12. Using an old version prevents access to new Solidity security checks. However the current version is 0.8.14 with more benefits and less bugs.

• The project uses deprecated safeApprove in AuraBalRewardPool.sol, AuraClaimZap.sol, AuraLocker.sol, AuraMerkleDrop.sol, AuraPenaltyForwarder.sol, AuraStakingProxy.sol, AuraVestedEscrow.sol, BalLiquidityProvider.sol, CrvDepositorWrapper.sol, BaseRewardPool4626.sol, Booster.sol, CrvDepositor.sol, VoterProxy.sol Link

• transfer and safeTransfer methods are used inside the codebase. Since these methods use 2300 gas stipend which is not adjustable, it may likely to get broken when calling a contract's fallback function. Reference Link -1, Reference Link -2

• The distributeOther() function can be re-entered by fake tokens or tokens with callbacks. Reference