Platform: Code4rena
Start Date: 20/06/2023
Pot Size: $36,500 USDC
Total HM: 2
Participants: 23
Period: 3 days
Judge: 0xean
Id: 252
League: ETH
Rank: 16/23
Findings: 1
Award: $226.82
🌟 Selected for report: 1
🚀 Solo Findings: 0
226.8203 USDC - $226.82
8 low issues and 2 non-critical found.
Params has two methods, one uses pointer and the other a value reciver. GoLang documentation recommends choosing either one or the other. (Arugments being consistency, readability and peformance) https://go.dev/doc/faq#methods_on_values_or_pointers
The Validate method is currently using a value receiever, this can be changed to a pointer without side affect (avoiding copying the struct on each call).
Change the Params from value to reference.
x/onboarding/keeper/params.go:L89 - func (p Params) Validate() error { + func (p *Params) Validate() error {
GoDoc paramater of soldTokenDenom on swap:calculateWithExactInput is not a function parameter, however there is a boughtTokenDenom parameter (which would be an inversion of the GoDoc description).
x/coinswap/keeper/swap.go:L33 - @param soldTokenDenom : received token's denom + @param boughtTokenDenom : demonination of token brought
GoDoc mehod comment for pool:GetPoolBalances does not describe the method correctly (it may be a copy, paste & edit error from the proceeding method in the file).
x/coinswap/keeper/pool.go:L69 - // GetPoolBalances return the liquidity pool by the specified anotherCoinDenom + // GetPoolBalances returns the coin balances of the liquidity pool by the specified address
EmitEvent is deprecated in favor of EmitTypedEvent https://pkg.go.dev/github.com/cosmos/cosmos-sdk/types@v0.45.9#EventManager.EmitEvent
x/onboarding/kepper/ibc_callbacks.go:L97-105 ctx.EventManager().EmitEvent( sdk.NewEvent( coinswaptypes.EventTypeSwap, sdk.NewAttribute(coinswaptypes.AttributeValueAmount, swappedAmount.String()), sdk.NewAttribute(coinswaptypes.AttributeValueSender, recipient.String()), sdk.NewAttribute(coinswaptypes.AttributeValueRecipient, recipient.String()), sdk.NewAttribute(coinswaptypes.AttributeValueIsBuyOrder, strconv.FormatBool(true)), sdk.NewAttribute(coinswaptypes.AttributeValueTokenPair, coinswaptypes.GetTokenPairByDenom(transferredCoin.Denom, swapCoins.Denom)), ),
Use EmitTypedEvent
There is no logging on the early return condition of no whitelisted channels found for the detaination channel.
Logging this return condition would provide a data point for observability, suporting system monitoring an issue diagnosis.
x/onboarding/kepper/ibc_callbacks.go:L56 +logger.Error("no whitelist channel found for %s",packet.DestinationChannel)
There is no logging on the early return condition when the recipient account is a module.
Logging this return condition would provide a data point for observability, suporting system monitoring an issue diagnosis.
x/onboarding/kepper/ibc_callbacks.go:L71 +logger.Error("recipient account is a module %s",account.GetAddress())
There is no logging on the early return condition when no ERC20 mapping is found for the denom.
Logging this return condition would provide a data point for observability, suporting system monitoring an issue diagnosis.
x/onboarding/kepper/ibc_callbacks.go:L120 +logger.Error("no ERC20 mapping found for %s",transferredCoin.Denom)
There is no logging on the early return condition when the trading pair is disabled.
Logging this return condition would provide a data point for observability, suporting system monitoring an issue diagnosis.
x/onboarding/kepper/ibc_callbacks.go:L127 +logger.Error("disabled trading pair with id %s",pairID)
The GoDoc for swap:TradeExactInputForOutput contain two parameters are not in the method signature and there are no likely matching candidates, these lines should be deleted as they'll only serve to sow confusion.
swap.go L68-69 @param sender: address of the sender @param receipt: address of the receiver
x/coinswap/keeper/swap.go:L68-69 -@param sender: address of the sender -@param receipt: address of the receiver
The GoDoc for swap:TradeInputForExactOutput contain two parameters are not in the method signature and there are no likely matching candidates, these lines should be deleted as they'll only serve to sow confusion.
swap.go L68-69 @param sender: address of the sender @param receipt: address of the receiver
x/coinswap/keeper/swap.go:L159-160 -@param sender : address of the sender -@param receipt : address of the receiver
#0 - c4-pre-sort
2023-06-24T19:54:36Z
JeffCX marked the issue as high quality report
#1 - tkkwon1998
2023-06-28T18:00:12Z
Really nice QA report
#2 - c4-sponsor
2023-06-28T18:00:29Z
tkkwon1998 marked the issue as sponsor confirmed
#3 - c4-judge
2023-07-02T00:50:34Z
0xean marked the issue as grade-a
#4 - c4-judge
2023-07-03T21:13:15Z
0xean marked the issue as selected for report
#5 - 0xean
2023-07-05T15:41:25Z
QA (Quality Assurance) Includes both Non-critical (code style, clarity, syntax, versioning, off-chain monitoring (events, etc) and Low risk (e.g. assets are not at risk: state handling, function incorrect as to spec, issues with comments). Excludes Gas optimizations, which are submitted and judged separately.
Based off the above from the c4 docs - I believe the following severities should be modified.
L-1 - NC L-4 - NC L-5 - NC L-6 - NC L-7 - NC L-8 - NC