Omniscia Sovryn Audit
Masset Static Analysis Findings
MAS-01S: Improper ERC-20 Transfers
| Type | Severity | Location |
|---|---|---|
| Standard Conformity | Minor | Masset.sol:L149, L217 |
Description:
The transferFrom and transfer invocations in the linked lines are performed improperly, as they do not validate the boolean return value these calls are meant to yield.
Example:
```solidity
// Masset.sol:L149
IERC20(_basset).transferFrom(msg.sender, address(this), _bassetQuantity);
```
Recommendation:
As not all ERC-20 tokens conform to the ERC-20 standard properly, we advise the usage of OpenZeppelin's SafeERC20
implementation that opportunistically evaluates the return value of the invocations to ensure that the transfers are performed sanely.
Alleviation:
The development team has acknowledged this exhibit but decided to not apply its remediation in the current version of the codebase.
MAS-02S: Inapplicacy of Checks-Effects-Interactions
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Minor | Masset.sol:L209-L220 |
Description:
The _redeemTo function performs an outward transfer of tokens before burning the necessary _massetQuantity from msg.sender.
Example:
```solidity
// Masset.sol:L209-L220
if(bridgeFlag) {
    address bridgeAddress = basketManager.getBridge(_basset);
    require(bridgeAddress != address(0), "invalid bridge");
    IERC20(_basset).approve(bridgeAddress, bassetQuantity);
    require(
        IBridge(bridgeAddress).receiveTokensAt(_basset, bassetQuantity, _recipient, bytes("")),
        "call to bridge failed");
} else {
    IERC20(_basset).transfer(_recipient, bassetQuantity);
}

token.burn(msg.sender, _massetQuantity);
```
Recommendation:
We advise reversing the order of actions so that _massetQuantity is burned before bassetQuantity is transferred, conforming to the Checks-Effects-Interactions security pattern, given that a re-entrancy condition can otherwise materialize.
Alleviation:
The development team has acknowledged this exhibit but decided to not apply its remediation in the current version of the codebase.
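The following is an added illustration of both recommendations (MAS-01S and MAS-02S) applied together; it is not the audited Masset.sol code nor a fix shipped by the development team. It uses OpenZeppelin's SafeERC20 for the bAsset transfers and burns the masset before any outward transfer; the IBridge, IBasketManager and IMassetToken interfaces are assumed minimal shapes derived from the calls visible in the excerpts above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed minimal interfaces, shaped after the calls visible in the excerpts above.
interface IBridge {
    function receiveTokensAt(address token, uint256 amount, address to, bytes calldata data) external returns (bool);
}
interface IBasketManager {
    function getBridge(address basset) external view returns (address);
}
interface IMassetToken {
    function burn(address from, uint256 amount) external;
}

contract MassetRedeemHardened {
    using SafeERC20 for IERC20;
    IBasketManager public immutable basketManager;
    IMassetToken public immutable token;
    constructor(IBasketManager _basketManager, IMassetToken _token) {
        basketManager = _basketManager;
        token = _token;
    }
    // MAS-01S: safeTransferFrom reverts on a false return value and also accepts
    // tokens that return no value at all, so a silently failed pull cannot go unnoticed.
    function _pullBasset(address _basset, uint256 _bassetQuantity) internal {
        IERC20(_basset).safeTransferFrom(msg.sender, address(this), _bassetQuantity);
    }
    // MAS-02S: burn (effect) before the outward transfer (interaction), so any
    // re-entrant call from the bridge or the bAsset already sees the reduced balance.
    function _redeemTo(address _basset, uint256 bassetQuantity, uint256 _massetQuantity,
                       address _recipient, bool bridgeFlag) internal {
        token.burn(msg.sender, _massetQuantity); // effect first

        if (bridgeFlag) {
            address bridgeAddress = basketManager.getBridge(_basset);
            require(bridgeAddress != address(0), "invalid bridge");
            // safeIncreaseAllowance is available in OpenZeppelin 4.x and 5.x (safeApprove is not in 5.x)
            IERC20(_basset).safeIncreaseAllowance(bridgeAddress, bassetQuantity);
            require(
                IBridge(bridgeAddress).receiveTokensAt(_basset, bassetQuantity, _recipient, bytes("")),
                "call to bridge failed"
            );
        } else {
            IERC20(_basset).safeTransfer(_recipient, bassetQuantity); // reverts on failure
        }
    }
}
```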