Omniscia WagmiDAO Audit

WagmiAutoStake Manual Review Findings

WAS-01M: Inexistent Validation of Previous Status

Description:

The whitelistProxy and dewhitelistProxy functions do not validate the previous status of the proxy in question, rendering the state transitions prone to corruption in case of a block-reorganization or incorrect transaction ordering.

Example:

WagmiAutoStake.sol
function whitelistProxy(address _proxy) external onlyOwner {
    require(_proxy != address(0), 'zero address');
    // Assigned unconditionally: the previous status of _proxy is not checked.
    whitelistedProxies[_proxy] = true;
    emit WhitelistedProxy(_proxy);
}

function dewhitelistProxy(address _proxy) external onlyOwner {
    require(_proxy != address(0), 'zero address');
    // Assigned unconditionally: the previous status of _proxy is not checked.
    whitelistedProxies[_proxy] = false;
    emit DewhitelistedProxy(_proxy);
}

Recommendation:

We advise a require check to be introduced validating the previously set status of a proxy to ensure sane state transitions.

Alleviation:

A require check was introduced ensuring that the state transition of a whitelist status is properly validated to only change rather than be re-assigned to the same value.
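
A sketch of the kind of check recommended above, added here as an illustration; it is not the WagmiAutoStake source nor the fix the team deployed. The contract name, the owner handling, the indexed event parameters and the revert strings are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch only: contract name, owner handling, event layout and
// revert strings are assumptions, not the audited code or its actual fix.
contract ProxyWhitelistSketch {
    address public immutable owner;
    mapping(address => bool) public whitelistedProxies;

    event WhitelistedProxy(address indexed proxy);
    event DewhitelistedProxy(address indexed proxy);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function whitelistProxy(address _proxy) external onlyOwner {
        require(_proxy != address(0), "zero address");
        // Previous status must be "not whitelisted"; a repeat call reverts.
        require(!whitelistedProxies[_proxy], "already whitelisted");
        whitelistedProxies[_proxy] = true;
        emit WhitelistedProxy(_proxy);
    }

    function dewhitelistProxy(address _proxy) external onlyOwner {
        require(_proxy != address(0), "zero address");
        // Previous status must be "whitelisted"; a call that lands before
        // its matching whitelistProxy reverts instead of silently passing.
        require(whitelistedProxies[_proxy], "not whitelisted");
        whitelistedProxies[_proxy] = false;
        emit DewhitelistedProxy(_proxy);
    }
}
```

With these checks a misordered or repeated call reverts, so no event is emitted without a matching state change and the owner sees the failed transaction.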

WAS-02M: Usage of Deprecated Function

Description:

The safeApprove implementation has been deprecated and can cause complications in complex deployment systems, such as create2 ones that can deploy under the same address.

Example:

WagmiAutoStake.sol
constructor(
    IERC20 _wagmi,
    IWagmiEarn _wagmiEarn,
    uint256 _stakingPid,
    address _treasury
) {
    wagmi = _wagmi;
    wagmiEarn = _wagmiEarn;
    stakingPid = _stakingPid;
    treasury = _treasury;

    // Flagged call: deprecated safeApprove used to grant the maximum allowance.
    IERC20(_wagmi).safeApprove(address(_wagmiEarn), type(uint256).max);
}

Recommendation:

We advise the usage of approve directly as the maximum value of uint256 is set as the approval of the contract.

Alleviation:

The usage of safeApprove was properly substituted with the standard approve function.