Omniscia WagmiDAO Audit
WagmiBond Manual Review Findings
WBD-01M: Improper Ratio Precision Validation
Type | Severity | Location |
---|---|---|
Input Sanitization | Minor | WagmiBond.sol:L489, L497 |
Description:
The linked `require` checks improperly validate the value of `_ratioPrecision`, as it should at all times be greater-than-or-equal-to (`>=`) the `wagmiPerPrincipal` value.
Example:
```solidity
493 function setRatio(uint256 _wagmiPerPrincipal, uint256 _ratioPrecision) external onlyOwner {
494     emit RatioChanged(wagmiPerPrincipal, _wagmiPerPrincipal, ratioPrecision, _ratioPrecision);
495     require(_wagmiPerPrincipal != 0, 'ratio cant be zero');
496     wagmiPerPrincipal = _wagmiPerPrincipal;
497     require(_ratioPrecision != 0, 'precision cant be zero');
498     ratioPrecision = _ratioPrecision;
499 }
500
501 function addWagmiToPay(uint256 amount) external {
502     IERC20(wagmi).safeTransferFrom(msg.sender, address(this), amount);
503     wagmiAvailableToPay += amount;
504
505     emit WagmiAdded(amount);
506 }
507
508 function deposit(uint256 amount) external returns (uint256) {
509     uint256 payout;
510     if(wagmiPerPrincipal != 0)
511         payout = amount * wagmiPerPrincipal / ratioPrecision;
```
Recommendation:
We advise this to be enforced by adjusting the linked `require` statements to apply such validation.
Alleviation:
The `_ratioPrecision` value is now properly sanitized according to our recommendation.
WBD-02M: Improper Vesting Block Management
Type | Severity | Location |
---|---|---|
Input Sanitization | Minor | WagmiBond.sol:L485, L486 |
Description:
The value of `vestingBlocks` should be adjustable, as its mutability indicates, and should also remain above a particular threshold at all times to ensure a minimum duration passes between a bond's creation and its maturity, preventing arbitrage opportunities from manifesting.
Example:
```solidity
455 uint256 public vestingBlocks;
456 uint256 public wagmiPerPrincipal;
457 uint256 public ratioPrecision;
458
459 struct UserInfo {
460     uint256 remainingPayout;
461     uint256 remainingVestingBlocks;
462     uint256 lastInteractionBlock;
463 }
464 mapping(address => UserInfo) public userInfo;
465
466 event WagmiAdded(uint256 amount);
467 event Deposit(address indexed user, uint256 amount, uint256 payout);
468 event Claim(address indexed user, uint256 payout, bool staked);
469 event RatioChanged(uint256 oldWagmiPerPrincipal, uint256 newWagmiPerPrincipal, uint256 oldRatioPrecision, uint256 newRatioPrecision);
470
471 constructor (
472     address _wagmi,
473     address _principal,
474     address _treasury,
475     address _staking,
476     uint256 _vestingBlocks,
477     uint256 _wagmiPerPrincipal,
478     uint256 _ratioPrecision
479 ) {
480     require(_wagmi != address(0) && _principal != address(0) && _treasury != address(0) && _staking != address(0), 'zero address');
481     wagmi = _wagmi;
482     principal = _principal;
483     treasury = _treasury;
484     staking = _staking;
485     require(_vestingBlocks > 0, 'zero vesting');
486     vestingBlocks = _vestingBlocks;
487     require(_wagmiPerPrincipal != 0, 'ratio cant be zero');
488     wagmiPerPrincipal = _wagmiPerPrincipal;
489     require(_ratioPrecision != 0, 'precision cant be zero');
490     ratioPrecision = _ratioPrecision;
491 }
```
Recommendation:
We advise a setter function to be created for the variable, and an additional sanitization step based on a contract-level constant to be applied to both the constructor and the setter, ensuring arbitrage opportunities cannot be created by misconfiguration of the contract.
Alleviation:
The WagmiDAO team opted to retain the current behaviour in place as it conforms with their design specifications.
WBD-03M: Usage of Deprecated Function
Type | Severity | Location |
---|---|---|
Standard Conformity | Minor | WagmiBond.sol:L555 |
Description:
The `safeApprove` implementation has been deprecated and can cause complications in complex deployment systems, such as `create2`-based ones that can deploy under the same address.
Example:
```solidity
554 if(autoStake) {
555     IERC20(wagmi).safeApprove(staking, payout);
556     IAutoStake(staking).deposit(msg.sender, payout);
557 } else {
```
Recommendation:
We advise either the usage of `safeIncreaseAllowance` or `approve` directly, as the approval is immediately consumed after being set.
Alleviation:
The usage of `safeApprove` was properly substituted with the standard `approve` function.