Try   HackMD

Quant Exchange - Halborn Report Response

(HAL-01) Floating Pragma

All the relevant contracts are now fixed to a 0.5.17 version pragma: 3cbe3ad .

(HAL-02) Experimental Features Enabled

As the bug report article states "The 0.5.7 release contains the fixes to all bugs explained in this blog post", and we're now using a fixed 0.5.17 solidity version, which includes fixes for the bug in question.

(HAL-03) Gas Optimization on the Divide Ceil Calculation

We implemented the recommended gas optimization on commit 251440b.

(HAL-04) Lack of Integer Underflow Protection

The missing integer underlow protection on MixinProtocolFees was added on commit bb4257a.

(HAL-05) Lack of Zero Address Check

Missing zero address checks added on commit 9037c9f.

(HAL-06) Usage of assert

The assert clause in MixinSignatureValidator is justified because if the internal _validateHashSignatureTypes function were called with an invalid signature type, that would classify as an internal error.

The assert on MixinWrapperFunctions also checks for an internal error on the return data length for a delegatecall to the Exchange contract itself (which inherits from MixinWrapperFunctions).

(HAL-07) Missing Event Emitting

Missing events on the OrderChecker contract were added on commit a9c92db.

(HAL-08) Lack of Oracle Return Value Check

The missing return value check was added on commit e6f34aa.

(HAL-09) Lack of Oracle Status Check

When calculating fees, the status of the oracle for the underlying asset in question is now checked and it needs to be active: 2fdb31f.

Last changed by 
0xca11.eth
0
321

Read more

Rolla Order Protocol - Halborn Report Response

(HAL-01) LACK OF TRANSFEROWNERSHIP PATTERN Transfer-accept ownership pattern implemented in commit 52ccfde (HAL-02) THE CALLER CAN NOT SPECIFY THRESHOLD TO SPECIFY BOUNDS FOR THE TRADE SUCCEEDING Since the trade is with a counterparty, and there is no scope for the order amount to change since it's submitted by the taker, the order will either fail or succeed depending on the taker amount passed as a parameter. This can be calculated up front without needing to pass in a slippage tolerance or any bounds. In the case of a partial fill, the amount can also be calculated up front. (HAL-03) POSSIBLE ROUNDING ERROR CAN CAUSE TO ADDITIONAL ASSET TAKE OVER Rounding is done to favor the maker. For fees, rounding is done to favor the user. (HAL-04) USE OF ECRECOVER IS SUSCEPTIBLE TO SIGNATURE MALLEABILITY

Feb 25, 2022
Quant Protocol - Halborn Report Response

(HAL-01) Vulnerable TimelockController Contract As recommended by Halborn, we updated the TimelockController contract to use the revised timelock contract from version 3.4.2-solc-0.7 of the OpenZepellin contracts, which included a fix to the vulnerability reported by Halborn. The changes were added at the following commit: 1550fd9. (HAL-02) Misuse of an Oracle We acknowledge and understand the recommendation given by Halborn to check if the latest price data returned by a Chainlink oracle is recent. Still, since that method is only a utility to be used by our app's UI, we decided not to add the suggested checks because we want the UI always to get some price data to display, even if it's a bit stale. In conclusion, the reported issue doesn't affect any critical contract functionality.

Oct 13, 2021
Read more from 0xca11.eth
Published on HackMD