## Medium severity issues
### M01. Double accounting of the balance
##### Description
In the **GMDStrategy** and **GNSStrategy** contracts, the `_withdrawSome` function considers the balance of `want` tokens when calculating the amount of tokens to withdraw from the position: it subtracts the `want` balance from the amount to unstake. However, the following functions subtract the `want` token balance a second time:
- The `liquidatePosition` function passes the `_amountNeeded - _wantBal` value to the `_withdrawSome` function. As a result, a user will lose the amount of tokens equal to the balance of `want` tokens on the contract. Also, the call will revert if the `_amountNeeded` value is less than . Note that the user might not lose tokens if they pass the correct parameter to the withdraw function of the vault contract;
- The `prepareReturn` function subtracts the balance of `want` from the value passed to the `_withdrawSome` function.
#### Status : Fixed
#### Comment :
https://github.com/locus-finance/Vaults/pull/86
### M02. Possible underflow
##### Description
In **GMDStrategy** and **GNSStrategy** contracts, the expression `_amountNeeded - balanceOfWant()` in the `_withdrawSome` function might underflow if the returned value of the `balanceOfWant()` function is greater than the `_amountNeeded` value. Note that the balance could also become greater than the `_amountNeeded` after the `_sellRewards()` function is called.
#### Status : Fixed
#### Comment :
https://github.com/locus-finance/Vaults/pull/86
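
The arithmetic behind M01 and M02, as an added Python model that is neither the project's Solidity code nor the fix from the pull request. It assumes checked arithmetic that reverts on underflow and that `liquidatePosition` reports a (liquidated, loss) pair; `StrategyModel`, `run`, the `hardened` flag and all amounts are constructed for illustration.

```python
class Revert(Exception):
    """Models a transaction revert caused by checked uint256 arithmetic."""

def checked_sub(a: int, b: int) -> int:
    if b > a:
        raise Revert("arithmetic underflow")
    return a - b

class StrategyModel:
    """Constructed stand-in for the accounting described in M01 and M02."""

    def __init__(self, want_balance: int, staked: int, hardened: bool):
        self.want = want_balance    # liquid `want` held by the strategy
        self.staked = staked        # `want` locked in the position
        self.hardened = hardened    # False: behaviour described in the findings

    def withdraw_some(self, amount_needed: int) -> None:
        if self.hardened and self.want >= amount_needed:
            return                  # M02 guard: balance already covers the request
        # The balance is accounted for here, so callers must pass the full amount.
        to_unstake = min(checked_sub(amount_needed, self.want), self.staked)
        self.staked -= to_unstake
        self.want += to_unstake

    def liquidate_position(self, amount_needed: int):
        """Return (liquidated, loss); the return shape is an assumption."""
        if self.hardened:
            self.withdraw_some(amount_needed)   # balance subtracted once
        else:
            # M01: balance subtracted here and again inside withdraw_some.
            self.withdraw_some(checked_sub(amount_needed, self.want))
        liquidated = min(self.want, amount_needed)
        return liquidated, amount_needed - liquidated

def run(want: int, staked: int, needed: int, hardened: bool):
    """Return (liquidated, loss), or the string 'revert' on underflow."""
    try:
        return StrategyModel(want, staked, hardened).liquidate_position(needed)
    except Revert:
        return "revert"

if __name__ == "__main__":
    for needed in (100, 50, 20):    # constructed inputs: 30 liquid, 200 staked
        print(needed, run(30, 200, needed, False), run(30, 200, needed, True))
```

With 30 `want` liquid, a request for 100 in the unhardened model liquidates only 70 and reports a loss of 30, which is exactly the liquid balance; requests for 50 and 20 revert in `withdraw_some` and `liquidate_position` respectively.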
## Low severity issues
### L01. Gas consumption
##### Description
The **GMXStrategy** and **JOEStrategy** contracts perform consecutive calls to the `decimals` function of the token contract (directly and in `Utils.scaleDecimals()`) for every token conversion. We recommend hardcoding these values in the project or storing them as immutable variables to optimize gas consumption.
#### Status : Acknowledged
#### Comment :
### L02. Incorrect argument usage
##### Description
In the **GMDStrategy** contract, consider replacing the `address(want)` argument with WETH at lines 180 and 194.
#### Status : Fixed
#### Comment :
https://github.com/locus-finance/Vaults/pull/87
### L03. Unused return value
##### Description
In all strategies of the project, the returned value of the ERC20 `approve` function is never used.
#### Status : Fixed
#### Comment :
`40edc999313fedfbb6ed1e8ae32786e9d957019a`
### L04. Gas usage (commented)
##### Description
In the `adjustPosition` function, the strategies perform a check to determine that the balance of `want` tokens is sufficient to cover `debtOutstanding` before doing any swaps of `want` tokens. However, if there is an insufficient balance to cover the `debtOutstanding`, it implies that no `want` will be swapped, and hence no tokens could be deposited. As a result, it is possible to return from the function in case of insufficient balance to save gas on external balance check calls.
#### Status : Acknowledged
#### Comment :
If no `want` tokens were swapped, it is still possible that there are other tokens that could be used for opening a position. Therefore, we prefer not to return from the function even in the case when `want` balance is not enough to cover `debtOutstanding`. Balance checks on other tokens should be made first to ensure the correct investment flow of a strategy.
## Notes
### N01. Depeg of stablecoins
##### Description
In the **JOEStrategy** contract, the price of the `USDC` token is assumed to be 1 USD, which could be wrong in the case of a `USDC` depeg.
#### Status : Acknowledged
#### Comment :
### N02. Strategist reward that cannot be withdrawn (addressed)
##### Description
The `harvest` function calls `vault.report`, which calls the `_assessFees` function, in which vault shares are sent to the strategy as a reward. They should generally belong to the owner of the strategy. However, the strategist will not be able to withdraw these tokens, and they get stuck in the strategy since there is no functionality to withdraw shares from the strategy.
#### Status : Acknowledged
#### Comment :
The concept of Locus Finance does not imply the ownership of a strategy by an outside actor like a strategist. So the strategist’s reward will always be zero and will not be transferred to the strategy contract.
#### Commits
Audit Commit `86b37d91bd0b6d1613f13c668eeccab068080096`
Final Commit `e2bd6811d1f875f66fa7f6d414c380fbec6f40e3`