QuantStamp Audit: QSP-2 - Treasury and its setter #154

Closed
ongrid opened this issue Nov 18, 2020 · 1 comment · Fixed by #233
ongrid commented Nov 18, 2020

QuantStamp security assessment of v0.1.0-rc.1 raised the following security issue:

Issue: QSP-2

Short Descr.: Unresolved TODOs in code
Severity: Low Risk
Files affected: DePool.sol

Description

On L351, there is the comment: `// TODO a separate vault`. As of now, the function `getInsuranceFund` returns the same address as `getTreasury`.

Further, the treasury address is not part of the initialization and there is currently no way to update it. A setter function should be introduced for the treasury address. Similarly, the insurance fund address is not part of the initialization and there is currently no way to update it. A setter function should be introduced for the insurance fund address.

Steps to mitigate

  • Add treasury addresses setter and corresponding docs and initializers
  • Analyze the codebase for presence of //Todo, fixme and other IDE tags
@ongrid ongrid added the documentation and polishing labels Nov 18, 2020
@ongrid ongrid added this to the RC3 milestone Nov 18, 2020
@ongrid ongrid self-assigned this Nov 18, 2020
@ongrid ongrid changed the title from "QuantStamp Audit: QSP-2 - Unresolved TODOs in code" to "QuantStamp Audit: QSP-2 - Treasury and its setter" Nov 30, 2020
@skozin skozin linked a pull request Dec 7, 2020 that will close this issue
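
The second mitigation step in the issue above (scanning the codebase for TODO/FIXME tags) can be automated as a pre-release check. The script below is an added example, not part of the original issue or the project's code; the tag list and the `SAMPLE` contract are constructed for illustration. It reports tags only when they occur inside comments, so a string literal that happens to contain `// TODO` is not flagged.

```python
import re

# Assumed tag list; extend it to match the IDE tags your team uses.
TAG_RE = re.compile(r"\b(TODO|FIXME|XXX|HACK)\b", re.IGNORECASE)

# Tokenizer: string literals are matched first so comment markers inside
# them are consumed and never reported as comments.
TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"'            # double-quoted string literal
    r"|'(?:\\.|[^'\\\n])*'"           # single-quoted string literal
    r"|(?P<line>//[^\n]*)"            # line comment
    r"|(?P<block>/\*.*?(?:\*/|\Z))",  # block comment, closed or unterminated
    re.DOTALL,
)

def find_tags(source):
    """Return (line_number, TAG, comment_text) for each tag found in a comment."""
    findings = []
    for m in TOKEN_RE.finditer(source):
        comment = m.group("line") or m.group("block")
        if comment is None:
            continue  # matched a string literal, not a comment
        first_line = source.count("\n", 0, m.start()) + 1
        for offset, text in enumerate(comment.split("\n")):
            for tag in TAG_RE.finditer(text):
                findings.append((first_line + offset, tag.group(1).upper(), text.strip()))
    return findings

# Constructed sample, not the project's DePool.sol.
SAMPLE = '''\
contract Example {
    string constant NOTE = "// TODO inside a string is not a comment";

    function getInsuranceFund() public view returns (address) {
        // TODO a separate vault
        return getTreasury();
    }

    /* Multi-line block:
       fixme: no setter for the treasury address */
    function getTreasury() public view returns (address) {
        return treasury; // todolist is not a tag
    }
}
'''

if __name__ == "__main__":
    for line_no, tag, text in find_tags(SAMPLE):
        print(f"line {line_no}: {tag}: {text}")
```
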
ujenjt commented Dec 15, 2020

Fixed in #233

@ujenjt ujenjt closed this as completed Dec 15, 2020
tamtamchik added a commit that referenced this issue Sep 30, 2024