Merge pull request #36 from RedDuck-Software/fix/audit-fixes

Fix/audit fixes
RedDuck-Software · Jan 9, 2024 · 2004f60 · 2004f60
2 parents eea1ee9 + 05a89d0
commit 2004f60
Show file tree

Hide file tree

Showing 28 changed files with 2,723 additions and 106 deletions.
diff --git a/.solhint.json b/.solhint.json
@@ -12,6 +12,7 @@
     "modifier-name-mixedcase": "error",
     "private-vars-leading-underscore": "error",
     "var-name-mixedcase": "error",
-    "imports-on-top": "error"
+    "imports-on-top": "error",
+    "no-empty-blocks": "off"
   }
 }
diff --git a/config/constants/addresses.ts b/config/constants/addresses.ts
@@ -46,6 +46,7 @@ export const midasAddressesPerNetwork: ConfigPerNetwork<
 };
 
 export const getCurrentAddresses = (hre: HardhatRuntimeEnvironment) => {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   return (midasAddressesPerNetwork as any)[hre.network.name] as
     | MidasAddresses
     | undefined;

diff --git a/contracts/DepositVault.sol b/contracts/DepositVault.sol
@@ -74,6 +74,8 @@ contract DepositVault is ManageableVault, IDepositVault {
         uint256 _minAmountToDepositInEuro,
         address _usdReceiver
     ) external initializer {
+        require(_eurUsdDataFeed != address(0), "zero address");
+
         __ManageableVault_init(_ac, _mTBILL, _usdReceiver);
         minAmountToDepositInEuro = _minAmountToDepositInEuro;
         eurUsdDataFeed = IDataFeed(_eurUsdDataFeed);
@@ -83,6 +85,8 @@ contract DepositVault is ManageableVault, IDepositVault {
      * @inheritdoc IDepositVault
      * @dev transfers `tokenIn` from `msg.sender`
      * to `tokensReceiver`
+     * @param tokenIn address of token to deposit.
+     * @param amountUsdIn amount of token to deposit in 10**18 decimals.
      */
     function deposit(address tokenIn, uint256 amountUsdIn)
         external

diff --git a/contracts/abstract/ManageableVault.sol b/contracts/abstract/ManageableVault.sol
@@ -71,6 +71,9 @@ abstract contract ManageableVault is Greenlistable, Pausable, IManageableVault {
         address _mTBILL,
         address _tokensReceiver
     ) internal onlyInitializing {
+        require(_mTBILL != address(0), "zero address");
+        require(_tokensReceiver != address(0), "zero address");
+
         mTBILL = IMTbill(_mTBILL);
         __Greenlistable_init(_ac);
         __Pausable_init(_ac);

diff --git a/contracts/access/MidasAccessControl.sol b/contracts/access/MidasAccessControl.sol
@@ -33,11 +33,12 @@ contract MidasAccessControl is
      */
     function grantRoleMult(bytes32[] memory roles, address[] memory addresses)
         external
-        onlyRole(DEFAULT_ADMIN_ROLE)
     {
         require(roles.length == addresses.length, "MAC: mismatch arrays");
+        address sender = msg.sender;
 
         for (uint256 i = 0; i < roles.length; i++) {
+            _checkRole(getRoleAdmin(roles[i]), sender);
             _grantRole(roles[i], addresses[i]);
         }
     }
@@ -51,11 +52,12 @@ contract MidasAccessControl is
      */
     function revokeRoleMult(bytes32[] memory roles, address[] memory addresses)
         external
-        onlyRole(DEFAULT_ADMIN_ROLE)
     {
         require(roles.length == addresses.length, "MAC: mismatch arrays");
+        address sender = msg.sender;
 
         for (uint256 i = 0; i < roles.length; i++) {
+            _checkRole(getRoleAdmin(roles[i]), sender);
             _revokeRole(roles[i], addresses[i]);
         }
     }

diff --git a/contracts/access/Pausable.sol b/contracts/access/Pausable.sol
@@ -24,6 +24,7 @@ abstract contract Pausable is WithMidasAccessControl, PausableUpgradeable {
      * @dev upgradeable pattern contract`s initializer
      * @param _accessControl MidasAccessControl contract address
      */
+    // solhint-disable-next-line func-name-mixedcase
     function __Pausable_init(address _accessControl) internal onlyInitializing {
         __WithMidasAccessControl_init(_accessControl);
     }

diff --git a/contracts/access/WithMidasAccessControl.sol b/contracts/access/WithMidasAccessControl.sol
@@ -47,6 +47,7 @@ abstract contract WithMidasAccessControl is
         internal
         onlyInitializing
     {
+        require(_accessControl != address(0), "zero address");
         accessControl = MidasAccessControl(_accessControl);
     }
 

diff --git a/contracts/feeds/DataFeed.sol b/contracts/feeds/DataFeed.sol
@@ -21,6 +21,11 @@ contract DataFeed is WithMidasAccessControl, IDataFeed {
      */
     AggregatorV3Interface public aggregator;
 
+    /**
+     * @dev healty difference between `block.timestamp` and `updatedAt` timestamps
+     */
+    uint256 private constant _HEALTHY_DIFF = 1 days;
+
     /**
      * @inheritdoc IDataFeed
      */
@@ -60,7 +65,14 @@ contract DataFeed is WithMidasAccessControl, IDataFeed {
         returns (uint80 roundId, uint256 answer)
     {
         uint8 decimals = aggregator.decimals();
-        (uint80 _roundId, int256 _answer, , , ) = aggregator.latestRoundData();
+        (uint80 _roundId, int256 _answer, , uint256 updatedAt, ) = aggregator
+            .latestRoundData();
+        require(_answer > 0, "DF: feed is deprecated");
+        require(
+            // solhint-disable-next-line not-rely-on-time
+            block.timestamp - updatedAt <= _HEALTHY_DIFF,
+            "DF: feed is unhealthy"
+        );
         roundId = _roundId;
         answer = uint256(_answer).convertToBase18(decimals);
     }

diff --git a/contracts/mTBILL.sol b/contracts/mTBILL.sol
@@ -12,17 +12,6 @@ import "./access/Blacklistable.sol";
  */
 //solhint-disable contract-name-camelcase
 contract mTBILL is ERC20PausableUpgradeable, Blacklistable, IMTbill {
-    /**
-     * @notice default terms url metadata encoded key
-     */
-    bytes32 public constant TERMS_URL_METADATA_KEY = keccak256("urls.terms");
-
-    /**
-     * @notice default encoded key for description url metadata
-     */
-    bytes32 public constant DESCRIPTION_URL_METADATA_KEY =
-        keccak256("urls.description");
-
     /**
      * @notice metadata key => metadata value
      */

diff --git a/contracts/mocks/AggregatorV3DeprecatedMock.sol b/contracts/mocks/AggregatorV3DeprecatedMock.sol
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.9;
+
+import "@openzeppelin/contracts-upgradeable/token/ERC20/extensions/ERC20PausableUpgradeable.sol";
+import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";
+
+import "../access/WithMidasAccessControl.sol";
+import "../libraries/DecimalsCorrectionLibrary.sol";
+import "../interfaces/IDataFeed.sol";
+
+contract AggregatorV3DeprecatedMock is AggregatorV3Interface {
+    int256 private _latestRoundData;
+    uint80 private _latestRoundId;
+
+    function decimals() external view returns (uint8) {
+        return 8;
+    }
+
+    function description() external view returns (string memory) {}
+
+    function version() external view returns (uint256) {}
+
+    function setRoundData(int256 _data) external {
+        _latestRoundData = _data;
+        _latestRoundId++;
+    }
+
+    function getRoundData(uint80 _roundId)
+        external
+        view
+        returns (
+            uint80 roundId,
+            int256 answer,
+            uint256 startedAt,
+            uint256 updatedAt,
+            uint80 answeredInRound
+        )
+    {}
+
+    function latestRoundData()
+        external
+        view
+        returns (
+            uint80 roundId,
+            int256 answer,
+            uint256 startedAt,
+            uint256 updatedAt,
+            uint80 answeredInRound
+        )
+    {
+        // solhint-disable-next-line not-rely-on-time
+        return (_latestRoundId, -1, 0, block.timestamp, 0);
+    }
+}
diff --git a/contracts/mocks/AggregatorV3Mock.sol b/contracts/mocks/AggregatorV3Mock.sol
@@ -9,8 +9,8 @@ import "../libraries/DecimalsCorrectionLibrary.sol";
 import "../interfaces/IDataFeed.sol";
 
 contract AggregatorV3Mock is AggregatorV3Interface {
-    int256 _latestRoundData;
-    uint80 _latestRoundId;
+    int256 private _latestRoundData;
+    uint80 private _latestRoundId;
 
     function decimals() external view returns (uint8) {
         return 8;
@@ -48,6 +48,7 @@ contract AggregatorV3Mock is AggregatorV3Interface {
             uint80 answeredInRound
         )
     {
-        return (_latestRoundId, _latestRoundData, 0, 0, 0);
+        // solhint-disable-next-line not-rely-on-time
+        return (_latestRoundId, _latestRoundData, 0, block.timestamp, 0);
     }
 }
diff --git a/contracts/mocks/AggregatorV3UnhealthyMock.sol b/contracts/mocks/AggregatorV3UnhealthyMock.sol
@@ -0,0 +1,60 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.9;
+
+import "@openzeppelin/contracts-upgradeable/token/ERC20/extensions/ERC20PausableUpgradeable.sol";
+import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";
+
+import "../access/WithMidasAccessControl.sol";
+import "../libraries/DecimalsCorrectionLibrary.sol";
+import "../interfaces/IDataFeed.sol";
+
+contract AggregatorV3UnhealthyMock is AggregatorV3Interface {
+    int256 private _latestRoundData;
+    uint80 private _latestRoundId;
+
+    function decimals() external view returns (uint8) {
+        return 8;
+    }
+
+    function description() external view returns (string memory) {}
+
+    function version() external view returns (uint256) {}
+
+    function setRoundData(int256 _data) external {
+        _latestRoundData = _data;
+        _latestRoundId++;
+    }
+
+    function getRoundData(uint80 _roundId)
+        external
+        view
+        returns (
+            uint80 roundId,
+            int256 answer,
+            uint256 startedAt,
+            uint256 updatedAt,
+            uint80 answeredInRound
+        )
+    {}
+
+    function latestRoundData()
+        external
+        view
+        returns (
+            uint80 roundId,
+            int256 answer,
+            uint256 startedAt,
+            uint256 updatedAt,
+            uint80 answeredInRound
+        )
+    {
+        return (
+            _latestRoundId,
+            _latestRoundData,
+            0,
+            // solhint-disable-next-line not-rely-on-time
+            block.timestamp - 2 days,
+            0
+        );
+    }
+}