Organization
- @Infrared-Finance
Engagement Type
Spearbit Web3
Period
-
Repositories
N/A
Findings
Informational
2 findings
2 fixed
0 acknowledged
Minor improvements to code and comments
Severity: Informational
Submitted by: MiloTruck
Context: See below.
Description/Recommendation:
- InfraredV1_5.sol#L7-L9 - The Errors and UUPSUpgradeable imports are unused and can be removed.
- RewardsLib.sol#L434 - Typo, "infarred" -> "Infrared"
- RewardsLib.sol#L146 - Typo, recepient should be recipient.
Recommendation: Fixed in commit e786416.
Cantina: Verified.
InfraredV1_5.claimExternalVaultRewards() allows anyone to claim rewards on a user's behalf
Severity: Informational
Submitted by: MiloTruck
Context: InfraredV1_5.sol#L23-L26
Description:
InfraredV1_5.claimExternalVaultRewards() does not perform any access control checks on msg.sender. This allows anyone to claim BGT rewards on behalf of any user, as long as that user has set the InfraredV1_5 contract as its operator in a vault.

While this does not cause any issues as the iBGT rewards claimed are still sent to the user, it exposes unnecessary risk to the contract.

Recommendation:
Consider including access control in claimExternalVaultRewards(). For example, only allow the function to be called by the protocol's keeper through the onlyKeeper modifier, which would be consistent with reward functionality in previous versions (e.g. claimBGTIncentives() in InfraredV1_4).

Recommendation: Fixed in commit 69019f8.
Cantina: Verified.
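The access-control pattern recommended above, as an added sketch that is not the InfraredV1_5 source or the code from the fix commit. Only the names claimExternalVaultRewards and onlyKeeper come from the finding; the IVaultLike interface, the function parameters, the keeper storage and the direct payout to the user are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical vault interface (assumption): the vault lets the operator that
// `user` has set claim that user's rewards and send them to `recipient`.
interface IVaultLike {
    function getReward(address user, address recipient) external returns (uint256);
}

// Simplified stand-in for a contract that users set as their vault operator.
contract ClaimSketch {
    address public immutable keeper;

    event RewardsClaimed(address indexed vault, address indexed user, uint256 amount);
    error NotKeeper(address caller);

    constructor(address keeper_) {
        keeper = keeper_;
    }

    modifier onlyKeeper() {
        if (msg.sender != keeper) revert NotKeeper(msg.sender);
        _;
    }

    // Before: no check on msg.sender. Any account can trigger a claim for any
    // `user` that has set this contract as its operator in `vault`.
    function claimExternalVaultRewardsOpen(address vault, address user) external returns (uint256) {
        return _claim(vault, user);
    }

    // After: identical logic, but only the keeper decides when a claim runs.
    function claimExternalVaultRewards(address vault, address user)
        external
        onlyKeeper
        returns (uint256)
    {
        return _claim(vault, user);
    }

    // Rewards always go to `user`, never to msg.sender, which is why the open
    // variant is low risk; the modifier removes the third-party trigger.
    // Simplification (assumption): rewards are paid to the user directly.
    function _claim(address vault, address user) internal returns (uint256 claimed) {
        claimed = IVaultLike(vault).getReward(user, user);
        emit RewardsClaimed(vault, user, claimed);
    }
}
```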