From 36e7067c93aba78d437f19d74c9009cffd6c2192 Mon Sep 17 00:00:00 2001 From: think-in-universe <46699230+think-in-universe@users.noreply.github.com> Date: Thu, 7 Jul 2022 14:34:37 +0800 Subject: [PATCH] audit: auditing comments --- contracts/ref-ve/src/account.rs | 3 +++ contracts/ref-ve/src/storage_impl.rs | 2 ++ 2 files changed, 5 insertions(+) diff --git a/contracts/ref-ve/src/account.rs b/contracts/ref-ve/src/account.rs index e99a990..526798f 100644 --- a/contracts/ref-ve/src/account.rs +++ b/contracts/ref-ve/src/account.rs @@ -30,6 +30,8 @@ pub struct Account { #[serde(skip_serializing)] pub proposals: HashMap, /// Record expired proposal voting info + /// [Audit] Suggestion: proposal history can be queried from TheGraph if proposal events are emitted, + /// so not necessary to save in contract state which introduces extra storage cost #[serde(skip_serializing)] pub proposals_history: UnorderedMap, #[serde(with = "u128_map_format")] @@ -87,6 +89,7 @@ impl Account { pub fn sub_reward(&mut self, token_id: &AccountId, amount: Balance) { if let Some(prev) = self.rewards.remove(token_id) { require!(amount <= prev, E101_INSUFFICIENT_BALANCE); + // [Audit] Suggestion: better use `remaining` as a variable name let remain = prev - amount; if remain > 0 { self.rewards.insert(token_id.clone(), remain); diff --git a/contracts/ref-ve/src/storage_impl.rs b/contracts/ref-ve/src/storage_impl.rs index b90fa23..509b9df 100644 --- a/contracts/ref-ve/src/storage_impl.rs +++ b/contracts/ref-ve/src/storage_impl.rs @@ -67,6 +67,8 @@ impl StorageManagement for Contract { self.internal_remove_account(&account_id); if account.sponsor_id != env::current_account_id(){ + // [Audit] Risk: If one account locked LPT, and unlocked after a while, he/she can call `storage_unregister` + // to receive storage refund even if he/she didn't run `storage_deposit` before Promise::new(account.sponsor_id).transfer(STORAGE_BALANCE_MIN_BOUND); } true