QA Report #17

Open
howlbot-integration bot opened this issue Nov 4, 2024 · 4 comments
Labels
bug Something isn't working grade-a Q-01 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax selected for report This submission will be included/highlighted in the audit report sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration

howlbot-integration bot commented Nov 4, 2024

See the markdown file with the details of this report here.

@howlbot-integration howlbot-integration bot added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality labels Nov 4, 2024
howlbot-integration bot added a commit that referenced this issue Nov 4, 2024
@af-afk

af-afk commented Nov 7, 2024

[QA-01] Pool still remains disabled after initialization requiring 2-step setup process

We're happy with this behaviour currently. We think it makes sense in the context with how the initial price and costing could be abused.

[QA-02] Missing ownership check in grant_position function allows unauthorized position transfers

Could we have some extra context if this is an issue in its application? It's true that the function behaves like this, but it's privately used in the codebase, and it's our understanding that these callers enforce correct checks.

[QA-03] Zero-liquidity position creation allows for storage exhaustion attack

We recognise that this is potentially an issue, but we don't perceive it as likely to happen in practice. Even with a small amount, someone could create a position, supply some liquidity, remove it, and do all this in the same function, with the only cost a greater gas profile. A better architectural decision would be to move the position ID behaviour onto a per-pool basis, but we don't believe that in practice someone will grief this function to that extent.

[QA-04] Duplicate U256 type imports

We should change this. Thankfully for us this is the same implementation.

[QA-05] mul_mod overflow check only active in debug mode

We would appreciate some evidence under which circumstances this could cause an issue.
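An added illustration of the build-profile dependence behind QA-05; this is not part of the thread above and not the project's code. It assumes a hypothetical `mul_mod` over `u64` written with plain `*`: Rust's debug profile panics on an overflowing product, while the release profile has overflow checks off by default and wraps silently, so the same call returns a wrong value with no error. The checked and widened variants beside it give the same answer in every profile.

```rust
// Added illustration (not the project's code). `mul_mod_plain` is a
// hypothetical stand-in for the function named in the finding; the real
// implementation may differ.

/// Plain `a * b % m`. With `cargo build` (debug profile) an overflowing
/// product panics; with `cargo build --release` overflow checks are off by
/// default, so the product wraps modulo 2^64 and the result is silently wrong.
pub fn mul_mod_plain(a: u64, b: u64, m: u64) -> u64 {
    (a * b) % m
}

/// Models the release-build behaviour deterministically in any profile,
/// so the wrong value can be observed without switching profiles.
pub fn mul_mod_wrapping(a: u64, b: u64, m: u64) -> u64 {
    a.wrapping_mul(b) % m
}

/// Profile-independent: report the overflow (None) instead of wrapping.
pub fn mul_mod_checked(a: u64, b: u64, m: u64) -> Option<u64> {
    a.checked_mul(b).map(|p| p % m)
}

/// Profile-independent and total: widen to u128 so a u64 product cannot
/// overflow, reduce, then narrow (the remainder is below m, so it fits).
pub fn mul_mod_wide(a: u64, b: u64, m: u64) -> u64 {
    ((a as u128 * b as u128) % m as u128) as u64
}

/// `debug_assertions` is set for the debug profile, and overflow checks
/// follow it by default, so this reports which behaviour `mul_mod_plain`
/// has in the current build. Putting `overflow-checks = true` under
/// `[profile.release]` in Cargo.toml keeps the checks on in release too.
pub fn built_with_debug_assertions() -> bool {
    cfg!(debug_assertions)
}

fn main() {
    // Constructed input: the product u64::MAX * 2 does not fit in 64 bits.
    // Correct answer: (2^64 - 1) * 2 mod 7 = 2. Wrapped product 2^64 - 2 mod 7 = 0.
    let (a, b, m) = (u64::MAX, 2u64, 7u64);
    println!("debug_assertions: {}", built_with_debug_assertions());
    println!("wrapping : {}", mul_mod_wrapping(a, b, m)); // 0, wrong
    println!("checked  : {:?}", mul_mod_checked(a, b, m)); // None
    println!("wide     : {}", mul_mod_wide(a, b, m)); // 2, correct
    if !built_with_debug_assertions() {
        // Only safe to call here: in a debug build this would panic instead.
        println!("plain    : {}", mul_mod_plain(a, b, m)); // wraps to 0 in release
    }
}
```

Run it once with `cargo run` and once with `cargo run --release` to see `mul_mod_plain` panic in the first and print the wrapped value in the second; the checked and widened versions are unchanged between the two.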

@alex-ppg

While QA reports are not eligible for rewards on this contest, I believe this QA report is acceptable and thus merits an A rating.

@c4-judge

alex-ppg marked the issue as grade-a

@thebrittfactor thebrittfactor added the selected for report This submission will be included/highlighted in the audit report label Nov 26, 2024
@thebrittfactor

C4 Staff have added the selected for report label in order to assign report IDs, but will also include in the final report for completeness.

@C4-Staff C4-Staff added the Q-01 label Nov 26, 2024