Audit 0.2.1 (ref-finance#38)

* audit fix; * disable instant swap on interface; * near-SDK upgrade to 3.1.0 Co-authored-by: marco_mac <[email protected]>
SigismundSchlomo · Aug 18, 2021 · 3ca2214 · 3ca2214
1 parent 532596b
commit 3ca2214
Show file tree

Hide file tree

Showing 19 changed files with 348 additions and 128 deletions.
diff --git a/ref-exchange/Cargo.toml b/ref-exchange/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "ref-exchange"
-version = "0.2.1"
+version = "1.0.0"
 authors = ["Illia Polosukhin <[email protected]>"]
 edition = "2018"
 publish = false
@@ -9,10 +9,10 @@ publish = false
 crate-type = ["cdylib", "rlib"]
 
 [dependencies]
-near-sdk = { git = "https://github.com/near/near-sdk-rs", rev = "9d99077" }
-near-contract-standards = { git = "https://github.com/near/near-sdk-rs", rev = "9d99077" }
 uint = { version = "0.9.0", default-features = false }
+near-sdk = "3.1.0"
+near-contract-standards = "3.1.0"
 
 [dev-dependencies]
-near-sdk-sim = { git = "https://github.com/near/near-sdk-rs", rev = "9d99077" }
+near-sdk-sim = "3.1.0"
 test-token = { path = "../test-token" }
diff --git a/ref-exchange/build_docker.sh b/ref-exchange/build_docker.sh
@@ -22,7 +22,7 @@ docker create \
 fi
 
 docker start $NAME
-docker exec -it $NAME /bin/bash -c "rustup target add wasm32-unknown-unknown; cargo build --target wasm32-unknown-unknown --release"
+docker exec -it $NAME /bin/bash -c "rustup toolchain install stable-2020-10-08; rustup default stable-2020-10-08; rustup target add wasm32-unknown-unknown; cargo build --target wasm32-unknown-unknown --release"
 
 mkdir -p res
 cp $DIR/../target/wasm32-unknown-unknown/release/ref_exchange.wasm $DIR/../res/ref_exchange_release.wasm

diff --git a/ref-exchange/rust-toolchain b/ref-exchange/rust-toolchain
diff --git a/ref-exchange/src/account_deposit.rs b/ref-exchange/src/account_deposit.rs
@@ -10,8 +10,10 @@ use near_sdk::{assert_one_yocto, env, near_bindgen, AccountId, Balance, PromiseR
 use crate::utils::{ext_self, GAS_FOR_FT_TRANSFER};
 use crate::*;
 
+// [AUDIT_01]
 const MAX_ACCOUNT_LENGTH: u128 = 64;
-const MIN_ACCOUNT_DEPOSIT_LENGTH: u128 = MAX_ACCOUNT_LENGTH + 16 + 4;
+const MAX_ACCOUNT_BYTES: u128 = MAX_ACCOUNT_LENGTH + 4;
+const MIN_ACCOUNT_DEPOSIT_LENGTH: u128 = 1 + MAX_ACCOUNT_BYTES + 16 + 4;
 
 /// Account deposits information and storage cost.
 #[derive(BorshSerialize, BorshDeserialize, Default, Clone)]
@@ -41,15 +43,22 @@ impl Account {
         self.tokens.insert(token.clone(), value - amount);
     }
 
+    // [AUDIT_01]
     /// Returns amount of $NEAR necessary to cover storage used by this data structure.
     pub fn storage_usage(&self) -> Balance {
-        (MIN_ACCOUNT_DEPOSIT_LENGTH + self.tokens.len() as u128 * (MAX_ACCOUNT_LENGTH + 16))
+        (MIN_ACCOUNT_DEPOSIT_LENGTH + self.tokens.len() as u128 * (MAX_ACCOUNT_BYTES + 16))
             * env::storage_byte_cost()
     }
 
     /// Returns how much NEAR is available for storage.
     pub fn storage_available(&self) -> Balance {
-        self.near_amount - self.storage_usage()
+        // [AUDIT_01] avoid math overflow
+        let locked = self.storage_usage();
+        if self.near_amount > locked {
+            self.near_amount - locked
+        } else {
+            0
+        }
     }
 
     /// Asserts there is sufficient amount of $NEAR to cover storage usage.

diff --git a/ref-exchange/src/action.rs b/ref-exchange/src/action.rs
@@ -46,13 +46,15 @@ pub enum ActionResult {
     /// No result.
     None,
     /// Amount of token was received.
-    Amount(Balance),
+    /// [AUDIT_02]
+    Amount(U128),
 }
 
 impl ActionResult {
     pub fn to_amount(self) -> Balance {
         match self {
-            ActionResult::Amount(result) => result,
+            // [AUDIT_02]
+            ActionResult::Amount(result) => result.0,
             _ => env::panic(ERR41_WRONG_ACTION_RESULT.as_bytes()),
         }
     }

diff --git a/ref-exchange/src/errors.rs b/ref-exchange/src/errors.rs
@@ -14,13 +14,17 @@ pub const ERR22_NOT_ENOUGH_TOKENS: &str = "E22: not enough tokens in deposit";
 pub const ERR24_NON_ZERO_TOKEN_BALANCE: &str = "E24: non-zero token balance";
 pub const ERR25_CALLBACK_POST_WITHDRAW_INVALID: &str =
     "E25: expected 1 promise result from withdraw";
-pub const ERR26_ACCESS_KEY_NOT_ALLOWED: &str = "E26: access key not allowed";
+// [AUDIT_05]
+// pub const ERR26_ACCESS_KEY_NOT_ALLOWED: &str = "E26: access key not allowed";
+pub const ERR27_DEPOSIT_NEEDED: &str = 
+    "E27: attach 1yN to swap tokens not in whitelist";
 
 // Liquidity operations.
 
 pub const ERR31_ZERO_AMOUNT: &str = "E31: adding zero amount";
 pub const ERR32_ZERO_SHARES: &str = "E32: minting zero shares";
-
+// [AUDIT_07]
+pub const ERR33_TRANSFER_TO_SELF: &str = "E33: transfer to self";
 // Action result.
 
 pub const ERR41_WRONG_ACTION_RESULT: &str = "E41: wrong action result type";