Trail of Bits

Set Protocol

Type: Security review

Client: Set Protocol

Date: 2019-03

Domain: Blockchain

Effort: 5 wks

Section: Ethereum/EVM

Trail of Bits's security review of Set Protocol (Mar 2019) identified 17 issues: 3 high, 10 medium, 2 informational, and 2 undetermined.

Findings · 17

  1. Inline assembly is used to validate external contract calls (Medium)
  2. SetToken can reference itself as a component (Informational)
  3. SetToken components have limited upgradability (Medium)
  4. TimeLockUpgrade’s timeLockPeriod remains default post-deployment (High)
  5. Race condition in the ERC20 approve function may lead to token theft (Medium)
  6. Deployments and migrations require further testing (High)
  7. Whitelist validations are not consistently used (Medium)
  8. Inadequate data validation in price libraries could result in unexpected reverts (Medium)
  9. 0x exchange wrapper cannot increase approval for relay fees (Medium)
  10. Current governance structure introduces counterparty risk (Informational)
  11. Component rebalance effectively pauses parent issuance (Medium)
  12. Solidity compiler optimizations can be dangerous (Undetermined)
  13. Insufficient validation of the rebalanceInterval parameter could produce a revert in the propose function (Medium)
  14. The ether quantity in the LogPayableExchangeRedeem event cannot be trusted (Undetermined)
  15. Insufficient input validation in ExchangeIssuanceModule functions (Medium)
  16. hasDuplicate runs out of gas when the input list is empty (Medium)
  17. executeExchangeOrders fails to properly validate repeated exchanges (High)
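Finding 5 names the well-known ERC20 approve front-running race: because approve overwrites the allowance unconditionally, a spender who sees a pending approve that lowers its allowance can spend the old allowance first and then the new one. The contract below is an added illustration written for this page; it is not Set Protocol's code and is not taken from the report, and the contract name AllowanceDemo and the compareAndApprove function are illustrative names chosen here. It shows the race in a minimal token next to the two usual mitigations: relative adjustment (increaseAllowance/decreaseAllowance, as in OpenZeppelin) and compare-and-set.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only (not Set Protocol's code): a minimal ERC20-style
// allowance model showing the approve race and the standard mitigations.
contract AllowanceDemo {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() {
        balanceOf[msg.sender] = 1_000_000; // constructed sample balance
    }

    // Standard ERC20 approve: overwrites the allowance unconditionally.
    // Race: owner previously approved spender for 100 and now sends
    // approve(spender, 50). Spender front-runs with transferFrom(owner, x, 100),
    // then, once the approve lands, spends another 50. Total taken: 150,
    // although the owner never intended more than 100 to be spendable.
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }

    // Mitigation 1: adjust the allowance relative to its current value.
    // A front-run transferFrom lowers the base, so the adjustment cannot
    // re-grant what was already spent; decreasing below zero reverts.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        allowance[msg.sender][spender] += added;
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "decrease below zero");
        allowance[msg.sender][spender] = current - subtracted;
        return true;
    }

    // Mitigation 2 (illustrative name): compare-and-set. The owner states the
    // allowance it believes is current; if a spender consumed it in between,
    // the call reverts instead of silently re-granting a fresh allowance.
    function compareAndApprove(address spender, uint256 expectedCurrent, uint256 value)
        external
        returns (bool)
    {
        require(allowance[msg.sender][spender] == expectedCurrent, "allowance changed");
        allowance[msg.sender][spender] = value;
        return true;
    }

    // Spender side: consumes allowance, as in any ERC20 token.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "insufficient allowance");
        require(balanceOf[from] >= value, "insufficient balance");
        allowance[from][msg.sender] = allowed - value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}
```

The usual caller-side workaround, approving 0 and then the new value in two transactions, only helps if the caller checks between the two that the spender did not consume the old allowance before the zeroing landed; the relative-adjustment functions make that check unnecessary and are what integrators should prefer when the token exposes them.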

Findings extracted from the published report PDF. See the full report below for details and remediation.
