1a:["$","div",null,{"className":"animate-pageappear fill-mode-forwards min-h-[calc(100vh-theme(spacing.footer-height))] pb-[60px]","children":[["$","$L25",null,{"audit":{"id":"9af61bf7-2239-4c48-b520-b5adf52d1745","name":"31Third","description":"$26","conductedAt":1679875200000,"reportType":"web","reportUrl":"https://certificate.quantstamp.com/full/31-third/d11ac960-91e8-49c2-9cb3-c44e11e442f9/index.html","issues":[{"id":"76bad9db-dce6-4a53-b3a7-754b40070a73","status":"not_fixed","name":"Deflationary Tokens Are Not Supported","description":"Some tokens can implement hooks or fee systems that get executed when transferred. That means that the amount pulled by the smart contract (calling `transferFrom()`) and the actual amount increased to the balance are not the same. Handling the accounting of these tokens can be complex and can lead to unexpected behavior.\n

\n31Third is not compatible with these tokens. This is a usual approach in many major DeFi protocols by design and not a security issue.\n

\nIn `_claimAndApproveFromToken()` the following condition is checked following the transfer of funds from the caller:\n\n```\nif (fromBalanceAfter < fromBalanceBefore + _trade.fromAmount) {\n revert NotEnoughClaimed(_trade, _trade.fromAmount, fromBalanceAfter - fromBalanceBefore);\n }\n```\n\nIf a token was being used that takes a fee on transfer, the trade would always revert.","severity":"low"},{"id":"d28719b1-3bce-43fe-a324-32e47323a655","status":"not_fixed","name":"Missing Input Validation","description":"It is vital to validate inputs to avoid human error, even if they only come from trusted addresses. The following functions do not have a proper validation of input parameters:\n1. qs-badge-fixed `BatchTrade.batchTrade()` accepts trades with the same asset in `from` and `to` fields.\n2. qs-badge-fixed `ExchangeAdapterRegistry.addAdapter()` should check that `name` is not an empty string.\n3. qs-badge-mitigated Fees are calculated with a constant denominator of `10000`, however, the assignment of `maxFeeBasisPoints` does not consider this constant denominator when it is being assigned. This could lead to a scenario where `maxFeeBasisPoints` either meets or exceeds `10000`.\n4. qs-badge-fixed `updateFeeRecipient()` and `updateBasisPoints()` do not check that the new value being assigned is actually different than the existing one. This could lead to unnecessary transaction costs.","severity":"low"},{"id":"ea641fff-fd4f-4299-a2f0-6efdb92ba2ff","status":"not_fixed","name":"No Lower Bound for `maxFeeBasisPoints`","description":"The `reduceMaxBasisPoints()` allows the maximum fee to be set to a lower value. It is important to note that once the maximum fee limit is reduced, it cannot be raised again. If for some reason, the maximum fee was set to zero, it would be impossible to charge fees for trades.","severity":"low"},{"id":"b6fea0d0-ec03-4c81-9082-52ff98d77a18","status":"not_fixed","name":"Privileged Roles and Ownership","description":"$27","severity":"low"},{"id":"e2b9f755-00b1-434b-b868-b57455635c8a","status":"not_fixed","name":"Unchecked Return Data Received From Exchange","description":"The `BatchTrade.batchTrade()` function allows a user to pass in arbitrary call data to be executed on an exchange contract. The function invoked on the exchange contract may return data which is collected as shown below:\n\n```\n (bool targetSuccess, bytes memory result) = _target.call{value: _value}(\n _data\n );\n```\n\nHowever, no validation is done on the `result` data obtained. The only action taken is to log the data in an event upon trade failure: `emit TradeFailedReason(**msg.sender**, _trade.from, _trade.to, result);`. Depending on the data returned from the exchange, it may be worth performing validation checks upon the return data. This validation would be specific to the exchange, and so would likely belong on the appropriate adapter contract.","severity":"low"},{"id":"3b2ca254-8b35-4e96-9c36-eb1c57e6d6cf","status":"not_fixed","name":"Untraceable Contract Events","description":"Events should be emitted when the contract state changes. The following functions in `BatchTrade` do not emit events:\n\n- `updateFeeRecipient()`\n- `updateBasisPoints()`\n- `reduceMaxBasisPoints()`\n- `addFeelessWallet()`\n- `removeFeelessWallet()`\n- `receiveFees()`","severity":"low"},{"id":"19f8deae-fdb2-4132-9df4-eb346f81cdb0","status":"fixed","name":"User Can Pass Any Calldata","description":"31Third is highly dependant on external exchanges. As external exchanges can add or remove functionalities, the 31Third team should be very careful when adding new exchanges and stay updated about possible vulnerabilities in these systems.\n

\nWhen users call `BatchTrade.batchTrade()`, they can pass call data for a swap that differs from what is specified in the `Trade` struct. For example, if a user is trading using the 0x adapter, the actual call data sent to the 0x contract could target any available function. This could result in the user being able to call unintended functions in external contracts that could in turn drain `BatchTrade` of any funds held within.","severity":"high"},{"id":"d49ab91f-f3fb-46c3-b235-07752ab2e267","status":"fixed","name":"Arbitrary Call Data to Exchange Can Circumvent Fee Collection","description":"The batch trade functionality builds upon the 0x exchange in order to perform each trade in the batch. The 0x protocol supports the submitter of the order to be different from the actual taker in the case of both [limit orders](https://protocol.0x.org/en/latest/basics/orders.html#limit-orders) and [RFQ orders](https://protocol.0x.org/en/latest/basics/orders.html#rfq-orders). Since the `batchTrade` function allows the user to pass arbitrary call data for the 0x swap, the user can easily specify within the order that the `taker` address which receives the result from the trade is different from the `spender`. Since the attacker can specify their own address as the `taker` they can receive the result of the trade directly and avoid paying the fees. In order to subvert the token balance checks within the `BatchTrade` contract, the attacker can use their own custom attack tokens as described in the attack scenario.","severity":"medium"},{"id":"b430ece0-24f8-4d75-8883-71b4ba69512a","status":"fixed","name":"Inflation Of Approvals Through Failed Trades","description":"The `BatchTrade.batchTrade()` function might not revert on a failed trade if `_batchTradeConfig.revertOnError ` is set to `false`. This lack of reversion may result in some undesirable state changes persisting. Of particular concern is that token approvals to the exchange spender contract are not reset.\n\nDuring a trade, the function `_claimAndApproveFromToken()` is called, which transfers the input tokens for the swap, as well as approves the exchange spender to spend these tokens as shown below:\n\n```\nIERC20(_trade.from).safeIncreaseAllowance(\n _exchangeAdapter.getSpender(),\n _trade.fromAmount\n);\n```\n\nThe approval above is not reversed if the trade fails and could potentially be exploited in subsequent transactions. Furthermore, failed trades could be repeatedly executed in order to repeatedly increase the allowance above without resetting it.\n","severity":"medium"},{"id":"993479e2-015b-43ff-b5a1-218a778f65e0","status":"fixed","name":"Amount Received Is Lower than `Trade.minToReceive`","description":"A trader might reasonably expect that they would receive at least `Trade.minToReceive` from a trade. However, the actual minimum amount received by the user is actually `Trade.minToReceive - fees`. This is because the check involving `Trade.minToReceive` is performed immediately after the trade, as shown below:\n```\nif (toBalanceAfterTrade < toBalanceBeforeTrade + _trade.minToReceive) {\n revert NotEnoughReceived(_trade, _trade.minToReceive, toBalanceAfterTrade - toBalanceBeforeTrade);\n}\n```\n\nThe fees are then subtracted from the amount received from the swap, leaving the resulting amount to be potentially less than `Trade.minToReceive`.","severity":"low"},{"id":"3f688692-61c8-4cf0-93ba-aafbc5999cab","status":"fixed","name":"Incorrect Use of ERC-20 Approvals","description":"When transferring ERC20 tokens, approvals are only needed when the caller of the transfer is **not** the source address of the transfer. The following instances incorrectly use `IERC20.safeIncreaseAllowance()` to approve `BatchTrade` for transferring tokens out of `BatchTrade`:\n1. `receiveFees()`\n2. `_approveAndReturnToken()`\n3. `_returnClaimedOnError()`","severity":"low"},{"id":"4e66aa0f-da51-46fc-8f0d-7ccf3fecc68c","status":"fixed","name":"Inflationary/Yield Bearing Tokens Are Locked Forever","description":"The `BatchToken` contract collects fees as a portion of the tokens received for each trade. The contract imposes no restrictions as to which tokens can be traded. Thus it is quite possible that inflationary or yield-bearing tokens could be collected as fees. One example of an inflationary token is `stETH`. If `stETH` is collected as fees for the contract, the contract's balance of `stETH` will grow over time, even if no more fees in `stETH` are collected. However, the increased balance will not be extractible since the fee amount is recorded at the time the fee was collected and stored in the contract, as shown below:\n```\nfeeAmount = (_receivedAmount * feeBasisPoints) / 10000;\nif (feeAmount > 0) {\n accruedFees[_token] += feeAmount;\n}\n```\n\nThus the `stETH` yield will remain locked in the contract forever.","severity":"low"},{"id":"8fece9bf-d9c9-4889-aa67-37b061b3b46d","status":"fixed","name":"Ownership Can Be Renounced","description":"If the owner renounces their ownership, all contracts inheriting from `Ownable` will be left without an owner. Consequently, any function guarded by the `onlyOwner` modifier will no longer be able to be executed.\n

\nAdditionally, if ownership were to be revoked, the contracts would lose crucial functionality such as activating or deactivating the batch trading, modifying fees, feeless wallets, and fee recipients, as well as modifying the adapters used in the batch trading.","severity":"low"},{"id":"00969385-40e0-4d22-8980-632f73cfa926","status":"fixed","name":"Trades Can Be Executed with a Zero Value for `_minToReceive`","description":"31Third relies on the 0x protocol for zero slippage. However, in the instance where an erroneous `Trade` struct is passed to `batchTrade()`, with a `_minToReceive` specified as zero, the trade will still execute normally. This could potentially lead to a loss of user funds, as `from` tokens will be received, but not `to` tokens.","severity":"low"},{"id":"c1d60b32-851b-4f33-9bc0-304682a9e165","status":"fixed","name":"Zero Amount Transfers when Claiming Fees","description":"`BatchTrade.receiveFees()` does not check if the accrued fees for that asset are not zero. This can lead to zero-amount transfers.","severity":"low"}],"issuesCount":{"fixed":{"total":9,"low":6,"medium":2,"high":1,"critical":0},"not_fixed":{"total":6,"low":6,"medium":0,"high":0,"critical":0},"total":15},"auditor":{"name":"Quantstamp","slug":"quantstamp","auditorStatus":"active","profilePictureUrl":"https://uploads-bucket-production.s3.eu-west-1.amazonaws.com/profile-pictures/3ceaf212-b544-4f4e-b348-29badba7aa1f","tvs":{"total":74085466444,"average":330738689,"min":1,"max":37385443263},"auditsTotal":297,"contractsTotal":6630,"projectsCountByTag":{"analytics":4,"collectibles":3,"finance":96,"gaming":2,"security":2,"social":0,"wallet":2,"infrastructure":0,"privacy":0,"identity":0,"other":123,"total":224},"projectsCountByChain":{"ethereum":189,"polygon":39,"avalanche":12,"bnbchain":33,"arbitrum":44,"optimism":18,"fantom":7,"zksync":3,"base":23,"polygonZkEvm":3,"scroll":5,"blast":1,"starknet":0,"solana":17,"stellar":0,"sui":0,"tron":0,"injective":0,"ton":0,"plume":0,"peaq":0,"lukso":0,"mina":0,"astar":0,"vana":0,"fiveire":0,"zircuit":0,"total":224}},"project":{"name":"31Third","slug":"31third-1","domain":"31third.com","email":"contact@docs.31third.com","profilePictureUrl":"https://uploads-bucket-production.s3.eu-west-1.amazonaws.com/profile-pictures/0a26a416-8e0b-490c-9b64-27380cdee73f","tags":["finance"],"chains":["ethereum","polygon","optimism"],"links":{"website":"https://docs.31third.com"},"rekts":[],"auditorsCount":1,"totalValue":0,"issuesCount":{"fixed":{"total":2,"low":2,"medium":0,"high":0,"critical":0},"not_fixed":{"total":1,"low":1,"medium":0,"high":0,"critical":0},"total":3},"lastAuditDate":1714521600000,"lastAuditAuditorName":"Quantstamp"},"contracts":[{"type":"offChainPrivate","name":"contracts/trading/ExchangeAdapterRegistry.sol"},{"type":"offChainPrivate","name":"contracts/trading/IExchangeAdapter.sol"},{"type":"offChainPrivate","name":"contracts/trading/adapter/WETHAdapter.sol"},{"type":"offChainPrivate","name":"contracts/trading/BatchTrade.sol"},{"type":"offChainPrivate","name":"contracts/trading/adapter/ZeroExExchangeAdapter.sol"}],"contractsCountByChain":{"ethereum":0,"polygon":0,"avalanche":0,"bnbchain":0,"arbitrum":0,"optimism":0,"fantom":0,"zksync":0,"base":0,"polygonZkEvm":0,"scroll":0,"blast":0,"starknet":0,"solana":0,"stellar":0,"sui":0,"tron":0,"injective":0,"ton":0,"plume":0,"peaq":0,"lukso":0,"mina":0,"astar":0,"vana":0,"fiveire":0,"zircuit":0,"offChainPublic":0,"offChainPrivate":5,"total":5},"extra":{"requestId":"aaae6dbd-4478-4631-80ef-bb711bb03b55"}}}],"$L28"]}]