dvilelaf · DavidMinarsch · Dec 10, 2024 · Dec 10, 2024 · Dec 10, 2024 · Dec 10, 2024
diff --git a/audits/README.md b/audits/README.md
@@ -3,5 +3,6 @@ The first internal audit is located in this folder: [internal audit](https://git
 The second internal audit is located in this folder: [internal audit](https://github.com/dvilelaf/meme-ooorr/blob/main/audits/internal2).
 The third audit is located in this folder: [internal audit](https://github.com/dvilelaf/meme-ooorr/blob/main/audits/internal3).
 The fourth audit is located in this folder: [internal audit](https://github.com/dvilelaf/meme-ooorr/blob/main/audits/internal4).
-The latest audit is located in this folder: [internal audit](https://github.com/dvilelaf/meme-ooorr/blob/main/audits/internal5).
+The fifth audit is located in this folder: [internal audit](https://github.com/dvilelaf/meme-ooorr/blob/main/audits/internal5).
+The latest audit is located in this folder: [internal audit](https://github.com/dvilelaf/meme-ooorr/blob/main/audits/internal6).
 
diff --git a/audits/internal6/README.md b/audits/internal6/README.md
@@ -0,0 +1,71 @@
+# meme-ooorr
+The review has been performed based on the contract code in the following repository:<br>
+`https://github.com/dvilelaf/meme-ooorr` <br>
+commit: `c2d85cf3279c5a50b4367df75f03cb39106867b32` or `v0.2.0-internal-audit5` <br>
+
+## Objectives
+The audit focused on BBB* contracts <BR>
+
+## Issue
+### Medium: inf activity from nothing for UniswapPriceOracle.
+```
+mapAccountActivities[msg.sender]++;
+remove updatePrice or return false.
+
+    /// @dev Triggers oracle price update.
+    function updateOraclePrice() external {
+        // Record msg.sender activity
+        mapAccountActivities[msg.sender]++;
+
+        // Update price
+        bool success = IOracle(oracle).updatePrice();
+        require(success, "Oracle price update failed");
+
+        emit OraclePriceUpdated(oracle, msg.sender);
+    }
+        /// @dev Updates the time-weighted average price.
+    function updatePrice() external pure returns (bool) {
+        // Nothing to update; use built-in TWAP from Uniswap V2 pool
+        return true;
+    }
+```
+[]
+
+### Low - no checking fee. 
+```
+May lead to artificial activity through the withdrawal of zeros fee
+function _collectFees(address memeToken, uint256 positionId, bool isNativeFirst) internal {
+        (address token0, address token1) = isNativeFirst ? (nativeToken, memeToken) : (memeToken, nativeToken);
+
+        // Check current pool prices
+        IBuyBackBurner(buyBackBurner).checkPoolPrices(token0, token1, uniV3PositionManager, FEE_TIER);
+
+        IUniswapV3.CollectParams memory params = IUniswapV3.CollectParams({
+            tokenId: positionId,
+            recipient: address(this),
+            amount0Max: type(uint128).max,
+            amount1Max: type(uint128).max
+        });
+
+        // Get the corresponding tokens
+        (uint256 amount0, uint256 amount1) = IUniswapV3(uniV3PositionManager).collect(params);
+        //require(amount0 > 0 || amount1 > 0, "No rewards");
+Improve:
+        (address token0, address token1) = isNativeFirst ? (nativeToken, memeToken) : (memeToken, nativeToken);
+
+    // Check position to ensure there are fees to collect
+    (, , , , , , , uint128 liquidity, uint256 feeGrowthInside0LastX128, uint256 feeGrowthInside1LastX128, , ) = IUniswapV3(uniV3PositionManager).positions(positionId);
+
+    require(liquidity > 0, "No liquidity in position");
+    require(feeGrowthInside0LastX128 > 0 || feeGrowthInside1LastX128 > 0, "No fees available to collect");
+
++
+    require(amount0 > 0 || amount1 > 0, "No rewards");
+```
+[]
+
+### Remove console.log in prod.
+```
+        console.log("tradePrice", tradePrice);
+```
+[]
diff --git a/contracts/BuyBackBurner.sol b/contracts/BuyBackBurner.sol
@@ -42,9 +42,7 @@ abstract contract BuyBackBurner {
     event ImplementationUpdated(address indexed implementation);
     event OwnerUpdated(address indexed owner);
     event OracleUpdated(address indexed oracle);
-    event MinBridgedAmountUpdated(uint256 minBridgedAmount);
     event BuyBack(uint256 olasAmount);
-    event BridgeAndBurn(uint256 olasAmount);
     event OraclePriceUpdated(address indexed oracle, address indexed sender);
 
     // Version number
@@ -66,30 +64,15 @@ abstract contract BuyBackBurner {
     address public nativeToken;
     // Oracle address
     address public oracle;
-    // L2 token relayer bridge address
-    address public l2TokenRelayer;
 
     // Oracle max slippage for ERC-20 native token <=> OLAS
     uint256 public maxSlippage;
-    // Minimum bridge amount
-    uint256 public minBridgedAmount;
     // Reentrancy lock
     uint256 internal _locked = 1;
 
     // Map of account => activity counter
     mapping(address => uint256) public mapAccountActivities;
 
-    /// @dev Bridges OLAS amount back to L1 and burns.
-    /// @param olasAmount OLAS amount.
-    /// @param tokenGasLimit Token gas limit for bridging OLAS to L1.
-    /// @param bridgePayload Optional additional bridge payload.
-    /// @return leftovers msg.value leftovers if partially utilized by the bridge.
-    function _bridgeAndBurn(
-        uint256 olasAmount,
-        uint256 tokenGasLimit,
-        bytes memory bridgePayload
-    ) internal virtual returns (uint256 leftovers);
-
     /// @dev Buys OLAS on DEX.
     /// @param nativeTokenAmount Suggested native token amount.
     /// @return olasAmount Obtained OLAS amount.
@@ -213,23 +196,6 @@ abstract contract BuyBackBurner {
         emit OracleUpdated(newOracle);
     }
 
-    /// @dev Changes minimum OLAS bridge amount.
-    /// @param newMinBridgedAmount New minimum bridged amount.
-    function changeMinBridgedAmount(uint256 newMinBridgedAmount) external virtual {
-        // Check for the ownership
-        if (msg.sender != owner) {
-            revert OwnerOnly(msg.sender, owner);
-        }
-
-        // Check for the zero value
-        if (newMinBridgedAmount == 0) {
-            revert ZeroValue();
-        }
-
-        minBridgedAmount = newMinBridgedAmount;
-        emit MinBridgedAmountUpdated(newMinBridgedAmount);
-    }
-
     /// @dev Checks pool prices via Uniswap V3 built-in oracle.
     /// @param token0 Token0 address.
     /// @param token1 Token1 address.
@@ -274,6 +240,8 @@ abstract contract BuyBackBurner {
                 ((twapPrice - instantPrice) * 1e18) / twapPrice;
         }
 
+        console.log("deviation", deviation);
+        console.log("MAX_ALLOWED_DEVIATION", MAX_ALLOWED_DEVIATION);
         require(deviation <= MAX_ALLOWED_DEVIATION, "Price deviation too high");
     }
 
@@ -304,34 +272,6 @@ abstract contract BuyBackBurner {
         _locked = 1;
     }
 
-    /// @dev Bridges OLAS to Ethereum mainnet for burn.
-    /// @param tokenGasLimit Token gas limit for bridging OLAS to L1.
-    /// @param bridgePayload Optional additional bridge payload.
-    function bridgeAndBurn(uint256 tokenGasLimit, bytes memory bridgePayload) external virtual payable {
-        require(_locked == 1, "Reentrancy guard");
-        _locked = 2;
-
-        // Record msg.sender activity
-        mapAccountActivities[msg.sender]++;
-
-        uint256 olasAmount = IERC20(olas).balanceOf(address(this));
-        require(olasAmount >= minBridgedAmount, "Not enough OLAS to bridge");
-
-        // Bridge and burn OLAS
-        uint256 leftovers = _bridgeAndBurn(olasAmount, tokenGasLimit, bridgePayload);
-
-        // Send leftover amount, if any, back to the sender
-        if (leftovers > 0) {
-            // solhint-disable-next-line avoid-low-level-calls
-            (bool success, ) = tx.origin.call{value: leftovers}("");
-            require(success, "Leftovers transfer failed");
-        }
-
-        emit BridgeAndBurn(olasAmount);
-
-        _locked = 1;
-    }
-
     /// @dev Triggers oracle price update.
     function updateOraclePrice() external {
         // Record msg.sender activity

diff --git a/contracts/BuyBackBurnerArbitrum.sol b/contracts/BuyBackBurnerArbitrum.sol
diff --git a/contracts/BuyBackBurnerBase.sol b/contracts/BuyBackBurnerBase.sol
@@ -28,65 +28,22 @@ interface IBalancer {
     external payable returns (uint256);
 }
 
-// Bridge interface
-interface IBridge {
-    /// @dev Initiates a withdrawal from L2 to L1 to a target account on L1.
-    /// @param l2Token Address of the L2 token to withdraw.
-    /// @param to Recipient account on L1.
-    /// @param amount Amount of the L2 token to withdraw.
-    /// @param minGasLimit Minimum gas limit to use for the transaction.
-    /// @param extraData Extra data attached to the withdrawal.
-    function withdrawTo(address l2Token, address to, uint256 amount, uint32 minGasLimit, bytes calldata extraData) external;
-}
-
 // ERC20 interface
 interface IERC20 {
     /// @dev Sets `amount` as the allowance of `spender` over the caller's tokens.
     /// @param spender Account address that will be able to transfer tokens on behalf of the caller.
     /// @param amount Token amount.
     /// @return True if the function execution is successful.
     function approve(address spender, uint256 amount) external returns (bool);
-
-    /// @dev Gets the amount of tokens owned by a specified account.
-    /// @param account Account address.
-    /// @return Amount of tokens owned.
-    function balanceOf(address account) external view returns (uint256);
 }
 
 /// @title BuyBackBurnerBase - BuyBackBurner implementation contract for Base
 contract BuyBackBurnerBase is BuyBackBurner {
-    // Token transfer gas limit for L1
-    // This is safe as the value is practically bigger than observed ones on numerous chains
-    uint32 public constant TOKEN_GAS_LIMIT = 300_000;
-
     // Balancer vault address
     address public balancerVault;
     // Balancer pool Id
     bytes32 public balancerPoolId;
 
-    /// @dev Bridges OLAS amount back to L1 and burns.
-    /// @param olasAmount OLAS amount.
-    /// @param tokenGasLimit Token gas limit for bridging OLAS to L1.
-    /// @return leftovers msg.value leftovers if partially utilized by the bridge.
-    function _bridgeAndBurn(
-        uint256 olasAmount,
-        uint256 tokenGasLimit,
-        bytes memory
-    ) internal virtual override returns (uint256 leftovers) {
-        // Approve bridge to use OLAS
-        IERC20(olas).approve(l2TokenRelayer, olasAmount);
-
-        // Check for sufficient minimum gas limit
-        if (tokenGasLimit < TOKEN_GAS_LIMIT) {
-            tokenGasLimit = TOKEN_GAS_LIMIT;
-        }
-
-        // Bridge OLAS to mainnet to get burned
-        IBridge(l2TokenRelayer).withdrawTo(olas, OLAS_BURNER, olasAmount, uint32(tokenGasLimit), "0x");
-
-        leftovers = msg.value;
-    }
-
     /// @dev Performs swap for OLAS on DEX.
     /// @param nativeTokenAmount Native token amount.
     /// @return olasAmount Obtained OLAS amount.
@@ -108,13 +65,11 @@ contract BuyBackBurnerBase is BuyBackBurner {
     /// @param payload Initializer payload.
     function _initialize(bytes memory payload) internal override virtual {
         address[] memory accounts;
-        (accounts, balancerPoolId, maxSlippage, minBridgedAmount) =
-            abi.decode(payload, (address[], bytes32, uint256, uint256));
+        (accounts, balancerPoolId, maxSlippage) = abi.decode(payload, (address[], bytes32, uint256));
 
         olas = accounts[0];
         nativeToken = accounts[1];
         oracle = accounts[2];
-        l2TokenRelayer = accounts[3];
-        balancerVault = accounts[4];
+        balancerVault = accounts[3];
     }
 }