Audit Fixes QS-11

contracts/Farm.sol

@@ -47,7 +47,7 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
     event PoolSubscribed(uint256 indexed depositId, uint8 fundId);
     event FarmStartTimeUpdated(uint256 newStartTime);
     event CooldownPeriodUpdated(uint256 newCooldownPeriod);
-    event RewardRateUpdated(address indexed rwdToken, uint256[] newRewardRate);
+    event RewardRateUpdated(address indexed rwdToken, uint128[] newRewardRate);
     event RewardAdded(address rwdToken, uint256 amount);
     event FarmClosed();
     event RecoveredERC20(address token, uint256 amount);
@@ -115,9 +115,8 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
             revert ZeroAmount();
         }
         _validateFarmOpen();
-        if (rewardData[_rwdToken].tknManager == address(0)) {
-            revert InvalidRewardToken();
-        }
+        _validateRewardToken(_rwdToken);
+
         updateFarmRewardData();
         IERC20(_rwdToken).safeTransferFrom(msg.sender, address(this), _amount);
         emit RewardAdded(_rwdToken, _amount);
@@ -159,7 +158,7 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
         uint256 numRewards = rewardTokens.length;
         for (uint8 iRwd; iRwd < numRewards;) {
             _recoverRewardFunds(rewardTokens[iRwd], type(uint256).max);
-            _setRewardRate(rewardTokens[iRwd], new uint256[](rewardFunds.length));
+            _setRewardRate(rewardTokens[iRwd], new uint128[](rewardFunds.length));
             unchecked {
                 ++iRwd;
             }
@@ -187,7 +186,7 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
     /// @notice Function to update reward params for a fund.
     /// @param _rwdToken The reward token's address.
     /// @param _newRewardRates The new reward rate for the fund (includes the precision).
-    function setRewardRate(address _rwdToken, uint256[] memory _newRewardRates) external {
+    function setRewardRate(address _rwdToken, uint128[] memory _newRewardRates) external {
         _validateFarmOpen();
         _validateTokenManager(_rwdToken);
         updateFarmRewardData();
@@ -225,6 +224,7 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
         rewards = new uint256[][](numDepositSubs);
 
         uint256 time = _getRewardAccrualTimeElapsed();
+        uint256[] memory accumulatedRewards = new uint256[](numRewards);
 
         // Update the two reward funds.
         for (uint8 iSub; iSub < numDepositSubs;) {
@@ -233,7 +233,8 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
             uint8 fundId = sub.fundId;
             for (uint8 iRwd; iRwd < numRewards;) {
                 if (funds[fundId].totalLiquidity != 0 && isFarmActive()) {
-                    uint256 accRewards = _getAccRewards(iRwd, fundId, time);
+                    uint256 accRewards = _getAccRewards(iRwd, fundId, time, accumulatedRewards[iRwd]); // accumulatedRewards is sent to consider the already accrued rewards.
+                    accumulatedRewards[iRwd] += accRewards;
                     // update the accRewardPerShare for delta time.
                     funds[fundId].accRewardPerShare[iRwd] += (accRewards * PREC) / funds[fundId].totalLiquidity;
                 }
@@ -286,6 +287,7 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
     /// @param _rwdToken The reward token's address.
     /// @return The reward rates for the reward token (uint256[]).
     function getRewardRates(address _rwdToken) external view returns (uint256[] memory) {
+        _validateRewardToken(_rwdToken);
         uint256 numFunds = rewardFunds.length;
         uint256[] memory rates = new uint256[](numFunds);
         uint8 id = rewardData[_rwdToken].id;
@@ -333,7 +335,7 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
                     if (fund.totalLiquidity != 0) {
                         for (uint8 iRwd; iRwd < numRewards;) {
                             // Get the accrued rewards for the time.
-                            uint256 accRewards = _getAccRewards(iRwd, iFund, time);
+                            uint256 accRewards = _getAccRewards(iRwd, iFund, time, 0); // _alreadyAccRewardBal is 0.
                             rewardData[rewardTokens[iRwd]].accRewardBal += accRewards;
                             fund.accRewardPerShare[iRwd] += (accRewards * PREC) / fund.totalLiquidity;
 
@@ -402,9 +404,7 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
     function getRewardBalance(address _rwdToken) public view returns (uint256) {
         RewardData memory rwdData = rewardData[_rwdToken];
 
-        if (rwdData.tknManager == address(0)) {
-            revert InvalidRewardToken();
-        }
+        _validateRewardToken(_rwdToken);
 
         uint256 numFunds = rewardFunds.length;
         uint256 rewardsAcc = rwdData.accRewardBal;
@@ -634,7 +634,7 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
     /// @notice Function to update reward params for a fund.
     /// @param _rwdToken The reward token's address.
     /// @param _newRewardRates The new reward rate for the fund (includes the precision).
-    function _setRewardRate(address _rwdToken, uint256[] memory _newRewardRates) internal {
+    function _setRewardRate(address _rwdToken, uint128[] memory _newRewardRates) internal {
         uint8 id = rewardData[_rwdToken].id;
         uint256 numFunds = rewardFunds.length;
         if (_newRewardRates.length != numFunds) {
@@ -736,14 +736,21 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
     /// @param _rwdId Id of the reward token.
     /// @param _fundId Id of the reward fund.
     /// @param _time Time interval for the reward computation.
-    function _getAccRewards(uint8 _rwdId, uint8 _fundId, uint256 _time) internal view returns (uint256) {
+    /// @param _alreadyAccRewardBal Already accrued reward balance.
+    /// @dev `_alreadyAccRewardBal` is useful when this function called from `computeRewards` function.
+    /// As `computeReward` is a view function and it doesn't update the `accRewardBal` in the `rewardData`.
+    function _getAccRewards(uint8 _rwdId, uint8 _fundId, uint256 _time, uint256 _alreadyAccRewardBal)
+        internal
+        view
+        returns (uint256)
+    {
         uint256 rewardsPerSec = rewardFunds[_fundId].rewardsPerSec[_rwdId];
         if (rewardsPerSec == 0) {
             return 0;
         }
         address rwdToken = rewardTokens[_rwdId];
         uint256 rwdSupply = IERC20(rwdToken).balanceOf(address(this));
-        uint256 rwdAccrued = rewardData[rwdToken].accRewardBal;
+        uint256 rwdAccrued = rewardData[rwdToken].accRewardBal + _alreadyAccRewardBal;
 
         uint256 rwdBal = 0;
         // Calculate the available reward funds in the farm.
@@ -805,6 +812,14 @@ abstract contract Farm is FarmStorage, Ownable, ReentrancyGuard, Initializable,
         }
     }
 
+    /// @notice Validate the reward token is valid.
+    /// @param _rwdToken Address of reward token.
+    function _validateRewardToken(address _rwdToken) internal view {
+        if (rewardData[_rwdToken].tknManager == address(0)) {
+            revert InvalidRewardToken();
+        }
+    }
+
     /// @notice Get the time elapsed since the last reward accrual.
     /// @return time The time elapsed since the last reward accrual.
     function _getRewardAccrualTimeElapsed() internal view virtual returns (uint256) {

contracts/FarmDeployer.sol

@@ -49,6 +49,7 @@ abstract contract FarmDeployer is Ownable, ReentrancyGuard {
 
     // Custom Errors
     error InvalidAddress();
+    error NewFarmImplementationSameAsOld();
 
     /// @notice Constructor.
     /// @param _farmRegistry Address of the Demeter Farm Registry.
@@ -62,7 +63,14 @@ abstract contract FarmDeployer is Ownable, ReentrancyGuard {
     /// @notice Update farm implementation's address.
     /// @dev Only callable by the owner.
     /// @param _newFarmImplementation New farm implementation's address.
+    /// @dev Ensure that `_newFarmId` is correct for the new farm implementation.
     function updateFarmImplementation(address _newFarmImplementation, string calldata _newFarmId) external onlyOwner {
+        _validateNonZeroAddr(_newFarmImplementation);
+
+        if (farmImplementation == _newFarmImplementation) {
+            revert NewFarmImplementationSameAsOld();
+        }
+
         farmId = _newFarmId;
         farmImplementation = _newFarmImplementation;
 

contracts/FarmRegistry.sol

@@ -49,6 +49,7 @@ contract FarmRegistry is OwnableUpgradeable {
 
     // Custom Errors.
     error DeployerNotRegistered();
+    error FarmAlreadyRegistered();
     error DeployerAlreadyRegistered();
     error InvalidDeployerId();
     error PrivilegeSameAsDesired();
@@ -77,9 +78,14 @@ contract FarmRegistry is OwnableUpgradeable {
     /// @param _farm Address of the created farm contract
     /// @param _creator Address of the farm creator.
     function registerFarm(address _farm, address _creator) external {
+        _validateNonZeroAddr(_farm);
         if (!deployerRegistered[msg.sender]) {
             revert DeployerNotRegistered();
         }
+        if (farmRegistered[_farm]) {
+            revert FarmAlreadyRegistered();
+        }
+
         farms.push(_farm);
         farmRegistered[_farm] = true;
         emit FarmRegistered(_farm, _creator, msg.sender);

contracts/features/OperableDeposit.sol

@@ -39,6 +39,7 @@ abstract contract OperableDeposit is Farm {
 
     // Custom Errors.
     error DecreaseDepositNotPermitted();
+    error InsufficientLiquidity();
 
     /// @notice Update subscription data of a deposit for increase in liquidity.
     /// @param _depositId Unique deposit id for the deposit.
@@ -120,6 +121,9 @@ abstract contract OperableDeposit is Farm {
         if (_amount == 0) {
             revert CannotWithdrawZeroAmount();
         }
+        if (_amount > userDeposit.liquidity) {
+            revert InsufficientLiquidity();
+        }
 
         if (userDeposit.expiryDate != 0 || userDeposit.cooldownPeriod != 0) {
             revert DecreaseDepositNotPermitted();

contracts/interfaces/IFarm.sol

@@ -6,7 +6,7 @@ import {RewardData, RewardFund} from "./DataTypes.sol";
 interface IFarm {
     function updateRewardData(address _rwdToken, address _newTknManager) external;
 
-    function setRewardRate(address _rwdToken, uint256[] memory _newRwdRates) external;
+    function setRewardRate(address _rwdToken, uint128[] memory _newRewardRates) external;
 
     function recoverRewardFunds(address _rwdToken, uint256 _amount) external;
 

contracts/rewarder/Rewarder.sol

@@ -32,6 +32,7 @@ import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 import {IOracle} from "../interfaces/IOracle.sol";
 import {IFarm} from "../interfaces/IFarm.sol";
 import {IRewarderFactory} from "../interfaces/IRewarderFactory.sol";
+import {SafeCast} from "@openzeppelin/contracts/utils/math/SafeCast.sol";
 
 /// @title Rewarder contract of Demeter Protocol.
 /// @author Sperax Foundation.
@@ -49,8 +50,8 @@ contract Rewarder is Ownable, Initializable, ReentrancyGuard {
     // nonLockupRewardPer - Reward percentage allocation for no lockup fund (rest goes to lockup fund).
     struct FarmRewardConfig {
         uint256 apr;
-        uint256 rewardRate;
-        uint256 maxRewardRate;
+        uint128 rewardRate;
+        uint128 maxRewardRate;
         uint256[] baseAssetIndexes;
         uint256 nonLockupRewardPer; // 5e3 = 50%.
     }
@@ -62,7 +63,7 @@ contract Rewarder is Ownable, Initializable, ReentrancyGuard {
     // nonLockupRewardPer - Reward percentage allocation for no lockup fund (rest goes to lockup fund).
     struct FarmRewardConfigInput {
         uint256 apr;
-        uint256 maxRewardRate;
+        uint128 maxRewardRate;
         address[] baseTokens;
         uint256 nonLockupRewardPer; // 5e3 = 50%.
     }
@@ -272,7 +273,7 @@ contract Rewarder is Ownable, Initializable, ReentrancyGuard {
 
     function _calibrateReward(address _farm) private returns (uint256 rewardsToSend) {
         FarmRewardConfig memory farmRewardConfig = farmRewardConfigs[_farm];
-        uint256 rewardRate;
+        uint128 rewardRate;
         if (farmRewardConfig.apr != 0) {
             (address[] memory assets, uint256[] memory amounts) = _getTokenAmounts(_farm);
             // Calculating total USD value for all the assets.
@@ -298,9 +299,10 @@ contract Rewarder is Ownable, Initializable, ReentrancyGuard {
             // For token with lower decimals the calculation of rewardRate might not be accurate because of precision loss in truncation.
             // rewardValuePerSecond = (APR * totalValue / 100) / 365 days.
             // rewardRate = rewardValuePerSecond * pricePrecision / price.
-            rewardRate = (farmRewardConfig.apr * totalValue * priceData.precision)
-                / (APR_PRECISION * DENOMINATOR * ONE_YEAR * priceData.price);
-
+            rewardRate = SafeCast.toUint128(
+                (farmRewardConfig.apr * totalValue * priceData.precision)
+                    / (APR_PRECISION * DENOMINATOR * ONE_YEAR * priceData.price)
+            );
             if (rewardRate > farmRewardConfig.maxRewardRate) {
                 rewardRate = farmRewardConfig.maxRewardRate;
             }
@@ -333,15 +335,15 @@ contract Rewarder is Ownable, Initializable, ReentrancyGuard {
     /// @param _farm Address of the farm.
     /// @param _rwdRate Reward per second to be emitted.
     /// @param _nonLockupRewardPer Reward percentage to be allocated to no lockup fund.
-    function _setRewardRate(address _farm, uint256 _rwdRate, uint256 _nonLockupRewardPer) private {
-        uint256[] memory _newRewardRates;
+    function _setRewardRate(address _farm, uint128 _rwdRate, uint256 _nonLockupRewardPer) private {
+        uint128[] memory _newRewardRates;
         if (IFarm(_farm).cooldownPeriod() == 0) {
-            _newRewardRates = new uint256[](1);
+            _newRewardRates = new uint128[](1);
             _newRewardRates[0] = _rwdRate;
             IFarm(_farm).setRewardRate(REWARD_TOKEN, _newRewardRates);
         } else {
-            _newRewardRates = new uint256[](2);
-            uint256 commonFundShare = (_rwdRate * _nonLockupRewardPer) / MAX_PERCENTAGE;
+            _newRewardRates = new uint128[](2);
+            uint128 commonFundShare = SafeCast.toUint128((_rwdRate * _nonLockupRewardPer) / MAX_PERCENTAGE);
             _newRewardRates[0] = commonFundShare;
             _newRewardRates[1] = _rwdRate - commonFundShare;
             IFarm(_farm).setRewardRate(REWARD_TOKEN, _newRewardRates);