Pull requests merged without code reviews
Description
Important repositories within DexFi's organization do not require code reviews to merge pull requests. For example, the vaults-v3-backend repo contains many merged pull requests without any reviews at all. Requiring a review on every pull request helps prevent problematic code from reaching the main branch.
Impact
The lack of code reviews prior to merging pull requests can result in vulnerable code being pushed to the main branch of the repository. Additionally, without a review requirement, an attacker who has breached a contributor's account can immediately push their own code to the main branch without any barrier.
Recommendations
Mandatory code review should be enabled for all important repositories, that is, every repository where undesired code being pushed could have a negative impact. In addition to this process, it would be beneficial to retroactively review old pull requests that were merged without review, to ensure that no undesirable code reached the main branches while no review requirement was in place.
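Both parts of the recommendation can be automated. The following script is an added example, not part of the audit report or of DexFi's tooling; it assumes the repositories are hosted on GitHub. The first function implements the retroactive check: given pull-request records in the shape returned by GitHub's pulls and reviews endpoints, it flags merged pull requests that lack an approval from someone other than the author (so a self-approval does not count). The second function builds the request body for GitHub's branch-protection endpoint (PUT /repos/{owner}/{repo}/branches/{branch}/protection) with required approving reviews enabled. The sample pull-request data is constructed for the example and is not taken from the vaults-v3-backend repository.

```python
"""Audit merged pull requests for missing approvals and build a GitHub
branch-protection payload. Added example; sample data is constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field


@dataclass
class PullRequest:
    number: int
    author: str                 # login of the PR author
    merged_at: str | None       # None means closed without merging
    reviews: list[dict] = field(default_factory=list)  # GitHub-style review objects


# Constructed sample combining GET /repos/{owner}/{repo}/pulls?state=closed
# with GET /repos/{owner}/{repo}/pulls/{number}/reviews. Not real DexFi data.
SAMPLE_PRS = [
    PullRequest(101, "alice", "2023-05-01T10:00:00Z", []),                   # no review at all
    PullRequest(102, "bob", "2023-05-02T12:00:00Z",
                [{"user": {"login": "alice"}, "state": "APPROVED"}]),        # properly reviewed
    PullRequest(103, "carol", "2023-05-03T09:00:00Z",
                [{"user": {"login": "carol"}, "state": "APPROVED"}]),        # self-approved only
    PullRequest(104, "dave", "2023-05-04T08:00:00Z",
                [{"user": {"login": "erin"}, "state": "CHANGES_REQUESTED"}]),  # merged over objections
    PullRequest(105, "frank", None, []),                                     # never merged; out of scope
]


def unreviewed_merged_prs(prs, min_approvals=1):
    """Return the numbers of merged PRs with fewer than min_approvals
    distinct approvals from reviewers other than the author."""
    flagged = []
    for pr in prs:
        if pr.merged_at is None:
            continue  # only merged code reached the main branch
        approvers = {
            r["user"]["login"]
            for r in pr.reviews
            if r.get("state") == "APPROVED" and r["user"]["login"] != pr.author
        }
        if len(approvers) < min_approvals:
            flagged.append(pr.number)
    return flagged


def branch_protection_payload(required_approvals=1, contexts=()):
    """Body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.
    Requires the given number of approving reviews, dismisses approvals
    that predate new commits, and applies the rule to admins as well."""
    return {
        "required_status_checks": {"strict": True, "contexts": list(contexts)},
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "require_code_owner_reviews": False,
            "required_approving_review_count": required_approvals,
        },
        "restrictions": None,
    }


if __name__ == "__main__":
    # Retroactive audit over the constructed sample: PRs 101, 103 and 104 are flagged.
    print("merged without an independent approval:", unreviewed_merged_prs(SAMPLE_PRS))
    # Protection settings to apply to the main branch (hypothetical status check name).
    print(json.dumps(branch_protection_payload(1, ["ci/tests"]), indent=2))
```

In practice the records would be fetched from the API with an authenticated client and paginated; the filtering logic is unchanged. Flagged pull requests are the ones to queue for retroactive review, and the payload is applied once per protected branch of each important repository.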
Remediation
DexFi has acknowledged this issue and stated the following:
Mandatory code reviews have been enabled for the important repositories. Individual contributors' pull requests now require unique branches, each of which must pass successful checks, before requiring the approval of the repository's manager to be merged into production.