Omniscia rain protocol Audit
EmissionsERC20 Manual Review Findings
EmissionsERC20 Manual Review Findings
EER-01M: Potential Sanitization of VM State Configuration
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | EmissionsERC20.sol:L124 |
Description:
The initialize function does not apply any sanitization on the input EmissionsERC20Config while it expects at least one source to be defined as evidenced by the eval execution of calculateClaim.
Example:
contracts/claim/EmissionsERC20.sol
112/// @param config_ source and token config. Also controls delegated claims.113function initialize(EmissionsERC20Config memory config_)114 external115 initializer116{117 __ERC20_init(config_.erc20Config.name, config_.erc20Config.symbol);118 _mint(119 config_.erc20Config.distributor,120 config_.erc20Config.initialSupply121 );122
123 vmStatePointer = VMState.snapshot(124 VMState.newState(config_.vmStateConfig)125 );126
127 /// Log some deploy state for use by claim/opcodes.128 allowDelegatedClaims = config_.allowDelegatedClaims;129 constructionBlockNumber = block.number;130
131 emit Initialize(msg.sender, config_.allowDelegatedClaims, block.number);132}Recommendation:
We advise some form of sanitization to be imposed, at minimum a guarantee that at least once source has been defined in the sources array of vmStateConfig, to prevent misconfiguration of the contract.
Alleviation:
The newState function of the VMState implementation was updated to perfom validation that at least one source has been defined thereby alleviating this exhibit.