Omniscia DAFI Audit

RebaseEngine Manual Review Findings

REE-01M: Incorrect Execution Path

| Type | Severity | Location |
| --- | --- | --- |
| Logical Fault | Minor | [RebaseEngine.sol:L57-L59](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/rebase engine/RebaseEngine.sol#L57-L59) |

Description:

The _rebasePool function places no restriction on when a rebase can be called, so it can be invoked after the program duration has ended, which causes an incorrect amount of distributed dDAFI to be reported.

Example:

contracts/rebase
```solidity
// It calculates the rewards already distributed (claimed + unclaimed) since the start of the staking program
uint dDAFIDistributed = (MAX_DAFI * (block.timestamp - database.getStakingStartTime())) / database.getProgramDuration();
```

Recommendation:

We advise a proper if statement to be introduced to handle this particular case and ensure the total distribution is properly measured.

Alleviation:

A proper if-else clause was introduced at the beginning of the function evaluating the correct maxTimeStampForCalc.

REE-02M: Incorrect Initializer Pattern

| Type | Severity | Location |
| --- | --- | --- |
| Logical Fault | Minor | [RebaseEngine.sol:L21-L24](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/rebase engine/RebaseEngine.sol#L21-L24) |

Description:

The initialize function does not perform any access control on repeated invocations, allowing the contract to be initialized an arbitrary number of times.

Example:

contracts/rebase
```solidity
function initialize(INetworkDemand _networkDemand, StakingDatabase _database) external onlyOwner {
    networkDemand = _networkDemand;
    database = _database;
}
```

Recommendation:

We advise a proper require check to be introduced that ensures networkDemand and database have not already been set.

Alleviation:

A contract-level INITIALIZED flag was set that is evaluated during the initialize function and ensures it can be invoked only once.

REE-03M: Inexistent Reversal of Authority

| Type | Severity | Location |
| --- | --- | --- |
| Logical Fault | Minor | [RebaseEngine.sol:L101-L104](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/rebase engine/RebaseEngine.sol#L101-L104) |

Description:

The addWhitelist function is a one-way function to render a designated party responsible for updating the pool and per-user stake network demand tickers.

Example:

contracts/rebase
```solidity
function addWhitelist(address account) external onlyOwner {
    require(account != address(0));
    whitelists[account] = true;
}
```

Recommendation:

We advise the system to be slightly restructured by introducing a method to remove individuals from the whitelist. This would potentially allow the owner of the contract to "race" a malicious transaction and salvage the action of a misbehaving whitelisted member.

Alleviation:

A removeWhitelist function was introduced with an onlyOwner modifier, thus alleviating this exhibit.
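
The three alleviations described in the findings above (the maxTimeStampForCalc clamp for REE-01M, the INITIALIZED flag for REE-02M and removeWhitelist for REE-03M), sketched together as an added example. This is not the DAFI project's code: the contract name, the storage variables standing in for the database getters, the initialize parameters and the MAX_DAFI value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; NOT the DAFI project's code. Storage layout, the constant's
// value and every name not quoted in the findings are assumptions.
contract RebaseEngineSketch {
    uint256 public constant MAX_DAFI = 1_000_000 ether; // assumed value
    address public immutable owner;
    bool public INITIALIZED;          // REE-02M: one-shot guard
    uint256 public stakingStartTime;  // stands in for database.getStakingStartTime()
    uint256 public programDuration;   // stands in for database.getProgramDuration()
    mapping(address => bool) public whitelists;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // REE-02M: a second call reverts instead of silently re-pointing the engine.
    function initialize(uint256 _start, uint256 _duration) external onlyOwner {
        require(!INITIALIZED, "already initialized");
        require(_duration != 0, "zero duration");
        INITIALIZED = true;
        stakingStartTime = _start;
        programDuration = _duration;
    }

    // REE-01M: clamp the timestamp so the reported total never exceeds MAX_DAFI.
    function dDAFIDistributed() public view returns (uint256) {
        uint256 end = stakingStartTime + programDuration;
        uint256 maxTimeStampForCalc = block.timestamp > end ? end : block.timestamp;
        if (maxTimeStampForCalc <= stakingStartTime) return 0; // program not started
        return (MAX_DAFI * (maxTimeStampForCalc - stakingStartTime)) / programDuration;
    }

    function addWhitelist(address account) external onlyOwner {
        require(account != address(0), "zero address");
        whitelists[account] = true;
    }

    // REE-03M: the owner can revoke a misbehaving whitelisted account.
    function removeWhitelist(address account) external onlyOwner {
        whitelists[account] = false;
    }
}
```

Without the clamp, any call made after stakingStartTime + programDuration reports more than MAX_DAFI as distributed, which is the over-reporting REE-01M describes.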