Omniscia Kanpeki Finance Audit
Oracle Code Style Findings
ORA-01C: Improper Failure Execution
Type | Severity | Location |
---|---|---|
Code Style | Informational | Oracle.sol:L128 |
Description:
The `_calcTokenETHRate` function will yield the result of `_uintify(0)` when no ETH or USD feed has been detected for the input token; however, the `_uintify` call will always fail with the error code `"feed err"`.
Example:
```solidity
105  function _uintify (int256 rate) private pure returns (uint256)
106  {
107      require(rate > 0, "feed err");
108
109
110      return uint256(rate);
111  }
112
113  function _calcTokenETHRate (address token) private view returns (uint256)
114  {
115      address ethFeed = _ETHFeed[token];
116
117
118      if (ethFeed != address(0))
119      {
120          return _uintify(IFeed(ethFeed).latestAnswer());
121      }
122      else if (_USDFeed[token] != address(0))
123      {
124          return ( _uintify(IFeed(_USDFeed[token]).latestAnswer()) * _DECIMALS ) / _uintify(IFeed(_USDFeed[_WETH]).latestAnswer());
125      }
126      else
127      {
128          return _uintify(0);
129      }
130  }
```
Recommendation:
We advise a more explicit failure case to be added here by simply executing a `revert` with an appropriate error message.
Alleviation:
A `revert` message was introduced with the proper error message.
ORA-02C: Potential Value Misconception
Type | Severity | Location |
---|---|---|
Language Specific | Informational | Oracle.sol:L161, L162, L167 |
Description:
The `USD` functions are utilizing `DAI` as the anchor price point instead, an asset that is unstable and fluctuates around its peg constantly, as evidenced by the dedicated Chainlink DAI / USD oracle.
Example:
```solidity
161  // "USD" here = DAI
162  function convertFromUSD (address toToken, uint256 amount) external view override returns (uint256)
163  {
164      return _convertToDestToken(amount, _DAI, toToken, getConversionRate(_DAI, toToken));
165  }
166
167  function convertToUSD (address fromToken, uint256 amount) external view override returns (uint256)
168  {
169      return _convertToDestToken(amount, fromToken, _DAI, getConversionRate(fromToken, _DAI));
170  }
```
Recommendation:
We advise this particular trait to be carefully assessed as it can lead to misconceptions about the functions' intended purposes.
Alleviation:
The Kanpeki Finance team assessed this exhibit and deemed the current codebase to be verbose enough.
ORA-03C: Redundant Code Duplication
Type | Severity | Location |
---|---|---|
Gas Optimization | Informational | Oracle.sol:L70-L101 |
Description:
The `setFeeds` function replicates the exact same code statements apart from the actual assignment to the mapping depending on the value of `isUSDFeeds`.
Example:
```solidity
 65  function setFeeds (address[] calldata tokens, address[] calldata feeds, bool isUSDFeeds) external onlyOwner
 66  {
 67      require(tokens.length == feeds.length, "!=");
 68
 69
 70      if (isUSDFeeds)
 71      {
 72          for (uint256 i = 0; i < tokens.length; i++)
 73          {
 74              address token = tokens[i];
 75              uint256 decimal = ERC20(token).decimals();
 76
 77
 78              _USDFeed[token] = feeds[i];
 79
 80              require(token != address(0), "!valid token");
 81              require(decimal > 0, "!valid decimal");
 82
 83              _decimal[token] = decimal;
 84          }
 85      }
 86      else
 87      {
 88          for (uint256 i = 0; i < tokens.length; i++)
 89          {
 90              address token = tokens[i];
 91              uint256 decimal = ERC20(token).decimals();
 92
 93
 94              _ETHFeed[token] = feeds[i];
 95
 96              require(token != address(0), "!valid token");
 97              require(decimal > 0, "!valid decimal");
 98
 99              _decimal[token] = decimal;
100          }
101      }
102  }
```
Recommendation:
We advise the code block to remain the same and the outer `if` conditional to instead be moved inwards to the `_USDFeed` / `_ETHFeed` assignment. Additionally, we advise the usage of an array of `bool` values instead to allow more flexibility in the function's execution.
Alleviation:
The Kanpeki Finance team refactored the code exactly according to our recommendation, significantly optimizing its execution.