Omniscia Rari Capital Audit
CEther Manual Review Findings
CER-01M: Impossible Autonomous Deployment
Type | Severity | Location |
---|---|---|
Indeterminate Code | Minor | CEther.sol:L20-L30 |
Description:
The code within the `constructor` of the contract was adjusted, so the contract can no longer be deployed independently: the `admin` variable is no longer temporarily adjusted to bypass the check within `initialize`.
Example:
```solidity
function initialize(ComptrollerInterface comptroller_,
                    InterestRateModel interestRateModel_,
                    uint initialExchangeRateMantissa_,
                    string memory name_,
                    string memory symbol_,
                    uint8 decimals_,
                    uint256 reserveFactorMantissa_,
                    uint256 adminFeeMantissa_) public {
    // CToken initialize does the bulk of the work
    super.initialize(comptroller_, interestRateModel_, initialExchangeRateMantissa_, name_, symbol_, decimals_, reserveFactorMantissa_, adminFeeMantissa_);
}
```
Recommendation:
We advise that the ramifications of this are evaluated and, if the behaviour is to be kept as is, that this is explicitly mentioned within the `constructor`'s description.
Alleviation:
In response to this finding, Rari specified that the `CEther` token is not meant to be deployable independently, as is the case with the main Compound implementation, and thus this exhibit can be considered null.
CER-02M: Potentially Breaking Functionality
Type | Severity | Location |
---|---|---|
Standard Conformity | Minor | CEther.sol:L139 |
Description:
The `transfer` opcode assigns a static gas amount to the external call that transfers funds outwards. This amount can be changed in a subsequent fork of Ethereum and thus cause such `transfer` calls to fail.
Example:
```solidity
function doTransferOut(address payable to, uint amount) internal {
    /* Send the Ether, with minimal gas and revert on failure */
    to.transfer(amount);
}
```
Recommendation:
We advise that an OpenZeppelin wrapper implementation, such as the `sendValue` function of the `Address` library, is used instead to ensure compatibility at the EVM level perpetually.
Alleviation:
The `transfer` call instances were replaced by `to.call.value(amount)("")` invocations, ensuring the code segment is future-proof. We should note that a side-effect of this is that the Checks-Effects-Interactions pattern should be ensured to be sufficiently applied wherever `doTransferOut` is invoked, as the new method forwards gas and allows more complex calls to be performed by the recipient.
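As an added side-by-side illustration (not code from the audited CEther contract or from Rari/Compound), the fixed-stipend `transfer` and the gas-forwarding `call` variants of `doTransferOut`, together with the Checks-Effects-Interactions ordering the alleviation calls for; the `EtherVault` contract and its `balances` mapping are assumed stand-ins for the token's real accounting.

```solidity
pragma solidity ^0.5.16;

// Added illustration, not code from the audited contract: a minimal vault
// (assumed stand-in for CEther's accounting) showing the two outward-transfer
// styles from CER-02M and the Checks-Effects-Interactions ordering.
contract EtherVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Original style: transfer() forwards a fixed 2300 gas stipend and reverts
    // on failure. A recipient whose fallback needs more than the stipend (for
    // example after an opcode gas repricing) can no longer receive funds.
    function doTransferOutFixedGas(address payable to, uint256 amount) internal {
        to.transfer(amount);
    }

    // Replacement style from the alleviation: a low-level call forwards all
    // remaining gas, so the recipient may run arbitrary logic, including
    // calling back into this contract. The success flag must be checked
    // explicitly, because call() does not revert on its own.
    function doTransferOut(address payable to, uint256 amount) internal {
        (bool ok, ) = to.call.value(amount)("");
        require(ok, "doTransferOut: call failed");
    }

    // Safe ordering: check, update state, then interact. A re-entrant
    // withdraw() from the recipient sees the already-reduced balance and
    // fails the check, so forwarding gas does not expose the accounting.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance"); // Checks
        balances[msg.sender] -= amount;                                   // Effects
        doTransferOut(msg.sender, amount);                                // Interactions
    }
}
```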