Omniscia Astrolab DAO Audit

AsRescuable Static Analysis Findings

ARE-01S: Inexistent Visibility Specifiers

Type: Code Style
Severity: (value missing from source)
Location: AsRescuable.sol:L21, L22

Description:

The linked variables have no visibility specifier explicitly set.

Example:

src/abstract/AsRescuable.sol (L21):

    uint64 constant RESCUE_TIMELOCK = 2 days;

Recommendation:

We advise the visibility specifiers to be explicitly set so as to avoid potential compilation discrepancies in the future, as the current behaviour is for the compiler to assign one automatically, and that default may deviate between pragma versions.

Alleviation (59b75fbee1d8f3dee807c928f18be41c58b904e1):

The public visibility specifier has been introduced to all referenced variables, preventing potential compilation discrepancies and addressing this exhibit.

ARE-02S: Deprecated Native Asset Transfer

Description:

The linked statement performs a low-level native asset transfer via the transfer function exposed by the address payable data type.

Impact:

As new EIPs such as EIP-2930 are introduced to the blockchain, gas costs can change, and the transfer instruction of Solidity specifies a fixed gas stipend that is prone to failure should such changes be integrated into the blockchain the contract is deployed on. A prime example of this behaviour is legacy versions of Gnosis, which were susceptible to this issue and would cause native transfers to fail if sent to a new address.

Example:

src/abstract/AsRescuable.sol (L88):

    payable(req.receiver).transfer(address(this).balance);

Recommendation:

We advise an alternative means of transferring native assets to be utilized instead, such as OpenZeppelin's Address.sol library and in particular the sendValue function it exposes. If the fixed gas stipend is being relied upon to prevent re-entrancy, we instead advise a mechanism to be put in place that either credits an account with a native balance it can withdraw in a secondary transaction, or that performs the native asset transfers at the end of the top-level transaction's execution.

Alleviation (59b75fbee1d8f3dee807c928f18be41c58b904e1):

The native payment has been replaced by a low-level call interaction that supplies the full available gas allowance to the recipient, thus ensuring it will succeed regardless of the underlying blockchain the contract is deployed on or the nature of the recipient.
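The following is an added illustration of the three transfer patterns discussed in the recommendation and alleviation above; it is not code from the Astrolab DAO repository or from the audit. The contract names, the rescue/withdraw functions and the custom errors are assumptions for the sake of the example, and access control on the rescue entry points is deliberately left out so that only the payment mechanics differ between the variants.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not the project's code): contract names and function
// signatures are assumptions modelled on the audit's description.

// Variant 1 (the pattern flagged in ARE-02S): transfer() forwards a fixed
// 2300-gas stipend, so the rescue reverts for any recipient whose receive()
// hook needs more gas (e.g. a multisig that writes storage or emits events),
// and the stipend itself is at the mercy of future opcode repricings.
contract RescueWithTransfer {
    receive() external payable {}

    function rescue(address payable receiver) external {
        payable(receiver).transfer(address(this).balance);
    }
}

// Variant 2 (the alleviation applied): a low-level call forwards all gas.
// Unlike transfer(), a failed call does NOT revert by itself, so the
// boolean result must be checked; this is also what OpenZeppelin's
// Address.sendValue does internally.
contract RescueWithCall {
    error NativeTransferFailed(address receiver, uint256 amount);

    receive() external payable {}

    function rescue(address payable receiver) external {
        uint256 amount = address(this).balance;
        (bool ok, ) = receiver.call{value: amount}("");
        if (!ok) revert NativeTransferFailed(receiver, amount);
    }
}

// Variant 3 (the pull-payment alternative from the recommendation): credit
// a withdrawable balance instead of pushing funds. A reverting or
// gas-hungry receiver can then never block the rescue flow, and
// re-entrancy during withdraw() is neutralised by zeroing the credit
// before the external call (checks-effects-interactions).
contract RescueWithPullPayment {
    mapping(address => uint256) public credits;
    uint256 public totalCredited; // sum of all outstanding credits

    error InsufficientUnallocatedBalance(uint256 requested, uint256 available);
    error NativeTransferFailed(address receiver, uint256 amount);

    receive() external payable {}

    function rescue(address receiver, uint256 amount) external {
        // Only balance not already promised to someone else may be credited.
        uint256 available = address(this).balance - totalCredited;
        if (amount > available) {
            revert InsufficientUnallocatedBalance(amount, available);
        }
        credits[receiver] += amount;
        totalCredited += amount;
    }

    function withdraw() external {
        uint256 amount = credits[msg.sender];
        credits[msg.sender] = 0;   // effect first: a re-entrant call sees zero
        totalCredited -= amount;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        if (!ok) revert NativeTransferFailed(msg.sender, amount);
    }
}
```

The second variant matches what the alleviation commit describes; the third is the shape to reach for when the 2300-gas stipend was doing double duty as a re-entrancy guard, since removing the stipend without a replacement guard hands the recipient full gas inside the rescue flow.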