Omniscia Bluejay Finance Audit
StablecoinEngine Static Analysis Findings
SEE-01S: Improper Invocation of EIP-20 transfer
Type | Severity | Location |
---|---|---|
Standard Conformity | | StablecoinEngine.sol:L69, L79 |
Description:
The linked statement does not properly validate the returned bool of the EIP-20 standard transfer function. As the standard dictates, callers must not assume that false is never returned.
Example:
```solidity
59 // Function assumes that safety checks have been performed, use calculateAmounts to prevent liquidity sniping
60 function _addLiquidity(
61   address pool,
62   uint256 reserveAmount,
63   uint256 stablecoinAmount
64 ) internal ifPoolExists(pool) returns (uint256 liquidity) {
65   StablecoinPoolInfo memory info = poolsInfo[pool];
66   IMintableBurnableERC20(info.stablecoin).mint(pool, stablecoinAmount);
67   treasury.withdraw(info.reserve, pool, reserveAmount);
68   liquidity = IUniswapV2Pair(pool).mint(address(this));
69   IUniswapV2Pair(pool).transfer(address(treasury), liquidity);
70   emit LiquidityAdded(pool, liquidity, reserveAmount, stablecoinAmount);
71 }
```
Recommendation:
Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise utilizing a safe wrapper library instead, such as SafeERC20 by OpenZeppelin, which opportunistically validates the returned bool only if it exists.
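The check this recommendation describes, as an added example that is not code from the audited project or from OpenZeppelin: a low-level call whose return data is validated only when present, next to the unchecked form from the finding. `IERC20Minimal`, `SafeTransferSketch`, `LiquidityForwarder` and `TransferFailed` are hypothetical names; a deployed contract would use the SafeERC20 library the recommendation names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; all names below are hypothetical.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

library SafeTransferSketch {
    error TransferFailed(address token);

    /// Reverts unless the call succeeds and, when return data is present,
    /// that data decodes to `true`.
    function safeTransfer(address token, address to, uint256 amount) internal {
        // Low-level call: a token that returns nothing (USDT-style) would make
        // the ABI decoder revert if called through the typed interface.
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20Minimal.transfer.selector, to, amount)
        );
        // A call to an address without code also succeeds with empty return
        // data, so the empty-data branch must confirm that code exists.
        bool accepted = ok &&
            (ret.length == 0 ? token.code.length > 0 : abi.decode(ret, (bool)));
        if (!accepted) revert TransferFailed(token);
    }
}

// Access control is omitted to keep the sketch focused on the transfer check.
contract LiquidityForwarder {
    address public immutable treasury;

    constructor(address _treasury) {
        treasury = _treasury;
    }

    // Unchecked form, as in the finding: a `false` return is silently dropped.
    function forwardUnchecked(address pool, uint256 liquidity) external {
        IERC20Minimal(pool).transfer(treasury, liquidity);
    }

    // Checked form: a failed call or a `false` return reverts the transaction.
    function forwardChecked(address pool, uint256 liquidity) external {
        SafeTransferSketch.safeTransfer(pool, treasury, liquidity);
    }
}
```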
Alleviation:
The code has been updated to no longer perform EIP-20 transfers, thus rendering this exhibit no longer applicable.
SEE-02S: Inexistent Sanitization of Input Addresses
Type | Severity | Location |
---|---|---|
Input Sanitization | | StablecoinEngine.sol:L36 |
Description:
The linked address arguments affect sensitive contract variables yet remain unsanitized.
Example:
```solidity
36 constructor(address _treasury, address factory) {
37   _setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
38   treasury = ITreasury(_treasury);
39   poolFactory = IUniswapV2Factory(factory);
40 }
```
Recommendation:
We advise them to be sanitized against the zero-address (address(0)) to prevent misconfiguration of the contract.
Alleviation:
The Bluejay Finance team stated that they do not wish to sanitize the referenced input arguments as the function is executed only once during the contract's lifetime. As a result, we consider this exhibit acknowledged.