Omniscia CloudFunding Audit

Manager Manual Review Findings

MAN-01M: Inexistent Removal Workflow

Description:

The distributors array, which is self-managed by the owner, has no removal workflow, so incorrect entries permanently corrupt the storage of the contract.

Impact:

A single incorrect operation will permanently corrupt the storage of the contract, which is an undesirable trait. Additionally, if a distribution ceases functioning, it is impossible to remove it in the current system.

Example:

contracts/Manager.sol
// to be replaced with self-updating, if/when possible
function addDistribution(address distribution) external onlyOwner {
    distributions.push(IDistributionToDelegators(distribution));
}

Recommendation:

We advise introducing a removeDistribution function to the contract that allows removal of a distribution using an index-based approach.

Alleviation:

The manual distribution maintenance mechanisms have been omitted from the codebase, thus nullifying this exhibit as removals are no longer needed.

MAN-02M: Potential of Duplicate FTSO Reward Entries

Description:

The ftsoRewardManagers array can contain duplicate entries as the update methodology of updateFtsoRewardManagers assumes that the managers will always be declared in sequence.

Impact:

Duplicate reward manager entries will cause contracts that rely on reward extraction to potentially fail as rewards would have been claimed already.

Example:

contracts/Manager.sol
function updateFtsoRewardManagers() external {
    IFtsoRewardManager lastSaved = ftsoRewardManagers[ftsoRewardManagers.length - 1];
    IFtsoRewardManager current = FlareLibrary.getFtsoRewardManager(FlareLibrary.getFtsoManager());
    if (current != lastSaved) {
        do {
            ftsoRewardManagersTmp.push(current);
            IFtsoRewardManager previous = getPreviousFtsoRewardManager(current);
            if (previous == lastSaved || address(previous) == address(0)) break;
            current = previous;
        } while (true);
        for (uint256 i = ftsoRewardManagersTmp.length; i > 0; i--) {
            IFtsoRewardManager ftsoRewardManager = ftsoRewardManagersTmp[i - 1];
            ftsoRewardManagers.push(ftsoRewardManager);
            ftsoRewardManagersTmp.pop();
            emit AddFtsoRewardManager(address(ftsoRewardManager));
        }
    }
}

Recommendation:

We advise using a mapping instead that stores whether an FtsoRewardManager is already included in the ftsoRewardManagers array, and breaking the loop when it is.
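
One way to implement the recommended membership check, shown as an added example that is not code from the audit or from the CloudFunding codebase. The isKnownRewardManager mapping, the RewardManagerRegistry contract and the two virtual lookup hooks are hypothetical names; the hooks stand in for the FlareLibrary and getPreviousFtsoRewardManager calls used in Manager.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Empty stand-in for the real interface (assumption for this example).
interface IFtsoRewardManager {}

abstract contract RewardManagerRegistry {
    IFtsoRewardManager[] public ftsoRewardManagers;
    IFtsoRewardManager[] private ftsoRewardManagersTmp;

    // True once a manager has been collected for ftsoRewardManagers.
    mapping(address => bool) public isKnownRewardManager;

    event AddFtsoRewardManager(address ftsoRewardManager);

    // Hypothetical hooks replacing the chain lookups in Manager.sol.
    function _currentRewardManager() internal view virtual returns (IFtsoRewardManager);
    function _previousRewardManager(IFtsoRewardManager manager)
        internal view virtual returns (IFtsoRewardManager);

    function updateFtsoRewardManagers() external {
        IFtsoRewardManager current = _currentRewardManager();

        // Walk back from the newest manager. Stop at the end of the chain or
        // at the first manager that is already stored, wherever it sits in
        // the array, instead of comparing against the last saved entry only.
        while (
            address(current) != address(0) &&
            !isKnownRewardManager[address(current)]
        ) {
            // Flag during collection so a circular chain also ends the walk.
            isKnownRewardManager[address(current)] = true;
            ftsoRewardManagersTmp.push(current);
            current = _previousRewardManager(current);
        }

        // Append oldest-first, draining the temporary array from its tail.
        for (uint256 i = ftsoRewardManagersTmp.length; i > 0; i--) {
            IFtsoRewardManager manager = ftsoRewardManagersTmp[i - 1];
            ftsoRewardManagers.push(manager);
            ftsoRewardManagersTmp.pop();
            emit AddFtsoRewardManager(address(manager));
        }
    }
}
```

Any entries written to ftsoRewardManagers outside this function, for example during deployment, would need their flag set as well for the guard to hold.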

Alleviation:

The CloudFunding team has stated that they deem the assumption that the reward managers are a linked list without circular dependencies to be valid, as a removed manager cannot be re-added later. As a result, they consider the current implementation sound and thus acknowledge this exhibit.