Omniscia DAFI Audit
NetworkDemand Manual Review Findings
NDD-01M: Incorrect Deterministic Calculation
Type | Severity | Location |
---|---|---|
Mathematical Operations | Medium | [NetworkDemand.sol:L51](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/network demand/NetworkDemand.sol#L51), [L54](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/network demand/NetworkDemand.sol#L54) |
Description:
The `ceiling` and `floor` calculations performed in the `demandFactorNew` calculation within `calculateNetworkDemand` appear to not be properly carried out as they will result in the same evaluation on each execution due to the parenthesis ordering introduced.
Example:
```solidity
uint demandFactorNew = ((priceFeeds.getThePrice()*1000000/targetPrice)
    *(fractions["PRICE_FRACTION"].ceiling*100/fractions["PRICE_FRACTION"].floor)) // L51
    +
    ((tvlFeeds.getTheTVL()*1000000/targetTVL)
    *(fractions["TVL_FRACTION"].ceiling*100/fractions["TVL_FRACTION"].floor)); // L54
```
Recommendation:
We advise this segment to be re-evaluated and if the order of execution is deemed desirable, the fraction system to be dropped entirely and the calculated value of the multiplication and division to instead be set as the "multiplier".
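The following added example (not code from the audit or from the DAFI codebase) models the audited expression with Python integer arithmetic to show that each ceiling/floor pair collapses to one feed-independent constant, so the expression is equivalent to the stored "multiplier" form the recommendation describes. The `Fraction` class, the function names and all sample values are assumptions made for illustration, as is treating `ceiling` and `floor` as unsigned integers that do not overflow.

```python
# Added illustration: models the Solidity uint expression with Python floor
# division (equivalent for non-negative values that do not overflow uint256).
from dataclasses import dataclass

SCALE = 1_000_000  # scaling constant used in the audited expression


@dataclass(frozen=True)
class Fraction:
    ceiling: int
    floor: int

    def ratio(self) -> int:
        # The parenthesised sub-expression from L51/L54: no feed value
        # appears in it, so it is fixed until the fraction is reconfigured.
        return self.ceiling * 100 // self.floor


def demand_factor_audited(price, target_price, tvl, target_tvl, price_fr, tvl_fr):
    """Evaluate the expression with the same grouping as the audited code."""
    return ((price * SCALE // target_price) * (price_fr.ceiling * 100 // price_fr.floor)
            + (tvl * SCALE // target_tvl) * (tvl_fr.ceiling * 100 // tvl_fr.floor))


def demand_factor_multiplier(price, target_price, tvl, target_tvl, price_mult, tvl_mult):
    """Form suggested by the recommendation: one stored multiplier per feed."""
    return (price * SCALE // target_price) * price_mult + (tvl * SCALE // target_tvl) * tvl_mult


# Constructed sample configuration and feed readings (not from the project).
PRICE_FR, TVL_FR = Fraction(ceiling=3, floor=2), Fraction(ceiling=10, floor=3)
TARGET_PRICE, TARGET_TVL = 2_000, 50_000
READINGS = [(1, 10), (1_000, 25_000), (2_000, 50_000), (900_000, 7_000_000)]


def compare():
    """Return (audited, multiplier) results for each constructed reading."""
    rows = []
    for price, tvl in READINGS:
        a = demand_factor_audited(price, TARGET_PRICE, tvl, TARGET_TVL, PRICE_FR, TVL_FR)
        m = demand_factor_multiplier(price, TARGET_PRICE, tvl, TARGET_TVL,
                                     PRICE_FR.ratio(), TVL_FR.ratio())
        rows.append((a, m))
    return rows


if __name__ == "__main__":
    for (price, tvl), (a, m) in zip(READINGS, compare()):
        print(f"price={price:>7} tvl={tvl:>8} audited={a} multiplier={m}")
```

Because the ratio is truncated by integer division, a pair such as `(10, 3)` contributes 333 rather than 333.33, and any two pairs with the same truncated ratio are indistinguishable in the result.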
Alleviation:
The exhibit no longer applies as the fraction system was dropped from the codebase.
NDD-02M: Inexistent Reversal of Authority
Type | Severity | Location |
---|---|---|
Logical Fault | Minor | [NetworkDemand.sol:L116-L119](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/network demand/NetworkDemand.sol#L116-L119) |
Description:
The `addWhitelist` function is a one-way function to authorize a designated party as able to adjust various configurational parameters of the network demand data feed.
Example:
```solidity
function addWhitelist(address account) external onlyOwner {
    require(account != address(0));
    whitelists[account] = true;
}
```
Recommendation:
We advise the system to be slightly restructured by introducing a method to remove individuals from the whitelist. This would potentially allow the owner of the contract to "race" a malicious transaction and salvage the action of a misbehaving whitelisted member.
Alleviation:
A `removeWhitelist` function guarded by the `onlyOwner` modifier was added, thus alleviating this exhibit.