Base Static Analysis Findings

BES-01S: Inexistent Sanitization of Input Addresses

Type	Severity	Location
Input Sanitization		Base.sol:L29-L33

Description:

The linked function(s) accept address arguments yet do not properly sanitize them.

Impact:

The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.

Example:

Copy
29constructor(Integrations memory integrations) EVCClient(integrations.evc) {
30    protocolConfig = IProtocolConfig(integrations.protocolConfig);
31    balanceTracker = IBalanceTracker(integrations.balanceTracker);
32    permit2 = integrations.permit2;
33}

Recommendation:

We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.

Alleviation (fb2dd77a6ff9b7f710edb48e7eb5437e0db4fc1a):

The code was updated to utilize a newly introduced AddressUtils contract that will verify the address contains code instead, acting as a superset of the non-zero check and providing better sanitization of the referenced arguments.

To note, sanitization was solely introduced for the integrations.protocolConfig argument as the other contracts were deemed to be acceptable as 0 (i.e. unset).

BES-02S: Inexistent Visibility Specifiers

Type	Severity	Location
Code Style		Base.sol:L18, L19, L20

Description:

The linked variables have no visibility specifier explicitly set.

Example:

Copy
18IProtocolConfig immutable protocolConfig;

Recommendation:

We advise them to be set so to avoid potential compilation discrepancies in the future as the current behaviour is for the compiler to assign one automatically which may deviate between pragma versions.

Alleviation (fb2dd77a6ff9b7f710edb48e7eb5437e0db4fc1a):

The internal visibility specifier has been introduced to all referenced variables, preventing potential compilation discrepancies and addressing this exhibit.