StakingRewardsLP Static Analysis Findings

SRL-01S: Inexistent Zero Address Validation

Description:

The linked address arguments are not properly sanitized against the zero-address, the default value that can result from off-chain software misbehaviour.

Example:

Copy
54constructor(
55    address _rewardsDistribution,
56    address _rewardsToken,
57    address _stakingToken,
58    address _buybackAddress
59) {
60    rewardsToken = IERC20(_rewardsToken);
61    stakingToken = IERC20(_stakingToken);
62    rewardsDistribution = _rewardsDistribution;
63    buybackAddress = _buybackAddress;
64}

Recommendation:

We advise them to be properly validated by introducing a corresponding require check ensuring they are different from address(0) preventing any contract misconfiguration from occuring.

Alleviation:

The GoGo team considered this exhibit but opted not to apply a remediation for it in the current iteration of the codebase.

SRL-02S: Inexistent Event Emission

Description:

The setRewardsDistributionAddress function adjusts a sensitive contract variable yet does not emit an event for it.

Example:

Copy
327function setRewardsDistributionAddress(address newDistributionAddress)
328    external
329    onlyOwner
330{
331    rewardsDistribution = newDistributionAddress;
332}

Recommendation:

We advise an event to be coded and emitted for this particular variable to ensure off-chain code can properly detect such a change and react accordingly.

Alleviation:

The GoGo team considered this exhibit but opted not to apply a remediation for it in the current iteration of the codebase.