CollSurplusPool Static Analysis Findings

CSP-01S: Inexistent Visibility Specifier

Type	Severity	Location
Code Style		CollSurplusPool.sol:L26

Description:

The linked variable has no visibility specifier explicitly set.

Example:

Copy
26mapping(address => uint256) balances;

Recommendation:

We advise one to be set so to avoid potential compilation discrepancies in the future as the current behaviour is for the compiler to assign one automatically which may deviate between pragma versions.

Alleviation:

An internal visibility specifier has been introduced to the balances contract member, ensuring that no inconsistencies can arise between compiler versions.

CSP-02S: Inexistent Sanitization of Input Addresses

Type	Severity	Location
Input Sanitization		CollSurplusPool.sol:L32-L49

Description:

The linked function(s) accept address arguments yet do not properly sanitize them.

Impact:

The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.

Example:

Copy
32function setAddresses(
33    address _activePoolAddress,
34    address _borrowerOperationsAddress,
35    address _vesselManagerAddress,
36    address _vesselManagerOperationsAddress
37) external override initializer {
38    require(!isInitialized, "Already initialized");
39    isInitialized = true;
40
41    __Ownable_init();
42
43    activePoolAddress = _activePoolAddress;
44    borrowerOperationsAddress = _borrowerOperationsAddress;
45    vesselManagerAddress = _vesselManagerAddress;
46    vesselManagerOperationsAddress = _vesselManagerOperationsAddress;
47
48    renounceOwnership();
49}

Recommendation:

We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.

Alleviation:

The Gravita Protocol team has opted to not apply a remediation for this exhibit thus rendering it acknowledged.