Omniscia Mitosis Audit
ATM Manual Review Findings
ATM Manual Review Findings
ATM-01M: Inexistent Initialization Protection of Base Implementation
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | ATM.sol:L12 |
Description:
The contract is meant to be upgradeable yet does not properly protect its logic deployment from malicious initializations.
Example:
9contract ATM is AccessControlUpgradeable {10 bytes32 public constant CHILD_ROLE = keccak256("CHILD_ROLE");11
12 function initialize(address owner) public initializer {13 __AccessControl_init();14
15 _setupRole(DEFAULT_ADMIN_ROLE, owner);16 }Recommendation:
We advise a constructor to be introduced that either invokes the initializer modifier of the Initializable contract or invokes the Initializable::_disableInitializers function to prevent the base implementation from ever being initialized.
Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):
An ATM::constructor has been introduced invoking the Initializable::initialize modifier thereby preventing re-initializations as long as the contract does not utilize a versioned initialization system.
If such a system is expected, we advise the Initializable::_disableInitializers function instead.
ATM-02M: Inexplicable Fallback Function
| Type | Severity | Location |
|---|---|---|
| Language Specific | | ATM.sol:L18, L20-L22 |
Description:
The ATM::receive and ATM::deposit functions achieve each other's purpose, however, the ATM::deposit function mandates a non-zero msg.value while the ATM::receive function permits any value.
Example:
18receive() external payable {}19
20function deposit() external payable {21 require(msg.value > 0, "ATM: deposit amount must be greater than 0");22}Recommendation:
We advise only either of the two implementations to be retained and the correct logic to be incorporated in it, as a function being marked as payable can accept funds without the contract having a receive function defined.
Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):
The ATM::receive function has been omitted as advised, ensuring that a single implementation for accepting native funds is present in the ATM contract.