Omniscia Mitosis Audit
ATM Manual Review Findings
ATM Manual Review Findings
ATM-01M: Inexistent Initialization Protection of Base Implementation
Type | Severity | Location |
---|---|---|
Language Specific | ATM.sol:L12 |
Description:
The contract is meant to be upgradeable yet does not properly protect its logic deployment from malicious initializations.
Example:
9contract ATM is AccessControlUpgradeable {10 bytes32 public constant CHILD_ROLE = keccak256("CHILD_ROLE");11
12 function initialize(address owner) public initializer {13 __AccessControl_init();14
15 _setupRole(DEFAULT_ADMIN_ROLE, owner);16 }
Recommendation:
We advise a constructor
to be introduced that either invokes the initializer
modifier of the Initializable
contract or invokes the Initializable::_disableInitializers
function to prevent the base implementation from ever being initialized.
Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):
An ATM::constructor
has been introduced invoking the Initializable::initialize
modifier thereby preventing re-initializations as long as the contract does not utilize a versioned initialization system.
If such a system is expected, we advise the Initializable::_disableInitializers
function instead.
ATM-02M: Inexplicable Fallback Function
Type | Severity | Location |
---|---|---|
Language Specific | ATM.sol:L18, L20-L22 |
Description:
The ATM::receive
and ATM::deposit
functions achieve each other's purpose, however, the ATM::deposit
function mandates a non-zero msg.value
while the ATM::receive
function permits any value.
Example:
18receive() external payable {}19
20function deposit() external payable {21 require(msg.value > 0, "ATM: deposit amount must be greater than 0");22}
Recommendation:
We advise only either of the two implementations to be retained and the correct logic to be incorporated in it, as a function being marked as payable
can accept funds without the contract having a receive
function defined.
Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):
The ATM::receive
function has been omitted as advised, ensuring that a single implementation for accepting native funds is present in the ATM
contract.