Omniscia Mitosis Audit
ArbitrumBridgeAdapter Static Analysis Findings
ArbitrumBridgeAdapter Static Analysis Findings
ABA-01S: Inexistent Event Emissions
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | ArbitrumBridgeAdapter.sol:L25-L27, L29-L31 |
Description:
The linked functions adjust sensitive contract variables yet do not emit an event for it.
Example:
25function setMaxGas(uint32 _maxGas) external onlyOwner {26 maxGas = _maxGas;27}Recommendation:
We advise an event to be declared and correspondingly emitted for each function to ensure off-chain processes can properly react to this system adjustment.
Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):
The ATMSet, GasSet, and BridgeSet events were introduced to the codebase and are correspondingly emitted in the ArbitrumBridgeAdapter::_setATM, ArbitrumBridgeAdapter::_setGas, and ArbitrumBridgeAdapter::_setBridge functions respectively, addressing this exhibit in full.
ABA-02S: Inexistent Sanitization of Input Address
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | ArbitrumBridgeAdapter.sol:L17-L23 |
Description:
The linked function accepts an address argument yet does not properly sanitize it.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
17constructor(IArbitrumGateway _bridge, uint32 _maxGas, uint32 _gasPriceBid) Ownable() {18 bridge = _bridge;19
20 maxGas = _maxGas; // 13000021
22 gasPriceBid = _gasPriceBid; // 30000000023}Recommendation:
We advise some basic sanitization to be put in place by ensuring that the address specified is non-zero.
Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):
All input argument(s) of the ArbitrumBridgeAdapter::_setATM, and ArbitrumBridgeAdapter::_setBridge functions are adequately sanitized as non-zero in the latest in-scope revision of the codebase, addressing this exhibit.
ABA-03S: Potential Lock of Native Assets
| Type | Severity | Location |
|---|---|---|
| Language Specific | | ArbitrumBridgeAdapter.sol:L48 |
Description:
The linked receive / fallback function performs no sanitization as to its caller and no function within the contract expects funds to have been received directly by the contract.
Impact:
Any native funds accidentally sent to the contract may be forever locked.
Example:
48receive() external payable {}Recommendation:
We advise the code to properly prohibit accidental native assets from being permanently locked in the contract by introducing a require check restricting the msg.sender to the contract(s) expected to transfer assets to the system (i.e. in case of a wrapped native version of an asset, only the WXXX contract address should be allowed). Alternatively, if the contract is not expected to receive native assets directly the function should be removed in its entirety.
Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):
The ArbitrumBridgeAdapter::receive function was updated to solely receive native funds from the designated atm entry, preventing accidental lock of funds to the contract and thus alleviating this exhibit.