Omniscia Mitosis Audit

BasicVault Static Analysis Findings

BVT-01S: Inexistent Event Emissions

Description:

The linked functions adjust sensitive contract variables yet do not emit an event when doing so.

Example:

src/vault/BasicVault.sol
// Grants `action` to `account`; no event is emitted for this state change.
function allow(address account, Action action) external onlyOwner {
    _getStorageV1()._isAllowed[account][action] = true;
}

Recommendation:

We advise an event to be declared and correspondingly emitted for each function to ensure off-chain processes can properly react to this system adjustment.

Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):

The ActionAllowed, ActionDisallowed, CapSet, and RedeemPeriodSet events were introduced to the codebase and are correspondingly emitted in the BasicVault::allow, BasicVault::disallow, BasicVault::setCap, and BasicVault::setRedeemPeriod functions respectively, addressing this exhibit in full.
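A heuristic check for this class of finding, written for this page as an added example (it is not part of the audit or of the Mitosis codebase): it flags functions guarded by an access-control modifier that write state without an `emit`. The sample contract is constructed from the `allow` excerpt above; the `CapSet` signature, the `setCap` and `isAllowed` bodies and the function name `silent_privileged_setters` are assumptions.

```python
import re

# Constructed sample modelled on the allow() excerpt above. The CapSet
# signature and the setCap/isAllowed bodies are assumptions for illustration.
SAMPLE = """
contract Vault {
    event CapSet(address cap);

    function allow(address account, Action action) external onlyOwner {
        _getStorageV1()._isAllowed[account][action] = true;
    }

    function setCap(ICap cap) external onlyOwner {
        _getUtilStorageV1()._cap = cap;
        emit CapSet(address(cap));
    }

    function isAllowed(address a, Action x) external view returns (bool) {
        return _getStorageV1()._isAllowed[a][x];
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
WRITE_RE = re.compile(r"(?<![=!<>])=(?![=>])|\+\+|--|\bdelete\b|\.push\(|\.pop\(")

def strip_comments(src):
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def function_bodies(src):
    """Yield (name, header, body) for every function that has a body."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(3), src[m.end():i - 1]

def silent_privileged_setters(src, modifiers=("onlyOwner",)):
    """Names of guarded, state-writing functions that contain no emit."""
    findings = []
    for name, header, body in function_bodies(strip_comments(src)):
        guarded = any(re.search(rf"\b{re.escape(m)}\b", header) for m in modifiers)
        if not guarded or re.search(r"\b(view|pure)\b", header):
            continue
        if WRITE_RE.search(body) and not re.search(r"\bemit\s+\w+", body):
            findings.append(name)
    return findings
```

The regex-based parsing is a triage aid only: it does not follow writes made through internal calls or recognise access checks written as `require` statements.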

BVT-02S: Multiple Top-Level Declarations

Type | Severity | Location
Code Style | | BasicVault.sol:L16, L36, L71

Description:

The referenced file contains multiple top-level declarations that decrease the legibility of the codebase.

Example:

src/vault/BasicVault.sol
16  contract BasicVaultStorageV1 {
17      /// @custom:storage-location erc7201:mitosis.storage.BasicVault.v1
18      struct StorageV1 {
19          IERC20 _asset;
20          uint8 _underlyingDecimals;
21          mapping(Action => bool) _isHalted;
22          mapping(address => mapping(Action => bool)) _isAllowed;
23      }
24
25      // keccak256(abi.encode(uint256(keccak256("mitosis.storage.BasicVault.v1")) - 1)) & ~bytes32(uint256(0xff))
26      bytes32 public constant StorageV1Location = 0xdfd1d7385a5871446aad353015e13a89d148fc3945543ae58683c6905a730600;
27
28      function _getStorageV1() internal pure returns (StorageV1 storage $) {
29          // slither-disable-next-line assembly
30          assembly {
31              $.slot := StorageV1Location
32          }
33      }
34  }
35
36  contract BasicVaultUtilStorageV1 {
37      struct DepositLog {
38          uint256 cumulative;
39          uint256 amount;
40          uint256 at;
41      }
42
43      struct DepositInfo {
44          uint256 resolved;
45          uint256 lastLogIdx;
46          DepositLog[] logs;
47      }
48
49      /// @custom:storage-location erc7201:mitosis.storage.BasicVaultUtil.v1
50      struct UtilStorageV1 {
51          ICap _cap;
52          uint256 _redeemPeriod;
53          mapping(address => DepositInfo) _deposits;
54      }
55
56      // keccak256(abi.encode(uint256(keccak256("mitosis.storage.BasicVaultUtil.v1")) - 1)) & ~bytes32(uint256(0xff))
57      bytes32 public constant UtilStorageV1Location = 0xb74bb28fc0dafa03e97d9d2c2a11bb377bfd56ee8bbb7eda9a3949d9c8d49c00;
58
59      function _getUtilStorageV1() internal pure returns (UtilStorageV1 storage $) {
60          // slither-disable-next-line assembly
61          assembly {
62              $.slot := UtilStorageV1Location
63          }
64      }
65  }
66
67  /// @title BasicVault
68  /// @author Eddy <hong@manythings.xyz>
69  /// @notice A basic vault that holds a single asset as collateral and mint its IOU tokens to the user by 1:1 ratio.
70  /// @dev There's no reentrancy guard in this contract because it has support for ERC777 tokens.
71  contract BasicVault is

Recommendation:

We advise all highlighted top-level declarations to be split into their respective code files, avoiding unnecessary imports as well as increasing the legibility of the codebase.

Alleviation (58e8cc66dfa900c03c47df78f5170d9960005629):

The referenced top-level declaration(s) beyond the one that has the same name as the code file have been relocated to their dedicated file(s) (BasicVaultStorageV1.sol, BasicVaultUtilStorageV1.sol) and are instead imported as advised, increasing the code's clarity.