Omniscia Moby Audit
Vault Manual Review Findings
VTL-01M: Inexistent Removal of Whitelisted Token
Type | Severity | Location |
---|---|---|
Logical Fault | Informational | Vault.sol:L189-L202 |
Description:
The `Vault::setTokenConfig` function introduces a new entry to the `whitelistedTokens` array; however, its counterpart `Vault::clearTokenConfig` does not clear that entry.
Impact:
The exhibit's severity has been set to informational as the Moby team has acknowledged this trait; we still advise the `whitelistedTokens` entries to be maintained, however, so as to ease external integrators.
Example:
contracts/Vault.sol
```solidity
// L161-L187
function setTokenConfig(
    address _token,
    uint256 _tokenDecimals,
    uint256 _tokenWeight,
    uint256 _maxUsdgAmount,
    bool _isUnderlyingAssetToken,
    bool _isStableToken
) external onlyAdmin {
    if (!isWhitelistedToken[_token]) { // increment token count for the first time
        whitelistedTokenCount = whitelistedTokenCount + 1;
        whitelistedTokens.push(_token);
    }

    uint256 _totalTokenWeights = totalTokenWeights;
    _totalTokenWeights = _totalTokenWeights - tokenWeights[_token];

    isWhitelistedToken[_token] = true;
    tokenDecimals[_token] = _tokenDecimals;
    tokenWeights[_token] = _tokenWeight;
    maxUsdgAmounts[_token] = _maxUsdgAmount;
    isUnderlyingAssetToken[_token] = _isUnderlyingAssetToken;
    isStableToken[_token] = _isStableToken;

    totalTokenWeights = _totalTokenWeights + _tokenWeight;

    getSpotPrice(_token, true); // validate price feed
}

// L189-L202
function clearTokenConfig(address _token) external onlyAdmin {
    require(isWhitelistedToken[_token], "Vault: token not whitelisted");

    totalTokenWeights = totalTokenWeights - tokenWeights[_token];

    delete isWhitelistedToken[_token];
    delete tokenDecimals[_token];
    delete tokenWeights[_token];
    delete maxUsdgAmounts[_token];
    delete isUnderlyingAssetToken[_token];
    delete isStableToken[_token];

    whitelistedTokenCount = whitelistedTokenCount - 1;
}
```
Recommendation:
We advise the `whitelistedTokens` entries to be properly maintained, performing a replacement if a token is removed.
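One way to perform the replacement described above, shown as an added example that is not code from the Moby repository or from the audit. `WhitelistSketch`, `addToken`, `removeToken` and `indexPlusOne` are hypothetical names, and access control and the other per-token settings are omitted; only `whitelistedTokens`, `isWhitelistedToken` and `whitelistedTokenCount` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only; not the Moby Vault. Access control and the other
// per-token settings are omitted to isolate the array bookkeeping.
contract WhitelistSketch {
    address[] public whitelistedTokens;
    mapping(address => bool) public isWhitelistedToken;
    // Hypothetical helper: position of each token in whitelistedTokens,
    // stored as index + 1 so that 0 means "not present".
    mapping(address => uint256) private indexPlusOne;

    function addToken(address _token) external {
        if (isWhitelistedToken[_token]) return; // already listed, nothing to push
        whitelistedTokens.push(_token);
        indexPlusOne[_token] = whitelistedTokens.length;
        isWhitelistedToken[_token] = true;
    }

    function removeToken(address _token) external {
        require(isWhitelistedToken[_token], "token not whitelisted");

        uint256 idx = indexPlusOne[_token] - 1;
        uint256 lastIdx = whitelistedTokens.length - 1;

        // Replace the removed slot with the last element, unless the removed
        // token already occupies the last slot.
        if (idx != lastIdx) {
            address moved = whitelistedTokens[lastIdx];
            whitelistedTokens[idx] = moved;
            indexPlusOne[moved] = idx + 1;
        }

        whitelistedTokens.pop();
        delete indexPlusOne[_token];
        delete isWhitelistedToken[_token];
    }

    // With the array maintained, its length is the live token count, so this
    // sketch needs no separately tracked counter.
    function whitelistedTokenCount() external view returns (uint256) {
        return whitelistedTokens.length;
    }
}
```

Removal by replacement changes the order of `whitelistedTokens`, so integrators iterating the array should not treat an index as a stable identifier for a token.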
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
The Moby team has opted to retain the current behaviour in place, opting to manage valid whitelisted tokens via the `whitelistedTokenCount` variable.