Omniscia Moby Audit
Controller Static Analysis Findings
CRE-01S: Inexistent Event Emissions
| Type | Severity | Location |
|---|---|---|
| Language Specific | ![]() | Controller.sol:L161-L163, L165-L167, L169-L171, L215-L217, L219-L221, L223-L225, L227-L229 |
Description:
The linked functions adjust sensitive contract variables yet do not emit an event when doing so.
Example:
```solidity
// Controller.sol:L161-L163
function setMaxGasPrice(uint256 _maxGasPrice) external onlyAdmin {
    maxGasPrice = _maxGasPrice;
}
```
Recommendation:
We advise an event to be declared and correspondingly emitted for each function to ensure off-chain processes can properly react to this system adjustment.
Alleviation (a8720219a6a97e10b8d9c6a70c6345747f0fdcb3):
The SetMaxGasPrice, SetOptionsMarket, SetVaultPriceFeed, UpdatePlugin, UpdatePlugin, ApprovePlugin, and ApprovePlugin events were introduced to the codebase and are correspondingly emitted in the Controller::setMaxGasPrice, Controller::setOptionsMarket, Controller::setVaultPriceFeed, Controller::addPlugin, Controller::removePlugin, Controller::approvePlugin, and Controller::denyPlugin functions respectively, addressing this exhibit in full.
CRE-02S: Inexistent Sanitization of Input Addresses
| Type | Severity | Location |
|---|---|---|
| Input Sanitization | ![]() | Controller.sol:L135-L155 |
Description:
The linked function(s) accept address arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software-related bugs.
Example:
```solidity
// Controller.sol:L135-L155
function initialize(
    address[3] memory _vaults,
    address[3] memory _vaultUtils,
    address _optionMarket,
    address _vaultPriceFeed,
    address _weth,
    IOptionsAuthority _authority
) public initializer {
    __Ownable_init();
    __AuthorityUtil_init__(_authority);

    optionsMarket = _optionMarket;
    vaultPriceFeed = _vaultPriceFeed;
    weth = _weth;

    vaults = _vaults;

    for (uint8 i = 0; i < 3; i++) {
        vaultToVaultUtil[_vaults[i]] = _vaultUtils[i];
    }
}
```
Recommendation:
We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
All input arguments of the Controller::initialize function are adequately sanitized as non-zero in the latest in-scope revision of the codebase, addressing this exhibit.
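The two recommendations above (CRE-01S and CRE-02S), applied together in an added Solidity sketch; this is not the Moby code and not the revisions the alleviations cite. The contract name `ControllerSketch`, the `ZeroAddress` error, the `_nonZero` helper, the `admin` and `initialized` fields (stand-ins for `onlyAdmin` and `initializer`) and the event arguments are assumptions, and the `_authority` parameter is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration, not the audited Controller. Access control and the
// initializer guard are simplified stand-ins for the project's modifiers.
contract ControllerSketch {
    error ZeroAddress();
    // Event name is from the report; logging old and new value is an assumption.
    event SetMaxGasPrice(uint256 previousValue, uint256 newValue);

    address public admin;
    bool private initialized;
    uint256 public maxGasPrice;
    address public optionsMarket;
    address public vaultPriceFeed;
    address public weth;
    address[3] public vaults;
    mapping(address => address) public vaultToVaultUtil;

    // Reverts on the zero address so a bad deployment script fails loudly.
    function _nonZero(address a) private pure returns (address) {
        if (a == address(0)) revert ZeroAddress();
        return a;
    }

    function initialize(
        address[3] memory _vaults,
        address[3] memory _vaultUtils,
        address _optionMarket,
        address _vaultPriceFeed,
        address _weth
    ) external {
        require(!initialized, "already initialized");
        initialized = true;
        admin = msg.sender;
        optionsMarket = _nonZero(_optionMarket);
        vaultPriceFeed = _nonZero(_vaultPriceFeed);
        weth = _nonZero(_weth);
        // Array elements are checked individually: one zero slot is enough to break a vault.
        for (uint256 i = 0; i < 3; i++) {
            vaults[i] = _nonZero(_vaults[i]);
            vaultToVaultUtil[_vaults[i]] = _nonZero(_vaultUtils[i]);
        }
    }

    function setMaxGasPrice(uint256 _maxGasPrice) external {
        require(msg.sender == admin, "not admin");
        emit SetMaxGasPrice(maxGasPrice, _maxGasPrice); // emitted before the write so the old value is logged
        maxGasPrice = _maxGasPrice;
    }
}
```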

