Omniscia Moby Audit
RewardTracker Static Analysis Findings
RewardTracker Static Analysis Findings
RTR-01S: Inexistent Event Emissions
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | RewardTracker.sol:L79-L81, L83-L85, L87-L89, L91-L93, L95-L97 |
Description:
The linked functions adjust sensitive contract variables yet do not emit an event for it.
Example:
79function setDepositToken(address _depositToken, bool _isDepositToken) external onlyAdmin {80 isDepositToken[_depositToken] = _isDepositToken;81}Recommendation:
We advise an event to be declared and correspondingly emitted for each function to ensure off-chain processes can properly react to this system adjustment.
Alleviation (a8720219a6a97e10b8d9c6a70c6345747f0fdcb3):
A significant portion of the instances are no longer applicable, however, the remaining RewardTracker::setInPrivateClaimingMode and RewardTracker::setHandler functions have had an event introduced rendering this exhibit fully addressed.
RTR-02S: Suboptimal Event Declaration
| Type | Severity | Location |
|---|---|---|
| Gas Optimization | | RewardTracker.sol:L49 |
Description:
The referenced event declaration does not have any indexed argument or have less than three indexed arguments that are a primitive type.
Example:
49event Claim(address receiver, uint256 amount);Recommendation:
Apart from aiding off-chain integrators in consuming and filtering such an event, primitive types that are set as indexed will result in a gas optimization due to reduced memory costs. As such, we advise the indexed keyword to be introduced to up to three different primitive types in total optimizing the referenced event declaration.
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
The indexed keyword has been introduced to the referenced event declaration per our recommendation, addressing this exhibit.
RTR-03S: Inexistent Sanitization of Input Address
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | RewardTracker.sol:L64-L77 |
Description:
The linked function accepts an address argument yet does not properly sanitize it.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
64function initSetup(65 address[] memory _depositTokens,66 address _distributor67) external onlyAdmin {68 require(!isSetup, "RewardTracker: setting already initialized");69 isSetup = true;70 71 for (uint256 i = 0; i < _depositTokens.length; i++) {72 address depositToken = _depositTokens[i];73 isDepositToken[depositToken] = true;74 }75
76 distributor = _distributor;77}Recommendation:
We advise some basic sanitization to be put in place by ensuring that the address specified is non-zero.
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
The input _distributor address argument of the RewardTracker::initSetup function is adequately sanitized as non-zero in the latest in-scope revision of the codebase, addressing this exhibit.