Omniscia Moby Audit
SettlePriceFeed Static Analysis Findings
SettlePriceFeed Static Analysis Findings
SPD-01S: Inexistent Initialization Protection of Base Implementation
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | SettlePriceFeed.sol:L8, L15-L17 |
Description:
The contract is meant to be upgradeable yet does not properly protect its logic deployment from malicious initializations.
Example:
8contract SettlePriceFeed is ISettlePriceFeed, OwnableUpgradeable, AuthorityUtil {9 string public override description;10
11 mapping (address => mapping (uint256 => uint256)) public settlePrices; // token => timestamp => settle price12
13 event FeedSettlePrice(address indexed underlyingAsset, uint256 indexed expiry, uint256 settlePrice, address updater);14
15 function initialize(16 IOptionsAuthority _authority17 ) public initializer {18 __Ownable_init();19 __AuthorityUtil_init__(_authority);20
21 description = "SettlePriceFeed";22 }Recommendation:
We advise a constructor to be introduced that either invokes the initializer modifier of the Initializable contract or invokes the Initializable::_disableInitializers function to prevent the base implementation from ever being initialized.
Alleviation (a95db4124c4689f421fc3fd505ffb91173355034):
The Moby team evaluated this exhibit, and opted not to apply the alleviation described.
After discussions with the Moby team, we consider this and its relevant sister exhibits as acknowledged based on the fact that the Moby team will manually invoke the initializer of each implementation contract when needed.
SPD-02S: Variable Mutability Specifier (Constant)
| Type | Severity | Location |
|---|---|---|
| Gas Optimization | | SettlePriceFeed.sol:L9, L21 |
Description:
The linked variable is assigned to only once during its own declaration.
Impact:
9|22|9,21
Example:
9string public override description;Recommendation:
We advise it to be set as constant greatly optimizing its read-access gas cost.
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
The Moby team evaluated this exhibit but opted to acknowledge it in the current iteration of the codebase