Omniscia Moby Audit
SpotPriceFeed Static Analysis Findings
SPF-01S: Illegible Numeric Value Representation
| Type | Severity | Location |
|---|---|---|
| Code Style |  | SpotPriceFeed.sol:L11 |
Description:
The linked numeric literal is sub-optimally represented, decreasing the legibility of the codebase.
Example:
```solidity
uint256 public constant BASIS_POINTS_DIVISOR = 10000;
```
Recommendation:
To properly illustrate each value's purpose, we advise the following guidelines to be followed.
For values meant to depict fractions with a base of 1e18, we advise fractions to be utilized directly (e.g. 1e17 becomes 0.1e18), as the compiler supports them.
For values meant to represent a percentage base, we advise each value to utilize the underscore (_) separator to discern the percentage decimal (e.g. 10000 becomes 100_00, 300 becomes 3_00 and so on).
Finally, for large numeric values we simply advise the underscore character to be utilized again to represent them (e.g. 1000000 becomes 1_000_000).
Alleviation (a8720219a6a97e10b8d9c6a70c6345747f0fdcb3):
The representation of the referenced literal has been updated to 100_00 in accordance with the recommendation's underscore style, addressing this exhibit.
SPF-02S: Inexistent Initialization Protection of Base Implementation
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | SpotPriceFeed.sol:L8, L27-L29 |
Description:
The contract is meant to be upgradeable yet does not protect its logic (implementation) deployment from malicious initializations: anyone may call initialize directly on the implementation address rather than on the proxy.
Example:
```solidity
contract SpotPriceFeed is ISpotPriceFeed, OwnableUpgradeable, AuthorityUtil {
    uint256 public constant PRICE_PRECISION = 10 ** 30;
    uint256 public constant ONE_USD = PRICE_PRECISION;
    uint256 public constant BASIS_POINTS_DIVISOR = 10000;

    string public override description;

    uint256 public lastUpdatedAt;
    uint256 public updateDuration; // 60 = 1 minute
    uint256 public spreadBasisPoints;
    // allowed deviation from primary price
    uint256 public maxDeviationBasisPoints;

    bool public isSpreadEnabled;

    mapping (address => uint256) public spotPrices; // token => spot price

    event FeedSpotPrice(address token, uint256 price, address updater);

    function initialize(
        IOptionsAuthority _authority
    ) public initializer {
        // ...
    }
}
```
Recommendation:
We advise a constructor to be introduced that either invokes the initializer modifier of the Initializable contract or invokes the Initializable::_disableInitializers function, preventing the base implementation from ever being initialized. A constructor runs only in the context of the implementation deployment and never in the proxy's storage, so the proxy's own initialize call is unaffected.
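The following is an added illustration of the recommended pattern; it is not Moby's code and is deliberately reduced to a single storage variable. It assumes OpenZeppelin Contracts Upgradeable v5 at the import paths shown (in v4, __Ownable_init takes no argument). UnprotectedFeed mirrors the exhibit's shape, ProtectedFeed adds the recommended constructor, and InitProtectionCheck deploys both as bare implementations and attempts to initialize each directly, returning which attempt succeeded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for SPF-02S (not Moby's code). Assumes OpenZeppelin Contracts
// Upgradeable v5 is available at these paths.
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Unprotected implementation: no constructor, so the implementation contract
/// itself still has _initialized == 0 after deployment and whoever calls
/// `initialize` on the implementation address first becomes its owner.
contract UnprotectedFeed is OwnableUpgradeable {
    uint256 public updateDuration;

    function initialize(uint256 _updateDuration) public initializer {
        __Ownable_init(msg.sender);
        updateDuration = _updateDuration;
    }
}

/// Protected implementation: the constructor runs once, only on the
/// implementation, and sets the Initializable version to its maximum, so any
/// later `initialize` call on the implementation reverts. A proxy delegating to
/// this code has its own storage (still version 0) and initializes normally.
contract ProtectedFeed is OwnableUpgradeable {
    uint256 public updateDuration;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(uint256 _updateDuration) public initializer {
        __Ownable_init(msg.sender);
        updateDuration = _updateDuration;
    }
}

/// Deploys both implementations and tries to initialize them directly, the way
/// an attacker would against the implementation address. Expected result:
/// (true, false) - the unprotected one is taken over, the protected one reverts.
contract InitProtectionCheck {
    function run() external returns (bool unprotectedInitialized, bool protectedInitialized) {
        UnprotectedFeed u = new UnprotectedFeed();
        ProtectedFeed p = new ProtectedFeed();

        try u.initialize(60) {
            unprotectedInitialized = true;
        } catch {
            unprotectedInitialized = false;
        }

        try p.initialize(60) {
            protectedInitialized = true;
        } catch {
            protectedInitialized = false;
        }
    }
}
```

The check can be run from a local test by deploying InitProtectionCheck and calling run(); the `@custom:oz-upgrades-unsafe-allow constructor` annotation is what OpenZeppelin's upgrade tooling expects when an upgradeable implementation legitimately carries a constructor.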
Alleviation (a95db4124c4689f421fc3fd505ffb91173355034):
The Moby team evaluated this exhibit, and opted not to apply the alleviation described.
After discussions with the Moby team, we consider this exhibit and its relevant sister exhibits acknowledged, as the Moby team will manually invoke the initializer of each implementation contract when needed.
SPF-03S: Redundant Variable Assignments
| Type | Severity | Location |
|---|---|---|
| Gas Optimization |  | SpotPriceFeed.sol:L36, L37, L39 |
Description:
The linked variables are redundantly assigned the default value of their respective data types (i.e. a uint256 assigned 0, an address assigned address(0), etc.).
Example:
```solidity
spreadBasisPoints = 0;
```
Recommendation:
We advise the assignments to be omitted, as they can be safely removed while optimizing the codebase's gas cost.
Alleviation (b02fae335f):
The relevant zero-value assignments have been omitted; however, an assignment to false for the isMaxDeviationEnabled flag remains.
Alleviation (a8720219a6):
The redundant false assignment has been removed as well, rendering this exhibit fully addressed.
SPF-04S: Variable Mutability Specifiers (Constant)
| Type | Severity | Location |
|---|---|---|
| Gas Optimization |  | SpotPriceFeed.sol:L13, L16, L17, L19, L21 |
Description:
The linked variables are assigned to only once during their own declaration.
Example:
```solidity
string public override description;
```
Recommendation:
We advise them to be set as constant, greatly optimizing their read-access gas cost.
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
The Moby team evaluated this exhibit but opted to acknowledge it in the current iteration of the codebase.
