Omniscia Moby Audit
USDG Static Analysis Findings
USDG Static Analysis Findings
USD-01S: Inexistent Event Emissions
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | USDG.sol:L29-L31, L33-L35 |
Description:
The linked functions adjust sensitive contract variables yet do not emit an event for it.
Example:
29function addVault(address _vault) external override onlyAdmin {30 vaults[_vault] = true;31}Recommendation:
We advise an event to be declared and correspondingly emitted for each function to ensure off-chain processes can properly react to this system adjustment.
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
The USDG::removeVault function is no longer present in the codebase while an event has been properly declared and is being emitted for the renamed USDG::setVault function, rendering this exhibit addressed.
USD-02S: Inexistent Initialization Protection of Base Implementation
| Type | Severity | Location |
|---|---|---|
| Language Specific | | USDG.sol:L9, L22 |
Description:
The contract is meant to be upgradeable yet does not properly protect its logic deployment from malicious initializations.
Example:
9contract USDG is YieldToken, IUSDG, OwnableUpgradeable {10 mapping (address => bool) public vaults;11
12 modifier onlyVault() {13 require(vaults[msg.sender], "USDG: forbidden");14 _;15 }16
17 function initialize(18 address _vault,19 string memory _name,20 string memory _symbol,21 IOptionsAuthority _authority22 ) public initializer {Recommendation:
We advise a constructor to be introduced that either invokes the initializer modifier of the Initializable contract or invokes the Initializable::_disableInitializers function to prevent the base implementation from ever being initialized.
Alleviation (a95db4124c4689f421fc3fd505ffb91173355034):
The Moby team evaluated this exhibit, and opted not to apply the alleviation described.
After discussions with the Moby team, we consider this and its relevant sister exhibits as acknowledged based on the fact that the Moby team will manually invoke the initializer of each implementation contract when needed.