Omniscia Moby Audit

VaultPriceFeed Static Analysis Findings

VPF-01S: Illegible Numeric Value Representation

Description:

The linked numeric literal is written in a form that does not convey its purpose, which decreases the legibility of the codebase.

Example:

contracts/VaultPriceFeed.sol
uint256 public constant BASIS_POINTS_DIVISOR = 10000;

Recommendation:

To properly illustrate a value's purpose, we advise the following guidelines to be followed. For values meant to depict fractions with a base of 1e18, we advise the fraction to be written directly (i.e. 1e17 becomes 0.1e18), as the compiler supports this form. For values meant to represent a percentage base, we advise each value to utilize the underscore (_) separator to discern the percentage decimal (i.e. 10000 becomes 100_00, 300 becomes 3_00 and so on). Finally, for large numeric values we advise the underscore character to be utilized again as a thousands separator (i.e. 1000000 becomes 1_000_000).

Alleviation (a8720219a6a97e10b8d9c6a70c6345747f0fdcb3):

The referenced value literal has been updated in its representation to 100_00 in accordance with the recommendation's underscore style, addressing this exhibit.

VPF-02S: Inexistent Event Emissions

Description:

The linked functions adjust sensitive contract variables yet do not emit an event for the change.

Example:

contracts/VaultPriceFeed.sol
function setFastPriceFeed(address _fastPriceFeed) external onlyAdmin {
    fastPriceFeed = _fastPriceFeed;
}

Recommendation:

We advise an event to be declared and correspondingly emitted for each function so that off-chain processes can properly react to the system adjustment.

Alleviation (a8720219a6a97e10b8d9c6a70c6345747f0fdcb3):

The SetFastPriceFeed, SetSettlePriceFeed, SetPositionValueFeed, SetSecondarySpotPriceFeed, SetChainlinkFlags, SetIsSpotPriceEnabled, SetPriceSampleSpace, SetMaxStrictPriceDeviation, SetTokenConfig, and SetSpreadBasisPoints events were introduced to the codebase and are correspondingly emitted in the VaultPriceFeed::setFastPriceFeed, VaultPriceFeed::setSettlePriceFeed, VaultPriceFeed::setPositionValueFeed, VaultPriceFeed::setSecondarySpotPriceFeed, VaultPriceFeed::setChainlinkFlags, VaultPriceFeed::setIsSpotPriceEnabled, VaultPriceFeed::setPriceSampleSpace, VaultPriceFeed::setMaxStrictPriceDeviation, VaultPriceFeed::setTokenConfig, and VaultPriceFeed::setSpreadBasisPoints functions respectively, addressing this exhibit in full.

VPF-03S: Inexistent Sanitization of Input Addresses

Description:

The linked function(s) accept address arguments yet do not properly sanitize them.

Impact:

The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised because zero-value inputs are a common side-effect of bugs in off-chain software.

Example:

contracts/VaultPriceFeed.sol
function setChainlinkFlags(address _chainlinkFlags) external onlyAdmin {
    chainlinkFlags = _chainlinkFlags;
}

Recommendation:

We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.

Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):

All input argument(s) of the VaultPriceFeed::setPriceFeeds, VaultPriceFeed::setFastPriceFeed, VaultPriceFeed::setSettlePriceFeed, VaultPriceFeed::setPositionValueFeed, VaultPriceFeed::setSecondarySpotPriceFeed, and VaultPriceFeed::setChainlinkFlags functions are adequately sanitized as non-zero in the latest in-scope revision of the codebase, addressing this exhibit.
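The following contract is an added illustration, not code from the Moby codebase or from the audit itself, showing how the three recommendations above (VPF-01S, VPF-02S and VPF-03S) look when applied together to setters of the kind shown in the exhibits. The `admin` storage variable, the constructor, the `setPriceFeeds` signature with parallel token and feed arrays, the inclusion of the previous value in each event and the revert strings are assumptions made for the example; only the function names and the `onlyAdmin` modifier come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not Moby's VaultPriceFeed): a minimal price-feed
/// configuration contract that applies VPF-01S, VPF-02S and VPF-03S.
/// `admin`, the constructor, the setPriceFeeds signature and the error
/// strings are assumptions; the setter names come from the report.
contract HardenedPriceFeedConfig {
    // VPF-01S: the percentage base written with the underscore separator
    // so the decimal split (100.00%) is visible at a glance.
    uint256 public constant BASIS_POINTS_DIVISOR = 100_00;

    address public admin;
    address public fastPriceFeed;
    address public chainlinkFlags;
    mapping(address => address) public priceFeeds;

    // VPF-02S: one event per sensitive setter so indexers and monitors can
    // react to configuration changes; the previous value is included so the
    // change is auditable from the log alone (an assumed design choice).
    event SetFastPriceFeed(address indexed previous, address indexed current);
    event SetChainlinkFlags(address indexed previous, address indexed current);
    event SetPriceFeed(address indexed token, address indexed previous, address indexed current);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address _admin) {
        // VPF-03S: a zero admin here would make every onlyAdmin function
        // unreachable, i.e. the contract would be permanently inoperable.
        require(_admin != address(0), "admin is zero");
        admin = _admin;
    }

    // Before (as in the exhibits): no event, no sanitization.
    // function setFastPriceFeed(address _fastPriceFeed) external onlyAdmin {
    //     fastPriceFeed = _fastPriceFeed;
    // }

    // After: reject the zero address, then emit old and new values.
    function setFastPriceFeed(address _fastPriceFeed) external onlyAdmin {
        require(_fastPriceFeed != address(0), "fast price feed is zero");
        emit SetFastPriceFeed(fastPriceFeed, _fastPriceFeed);
        fastPriceFeed = _fastPriceFeed;
    }

    function setChainlinkFlags(address _chainlinkFlags) external onlyAdmin {
        require(_chainlinkFlags != address(0), "chainlink flags is zero");
        emit SetChainlinkFlags(chainlinkFlags, _chainlinkFlags);
        chainlinkFlags = _chainlinkFlags;
    }

    // Batch setter: both arrays must have the same length so a short feed
    // array cannot silently leave tokens unconfigured, and every element of
    // both arrays is checked against the zero address before it is stored.
    function setPriceFeeds(address[] calldata _tokens, address[] calldata _feeds) external onlyAdmin {
        require(_tokens.length == _feeds.length, "length mismatch");
        for (uint256 i = 0; i < _tokens.length; i++) {
            require(_tokens[i] != address(0) && _feeds[i] != address(0), "zero address");
            emit SetPriceFeed(_tokens[i], priceFeeds[_tokens[i]], _feeds[i]);
            priceFeeds[_tokens[i]] = _feeds[i];
        }
    }
}
```

Two points worth keeping in mind when applying this pattern to a real feed contract: the zero-address check is performed before the event is emitted and the state is written, so a rejected call leaves no log entry behind, and if a feed is ever meant to be disabled by clearing it, a dedicated disable function that emits its own event is preferable to accepting address(0) in the setter, since that keeps the sanitization uniform across all address inputs.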