VerifierManager Static Analysis Findings

VMR-01S: Inexistent Event Emissions

Type	Severity	Location
Language Specific		VerifierManager.sol:L66-L68, L77-L79, L90

Description:

The linked functions adjust sensitive contract variables yet do not emit an event for it.

Example:

Copy
66function setDefaultVerifier(address defaultVerifier_) external onlyDatasetOwner {
67  defaultVerifier = defaultVerifier_;
68}

Recommendation:

We advise an event to be declared and correspondingly emitted for each function to ensure off-chain processes can properly react to this system adjustment.

Alleviation (fb50b5c39665f7df086b2de1fdbf93ba2d836bf9):

The VerifierManager::setDefaultVerifier, VerifierManager::setTagVerifier, and VerifierManager::setTagVerifiers events were introduced to the codebase and are correspondingly emitted in the VerifierManager::FragmentTagDefaultVerifierSet, and VerifierManager::FragmentTagVerifierSet functions respectively, addressing this exhibit in full.

VMR-02S: Inexistent Sanitization of Input Address

Type	Severity	Location
Input Sanitization		VerifierManager.sol:L66-L68

Description:

The linked function accepts an address argument yet does not properly sanitize it.

Impact:

The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.

Example:

Copy
66function setDefaultVerifier(address defaultVerifier_) external onlyDatasetOwner {
67  defaultVerifier = defaultVerifier_;
68}

Recommendation:

We advise some basic sanitization to be put in place by ensuring that the address specified is non-zero.

Alleviation (fb50b5c39665f7df086b2de1fdbf93ba2d836bf9):

The input defaultVerifier_ address argument of the VerifierManager::setDefaultVerifier function is adequately sanitized as non-zero in the latest in-scope revision of the codebase, addressing this exhibit.