Omniscia Optimex Audit
AccountPositionManager Static Analysis Findings
AccountPositionManager Static Analysis Findings
APM-01S: Inexistent Sanitization of Input Address
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | AccountPositionManager.sol:L102-L111 |
Description:
The linked function accepts an address argument yet does not properly sanitize it.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
102function initialize(103 address initOwner,104 string calldata initPubkey105) external initializer {106 __EIP712_init("APM Signature Verifier", "Version 1");107
108 owner = initOwner;109 pubkey = initPubkey;110 management = IMorphoManagement(msg.sender);111}Recommendation:
We advise some basic sanitization to be put in place by ensuring that the address specified is non-zero.
Alleviation (c11bae0aacaeb7f4e4b53c864f96917ca574182f):
The Optimex team evaluated this exhibit and clarified that address validation occurs at the MorphoManagement::createAPM function, rendering this exhibit to be invalid.
APM-02S: Inexistent Visibility Specifier
| Type | Severity | Location |
|---|---|---|
| Code Style | | AccountPositionManager.sol:L36 |
Description:
The linked variable has no visibility specifier explicitly set.
Example:
36address transient _MORPHO;Recommendation:
We advise one to be set so to avoid potential compilation discrepancies in the future as the current behaviour is for the compiler to assign one automatically which may deviate between pragma versions.
Alleviation (c11bae0aacaeb7f4e4b53c864f96917ca574182f):
The internal visibility specifier has been introduced to the referenced variable, preventing potential compilation discrepancies and addressing this exhibit.