Omniscia Powercity Audit
DefaultPool Static Analysis Findings
DefaultPool Static Analysis Findings
DPL-01S: Inexistent Visibility Specifier
Type | Severity | Location |
---|---|---|
Code Style | DefaultPool.sol:L40 |
Description:
The linked variable has no visibility specifier explicitly set.
Example:
40ACTIVEPOOL activePoolContract;
Recommendation:
We advise one to be set so to avoid potential compilation discrepancies in the future as the current behaviour is for the compiler to assign one automatically which may deviate between pragma
versions.
Alleviation (8bedd3b0df6387957e6b8f5d52507e776c1458b0):
The activePoolContract
member has been set as public
, ensuring that it contains an explicit visibility specifier and thus addressing this exhibit.
DPL-02S: Improper Invocation of EIP-20 transferFrom
Type | Severity | Location |
---|---|---|
Standard Conformity | DefaultPool.sol:L127 |
Description:
The linked statement does not properly validate the returned bool
of the EIP-20 standard transferFrom
function. As the standard dictates, callers must not assume that false
is never returned.
Impact:
If the code mandates that the returned bool
is true
, this will cause incompatibility with tokens such as USDT / Tether as no such bool
is returned to be evaluated causing the check to fail at all times. On the other hand, if the token utilized can return a false
value under certain conditions but the code does not validate it, the contract itself can be compromised as having received / sent funds that it never did.
Example:
127bool success = pulseXAddress.transferFrom(msg.sender, address(this), _amount);
Recommendation:
Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise a safe wrapper library to be utilized instead such as SafeERC20
by OpenZeppelin to opportunistically validate the returned bool
only if it exists.
Alleviation (8bedd3b0df6387957e6b8f5d52507e776c1458b0):
The Powercity team has stated that they intend to utilize the PulseX token solely and that it reverts on unsuccessful transfers, rendering an evaluation of the yielded bool
redundant.
As such, we consider this exhibit nullified based on the fact that a known failure-reverting EIP-20 asset will be utilized in the referenced invocations.