Pool Static Analysis Findings

POO-01S: Potentially Misconfigured Upgrade

Description:

The upgrade function does not sanitize its input arguments, permitting the _oracles value to be the same as the current one thus permitting validators to change an arbitrary number of times.

Example:

Copy
58/**
59 * @dev See {IPool-upgrade}.
60 */
61function upgrade(address _poolValidators, address _oracles) external override onlyAdmin whenPaused {
62    require(address(oracles) == 0x2f1C5E86B13a74f5A6E7B4b35DD77fe29Aa47514, "Pool: already upgraded");
63
64    // set contract addresses
65    validators = IPoolValidators(_poolValidators);
66    oracles = _oracles;
67}

Recommendation:

We advise input sanitization to be performed on the arguments, firstly to ensure they are non-zero and secondly to ensure that _oracles points to a different address than the current oracles implementation.

Alleviation:

The exhibit was partially alleviated by introducing the non-zero require check for the linked _oracles argument as well as the _poolValidators one. As such, we consider this exhibit dealt with.

POO-02S: Variable Data Location Optimization

Description:

The linked variables are memory arguments in external visibility functions.

Example:

Copy
228function initializeValidator(IPoolValidators.DepositData memory depositData) external override whenNotPaused {

Recommendation:

We advise them to be set to calldata optimizing the gas cost of the codebase.

Alleviation:

The data location specifiers for both instances were properly set to calldata.