Omniscia Steadefi Audit
TraderJoeYieldFarmManager Static Analysis Findings
TJM-01S: Inexistent Event Emission
Type | Severity | Location |
---|---|---|
Language Specific | | TraderJoeYieldFarmManager.sol:L491-L493 |
Description:
The linked function adjusts a sensitive contract variable yet does not emit an event for it.
Example:
```solidity
// TraderJoeYieldFarmManager.sol, L491-L493
function updateRouter(IJoeRouter02 _router) external onlyOwner {
    router = _router;
}
```
Recommendation:
We advise an `event` to be declared and correspondingly emitted to ensure off-chain processes can properly react to this system adjustment.
Alleviation (4325253d6de0ea91c1e9fb9e01d2e7e98f3d83a9):
An `UpdateRouter` event has been introduced to the codebase and is correspondingly emitted after the referenced assignment, properly informing off-chain observers of the configurational change.
TJM-02S: Inexistent Sanitization of Input Addresses
Type | Severity | Location |
---|---|---|
Input Sanitization | | TraderJoeYieldFarmManager.sol:L55-L64, L491-L493 |
Description:
The linked function(s) accept `address` arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in `constructor` implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
```solidity
// TraderJoeYieldFarmManager.sol, L55-L80
constructor(
    ITraderJoeYieldFarmVault _vault,
    address _rewardToken,
    ILendingPool _tokenALendingPool,
    ILendingPool _tokenBLendingPool,
    IJoeRouter02 _router,
    IMasterChefJoeV3 _stakePool,
    uint256 _stakePoolId,
    IJoeOracle _joeOracle
) {
    // Address arguments are stored as supplied, with no zero-address checks
    vault = _vault;
    rewardToken = _rewardToken;
    tokenALendingPool = _tokenALendingPool;
    tokenBLendingPool = _tokenBLendingPool;
    router = _router;
    stakePool = _stakePool;
    stakePoolId = _stakePoolId;
    joeOracle = _joeOracle;

    // Unlimited approvals granted to the configured router, stake pool and lending pools
    IERC20(tokenA()).approve(address(router), type(uint256).max);
    IERC20(tokenB()).approve(address(router), type(uint256).max);
    IJoePair(lpToken()).approve(address(router), type(uint256).max);
    IERC20(lpToken()).approve(address(stakePool), type(uint256).max);
    IERC20(rewardToken).approve(address(router), type(uint256).max);
    IERC20(tokenA()).approve(address(tokenALendingPool), type(uint256).max);
    IERC20(tokenB()).approve(address(tokenBLendingPool), type(uint256).max);
}
```
Recommendation:
We advise some basic sanitization to be put in place by ensuring that each `address` specified is non-zero.
Alleviation (4325253d6de0ea91c1e9fb9e01d2e7e98f3d83a9):
All input `address` arguments referenced are adequately sanitized by each function's body by a corresponding `require` check, preventing the contract's misconfiguration.
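The pattern both alleviations (TJM-01S and TJM-02S) describe, shown on the router setter as an added example; this is not Steadefi's committed code. The contract name `RouterConfigExample`, the stub interface, the `owner` handling, the event parameters, the revert strings and the compiler version are assumptions, since the page only names the `UpdateRouter` event and the use of `require` checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed compiler version

// Empty stand-in so the example compiles on its own (assumption, not the real interface)
interface IJoeRouter02 {}

contract RouterConfigExample {
    address public owner;
    IJoeRouter02 public router;

    // Event parameters are an assumption; indexing both addresses lets
    // off-chain monitors filter on either the old or the new router.
    event UpdateRouter(address indexed previousRouter, address indexed newRouter);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(IJoeRouter02 _router) {
        // TJM-02S: reject a zero address at deployment, where a bad value
        // would otherwise leave the contract misconfigured from the start
        require(address(_router) != address(0), "Invalid address");
        owner = msg.sender;
        router = _router;
    }

    function updateRouter(IJoeRouter02 _router) external onlyOwner {
        // TJM-02S: same check on the privileged setter
        require(address(_router) != address(0), "Invalid address");

        address previousRouter = address(router);
        router = _router;

        // TJM-01S: emitted after the assignment so observers see the final state
        emit UpdateRouter(previousRouter, address(_router));
    }
}
```

An off-chain monitor can subscribe to `UpdateRouter` on the deployed address and alert on any emission, since a router change redirects where the contract's swaps are sent.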