Omniscia Steadefi Audit
TraderJoeYieldFarmVault Static Analysis Findings
TraderJoeYieldFarmVault Static Analysis Findings
TJY-01S: Inexistent Event Emissions
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | TraderJoeYieldFarmVault.sol:L390-L392, L398-L400, L406-L408, L414-L416, L422-L424, L431-L433, L439-L441 |
Description:
The linked functions adjust sensitive contract variables yet do not emit an event for it.
Example:
390function updateVaultConfig(VaultConfig memory _vaultConfig) external onlyOwner {391 vaultConfig = _vaultConfig;392}Recommendation:
We advise an event to be declared and correspondingly emitted for each function to ensure off-chain processes can properly react to this system adjustment.
Alleviation (4325253d6de0ea91c1e9fb9e01d2e7e98f3d83a9):
All referenced assignment statements are now accompanied by an event that properly signals their adjustment to off-chain observers, alleviating this exhibit.
TJY-02S: Literal Equality of bool Variable
| Type | Severity | Location |
|---|---|---|
| Gas Optimization | | TraderJoeYieldFarmVault.sol:L81 |
Description:
The linked bool comparison is performed between a variable and a bool literal.
Example:
81require(keepers[msg.sender] == true, "Keeper not approved");Recommendation:
We advise the bool variable to be utilized directly either in its negated (!) or original form.
Alleviation (4325253d6de0ea91c1e9fb9e01d2e7e98f3d83a9):
The value of keepers[msg.sender] is directly utilized in the referenced statement over a boolean comparison as advised.
TJY-03S: Inexistent Sanitization of Input Addresses
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | TraderJoeYieldFarmVault.sol:L96-L108, L414-L416, L422-L424, L431-L433 |
Description:
The linked function(s) accept address arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
96constructor (97 string memory _name,98 string memory _symbol,99 VaultStrategy _strategy,100 IERC20 _tokenA,101 IERC20 _tokenB,102 IChainLinkOracle _priceOracle,103 VaultConfig memory _vaultConfig,104 uint256 _capacityValue,105 uint256 _mgmtFeePerSecond,106 uint256 _perfFee,107 address _treasury108) ERC20(_name, _symbol) {109 strategy = _strategy;110 tokenA = _tokenA;111 tokenB = _tokenB;112 priceOracle = _priceOracle;113 vaultConfig = _vaultConfig;114 capacityValue = _capacityValue;115 mgmtFeePerSecond = _mgmtFeePerSecond;116 perfFee = _perfFee;117 treasury = _treasury;118 lastFeeCollected = block.timestamp;119}Recommendation:
We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.
Alleviation (4325253d6de0ea91c1e9fb9e01d2e7e98f3d83a9):
All input address arguments referenced are adequately sanitized by each function's body by a corresponding require check, preventing the contract's misconfiguration.
TJY-04S: Potential Lock of Native Assets
| Type | Severity | Location |
|---|---|---|
| Language Specific | | TraderJoeYieldFarmVault.sol:L504 |
Description:
The linked receive / fallback function performs no sanitization as to its caller and no function within the contract expects funds to have been received directly by the contract.
Impact:
Any native funds accidentally sent to the contract may be forever locked.
Example:
504receive() external payable {}Recommendation:
We advise the code to properly prohibit accidental native assets from being permanently locked in the contract by introducing a require check restricting the msg.sender to the contract(s) expected to transfer assets to the system (i.e. in case of a wrapped native version of an asset, only the WXXX contract address should be allowed). Alternatively, if the contract is not expected to receive native assets directly the function should be removed in its entirety.
Alleviation (4325253d6de0ea91c1e9fb9e01d2e7e98f3d83a9):
The receive function was updated to only accept native funds when the vault configuration's isNativeAsset has been set to true, ensuring that funds cannot be locked within it when the configuration's token is an EIP-20 asset. As a result, we consider this exhibit adequately alleviated.