Omniscia Symbiosis Finance Audit

Wrapper Manual Review Findings

WRA-01M: Deprecated Native Asset Transfer

Description:

The transfer member exposed by payable address types has been deprecated: it forwards a fixed gas stipend that is not compatible with gas-cost EIP upgrades such as EIP-2929, so it does not reliably execute and can fail in future updates of the EVM.

Example:

contracts/synth-contracts/utils/Wrapper.sol
function withdraw(uint256 amount) external {
    address payable payer = payable(_msgSender());
    require(balanceOf(payer) >= amount);
    _burn(payer, amount);
    payer.transfer(amount);
    emit Withdrawal(payer, amount);
}

Recommendation:

We advise a safe wrapper library to be utilized instead, such as the sendValue function of the Address library by OpenZeppelin, which is guaranteed to execute under all circumstances.

Alleviation:

The Symbiosis Finance team responded by stating this is meant to be used as a test contract and as such they will not carry out any remediations for it.

WRA-02M: Improper receive Function

Type | Severity | Location
Logical Fault | | Wrapper.sol:L19

Description:

The Wrapper contract is able to receive native assets through its receive function; however, no function in the contract makes use of funds received this way.

Example:

contracts/synth-contracts/utils/Wrapper.sol
receive() external payable {}

Recommendation:

We advise the function to be omitted from the contract to avoid locked native assets.

Alleviation:

The Symbiosis Finance team responded by stating this is meant to be used as a test contract and as such they will not carry out any remediations for it.

WRA-03M: Inexistent Validation of Amounts

Description:

The deposit and withdraw functions of the contract do not validate that non-zero amounts are being deposited and withdrawn respectively.

Example:

contracts/synth-contracts/utils/Wrapper.sol
function deposit() external payable {
    _mint(_msgSender(), msg.value);
    emit Deposit(_msgSender(), msg.value);
}

function withdraw(uint256 amount) external {
    address payable payer = payable(_msgSender());
    require(balanceOf(payer) >= amount);
    _burn(payer, amount);
    payer.transfer(amount);
    emit Withdrawal(payer, amount);
}

Recommendation:

We advise such sanitization to be imposed to prevent misleading events from being emitted.

Alleviation:

The Symbiosis Finance team responded by stating this is meant to be used as a test contract and as such they will not carry out any remediations for it.
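
The recommendations of WRA-01M, WRA-02M and WRA-03M applied together to a minimal wrapper, as an added example that is not the audited contract or Symbiosis Finance's code. The contract name, token name and symbol, the OpenZeppelin ERC20 base and the event signatures are assumptions; only the function bodies shown in the findings come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/utils/Address.sol";

// Added illustration, not the audited contract. Assumed: the contract name,
// the token name/symbol, inheritance from OpenZeppelin's ERC20 and the
// event signatures (only their emit sites appear in the report).
contract HardenedWrapper is ERC20 {
    using Address for address payable;

    event Deposit(address indexed account, uint256 amount);
    event Withdrawal(address indexed account, uint256 amount);

    constructor() ERC20("Wrapped Native (example)", "WNAT") {}

    // WRA-02M: no receive() is declared, so a plain native transfer with
    // empty calldata reverts instead of leaving funds that back no tokens.

    function deposit() external payable {
        // WRA-03M: reject zero-value deposits so no empty Deposit event is emitted.
        require(msg.value != 0, "Wrapper: zero deposit");
        _mint(_msgSender(), msg.value);
        emit Deposit(_msgSender(), msg.value);
    }

    function withdraw(uint256 amount) external {
        // WRA-03M: reject zero-value withdrawals.
        require(amount != 0, "Wrapper: zero withdrawal");
        address payable payer = payable(_msgSender());
        require(balanceOf(payer) >= amount, "Wrapper: insufficient balance");
        // Effects first: sendValue forwards all remaining gas, so the
        // recipient can re-enter; the balance is already burned by then.
        _burn(payer, amount);
        emit Withdrawal(payer, amount);
        // WRA-01M: low-level call that reverts on failure, replacing the
        // fixed 2300-gas stipend of transfer().
        payer.sendValue(amount);
    }
}
```

Because sendValue hands the recipient all remaining gas, the burn and the event are placed before the external call so that a re-entrant withdraw sees the reduced balance.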