Omniscia Teahouse Finance Audit
TeaVaultV3Portfolio Static Analysis Findings
TeaVaultV3Portfolio Static Analysis Findings
TVV-01S: Illegible Numeric Value Representation
| Type | Severity | Location |
|---|---|---|
| Code Style |  | TeaVaultV3Portfolio.sol:L90 |
Description:
The linked representation of a numeric literal is sub-optimally represented decreasing the legibility of the codebase.
Example:
90PERCENTAGE_MULTIPLIER = 1000000;Recommendation:
To properly illustrate the value's purpose, we advise the following guidelines to be followed.
For values meant to depict fractions with a base of 1e18, we advise fractions to be utilized directly (i.e. 1e17 becomes 0.1e18) as they are supported.
For values meant to represent a percentage base, we advise each value to utilize the underscore (_) separator to discern the percentage decimal (i.e. 10000 becomes 100_00, 300 becomes 3_00 and so on).
Finally, for large numeric values we simply advise the underscore character to be utilized again to represent them (i.e. 1000000 becomes 1_000_000).
Alleviation (302b96f324):
The underscore separator has been introduced to the literal albeit in a different format than we advised (1_000_000). In detail, the PERCENTAGE_MULTIPLIER is meant to represent a percentage and as such should have its underscore configured accordingly (100_0000).
Alleviation (1dc136da87):
The value of PERCENTAGE_MULTIPLIER was properly updated to 100_0000, properly signifying its accuracy as a percentage and thereby fully addressing this exhibit.
TVV-02S: Inexistent Sanitization of Input Addresses
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | TeaVaultV3Portfolio.sol:L66-L116, L176-L180 |
Description:
The linked function(s) accept address arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
66function initialize(67 string calldata _name,68 string calldata _symbol,69 uint24 _feeCap,70 FeeConfig calldata _feeConfig,71 address _manager,72 ERC20Upgradeable _baseAsset,73 ERC20Upgradeable[] calldata _assets,74 AssetType[] calldata _assetTypes,75 IPool _aavePool,76 address _uniswapV3SwapRouter,77 UniswapV3PathRecommender _pathRecommender,78 IAssetOracle _assetOracle,79 IAssetOracle _aaveATokenOracle,80 IAssetOracle _teaVaultV3PairOracle,81 Swapper _swapper,82 address _owner83) public initializer {84 __UUPSUpgradeable_init();85 __Ownable_init();86 __ReentrancyGuard_init();87 __ERC20_init(_name, _symbol);88
89 SECONDS_IN_A_YEAR = 365 * 24 * 60 * 60;90 PERCENTAGE_MULTIPLIER = 1000000;91 FEE_CAP = _feeCap;92 DECIMALS = 18;93 _assignManager(_manager);94 _setFeeConfig(_feeConfig);95 aavePool = _aavePool;96 uniswapV3SwapRouter = _uniswapV3SwapRouter;97 pathRecommender = _pathRecommender;98
99 assetOracle = _assetOracle;100 aaveATokenOracle = _aaveATokenOracle;101 teaVaultV3PairOracle = _teaVaultV3PairOracle;102 swapper = _swapper;103
104 _addAsset(_baseAsset, AssetType.Base);105 for (uint256 i; i < _assets.length; i = i + 1) {106 _addAsset(_assets[i], _assetTypes[i]);107 }108 109 if (110 address(_baseAsset) != _assetOracle.getBaseAsset() ||111 address(_baseAsset) != _teaVaultV3PairOracle.getBaseAsset()112 ) revert IAssetOracle.BaseAssetMismatch();113
114 transferOwnership(_owner);115 emit TeaVaultV3PortCreated(address(this), _name, _symbol);116}Recommendation:
We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.
Alleviation (302b96f324a88038a0872015466cd43783c14543):
The exhibit has been partially alleviated as the second of the two referenced code blocks did not have input sanitization introduced.
The Teahouse Finance team stated that some blockchains may not have an Aave pool defined and as such they wish to not validate it which we consider correct behaviour. Based on the aforementioned, we consider this exhibit fully alleviated.