Omniscia Tren Finance Audit
WstEth2UsdPriceAggregator Static Analysis Findings
WEU-01S: Inexistent Sanitization of Input Addresses
| Type | Severity | Location |
|---|---|---|
| Input Sanitization | | WstEth2UsdPriceAggregator.sol:L35-L38 |
Description:
The linked function(s) accept address arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
```solidity
constructor(address _wstETHAddress, address _stETH2USDAggregatorAddress) {
    wstETH = IWstETH(_wstETHAddress);
    stETH2USDAggregator = AggregatorV3Interface(_stETH2USDAggregatorAddress);
}
```
Recommendation:
We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.
Alleviation (f6f1ad0b8f24a96ade345db1dd05a1878eb0f761):
All input arguments of the WstEth2UsdPriceAggregator::constructor function are adequately sanitized as non-zero in the latest in-scope revision of the codebase, addressing this exhibit.
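The following contract is an added illustration by the editor of this page, not Tren Finance's code and not the fix applied in the alleviation commit. It shows the constructor from the exhibit with the recommended non-zero checks and goes one step beyond the recommendation: each dependency is probed with a view call at deployment, so that an address that is non-zero but still wrong (an externally owned account, or a contract of the wrong type) also reverts instead of leaving the contract inoperable. The custom error, the contract name, the `Example` suffix and the Chainlink import path are assumptions; the price-aggregation logic is deliberately omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed import path for the Chainlink interface; adjust to the project's dependency layout.
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

interface IWstETH {
    function stEthPerToken() external view returns (uint256);
}

/// @dev Illustrative only (editor's example). Demonstrates constructor input
///      sanitization for WEU-01S; price logic is intentionally left out.
contract WstEth2UsdPriceAggregatorExample {
    /// @dev Assumed custom error; cheaper than a revert string and names the bad parameter.
    error ZeroAddress(string parameter);
    error DependencyUnresponsive(string parameter);

    IWstETH public immutable wstETH;
    AggregatorV3Interface public immutable stETH2USDAggregator;

    constructor(address _wstETHAddress, address _stETH2USDAggregatorAddress) {
        // Recommended check: reject the zero address for every address argument.
        if (_wstETHAddress == address(0)) revert ZeroAddress("_wstETHAddress");
        if (_stETH2USDAggregatorAddress == address(0)) revert ZeroAddress("_stETH2USDAggregatorAddress");

        wstETH = IWstETH(_wstETHAddress);
        stETH2USDAggregator = AggregatorV3Interface(_stETH2USDAggregatorAddress);

        // Extra sanity check beyond the exhibit: call a view on each dependency.
        // A call to an address with no code reverts when return data is decoded,
        // and a wrong contract will typically revert or return 0 here, so a
        // mis-pasted deployment parameter fails at deploy time rather than later.
        if (IWstETH(_wstETHAddress).stEthPerToken() == 0) {
            revert DependencyUnresponsive("_wstETHAddress");
        }
        if (AggregatorV3Interface(_stETH2USDAggregatorAddress).decimals() == 0) {
            revert DependencyUnresponsive("_stETH2USDAggregatorAddress");
        }
    }
}
```

The two view probes cost a few thousand gas once, at deployment, and turn the "permanently inoperable contract" outcome described under Impact into a failed deployment transaction, which is the cheapest point at which to catch an off-chain configuration bug.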
WEU-02S: Multiple Top-Level Declarations
| Type | Severity | Location |
|---|---|---|
| Code Style | | WstEth2UsdPriceAggregator.sol:L10, L26 |
Description:
The referenced file contains multiple top-level declarations that decrease the legibility of the codebase.
Example:
```solidity
interface IWstETH {
    function stEthPerToken() external view returns (uint256);
}

/**
 * @notice Returns the USD price for 1 wstETH.
 *
 * @dev Queries the wstETH token for its stETH value/rate; then queries the stETH:USD oracle for the
 * price, and multiplies the results.
 * There is a known (minor) issue with the getRoundData() function, where the historical
 * value for a previous round (price) can be queried from the feed, but the current st/wstEth
 * rate is used (instead of the historical pair);
 * we do not see that as a problem as this contract's return values are
 * supposed to be used in short-time context checks (and not for long-term
 * single-source-of-truth queries)
 */
contract WstEth2UsdPriceAggregator is AggregatorV3Interface {
```
Recommendation:
We advise all highlighted top-level declarations to be split into their respective code files, avoiding unnecessary imports as well as increasing the legibility of the codebase.
Alleviation (f6f1ad0b8f24a96ade345db1dd05a1878eb0f761):
The Tren Finance team evaluated this exhibit but opted to acknowledge it in the current iteration of the codebase.