Omniscia Vector Finance Audit
ComputeAPR Manual Review Findings
CAP-01M: Inexplicable Condition Effect
Type | Severity | Location |
---|---|---|
Logical Fault | Minor | ComputeAPR.sol:L60, L92 |
Description:
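The linked comment states that an execution flow of `sizeOfPool == 0` is acceptable; however, it would always yield `0` for the `APR` value, because `valueOfPool` is a product that includes `sizeOfPool` and the `valueOfPool > 0` branch is therefore never taken.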
Example:
contracts/ComputeAPR.sol
```solidity
57 uint256 precision = 4;
58 uint256 ratioAvaxUSD = getRatio(wavax, usd, precision);
59 uint256 ratioRewardAvax = getRatio(rewardToken, wavax, precision);
60 // If sizeOfPool == 0 then we are dealing with a stablecoin
61 // Else we need to compute the value of the staked token
62 uint256 ratiotokenAvax = getRatio(token, wavax, precision);
63 valueOfPool = ratiotokenAvax * ratioAvaxUSD * sizeOfPool;
64 uint256 valueOfHarvest = ratioAvaxUSD *
65     ratioRewardAvax *
66     amountReward;
67 uint256 APR = (valueOfPool > 0)
68     ? (valueOfHarvest / valueOfPool)
69     : 0;
70 return (APR, precision * 2);
```
Recommendation:
We advise this to be re-evaluated as it either should not be a valid execution scenario or should be handled differently.
Alleviation:
The code was significantly refactored, thereby rendering this exhibit null.
CAP-02M: Inexplicable Re-Invocation Capability
Type | Severity | Location |
---|---|---|
Logical Fault | Minor | ComputeAPR.sol:L14-L17 |
Description:
The linked function should be invoked only once as it acts as a setter function for sensitive contract variables.
Example:
contracts/ComputeAPR.sol
```solidity
14 function setAvaxUSD(address _wavax, address _usd) external onlyOwner {
15     wavax = _wavax;
16     usd = _usd;
17 }
```
Recommendation:
We advise this to be enforced by ensuring that `wavax` is equal to the zero-address on invocation.
Alleviation:
The function no longer exists in the codebase and the values are instead initialized at the constructor, rendering this exhibit dealt with.
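The two remediations discussed for CAP-02M, as an added example that is not code from the audited project or from the report: a set-once guard on the setter, and constructor-only initialization. The contract names, the inline `onlyOwner` modifier, the zero-address input checks and the use of `immutable` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; contract names are hypothetical, not from the audited codebase.

// Variant 1: keep the setter, but allow it to succeed only once.
contract ComputeAPRSetOnce {
    address public owner;
    address public wavax;
    address public usd;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setAvaxUSD(address _wavax, address _usd) external onlyOwner {
        // Guard from the recommendation: wavax must still be unset.
        require(wavax == address(0), "already set");
        // Assumption beyond the report: reject zero inputs, otherwise a call
        // with _wavax == address(0) leaves the guard open for a later call.
        require(_wavax != address(0) && _usd != address(0), "zero address");
        wavax = _wavax;
        usd = _usd;
    }
}

// Variant 2: no setter at all; values are fixed in the constructor.
contract ComputeAPRImmutable {
    address public immutable wavax;
    address public immutable usd;

    constructor(address _wavax, address _usd) {
        require(_wavax != address(0) && _usd != address(0), "zero address");
        wavax = _wavax;
        usd = _usd;
    }
}
```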