Gearbox-protocol / core-v3

feat: more sanity checks in constructors #276

Closed lekhovitsky closed 1 month ago

lekhovitsky commented 1 month ago

Fixes https://github.com/spearbit-audits/review-gearbox/issues/24 (partially)

StErMi commented 1 month ago

@lekhovitsky some of the recommendations have been fixed by the PR, but there are still some missing points. Would you mind providing, for each missing point, an official acknowledgement statement?

1) TumblerV3.sol#L52: the pool_ address could be validated to be an authorized pool by using the _ensureRegisteredPool function in ContractsRegisterTrait.
2) GaugeV3.sol#L62: the pool_ address could be validated to be an authorized pool by using the _ensureRegisteredPool function in ContractsRegisterTrait.
3) PoolQuotaKeeperV3.sol#L83: the _pool address could be validated to be an authorized pool by using the _ensureRegisteredPool function in ContractsRegisterTrait.
4) PoolV3.sol#L132: consider reverting if underlyingToken is not a deployed contract (underlyingToken.code.length == 0) to prevent unexpected behavior when interacting with such a token.
5) PoolV3.sol#L124: a check whether the pool is registered in contractsRegister_ could be added. The question is whether we first deploy the pool and then register it, or register first and then deploy.
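
The two kinds of constructor check listed above (registry membership for a pool address, deployed code for a token address), sketched as an added example that is not part of the PR, the audit, or the Gearbox code base. `IExampleRegistry`, `isPool`, `ExamplePoolPeriphery` and the error names are hypothetical stand-ins; the project's own helper for the registry check is the `_ensureRegisteredPool` function named in the comment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical registry interface for this example (assumption, not Gearbox's interface).
interface IExampleRegistry {
    function isPool(address pool) external view returns (bool);
}

error ZeroAddress();
error NotAContract(address target);
error PoolNotRegistered(address pool);

/// Example contract in the role of a gauge or quota keeper: it is deployed
/// after its pool, so the pool can already be looked up in the registry.
contract ExamplePoolPeriphery {
    address public immutable pool;
    address public immutable underlyingToken;

    constructor(IExampleRegistry registry, address pool_, address underlyingToken_) {
        if (address(registry) == address(0) || pool_ == address(0) || underlyingToken_ == address(0)) {
            revert ZeroAddress();
        }

        // Reject addresses with no deployed code (an EOA or a contract that is
        // not deployed yet). The registry gets the same check before it is called.
        if (address(registry).code.length == 0) revert NotAContract(address(registry));
        if (underlyingToken_.code.length == 0) revert NotAContract(underlyingToken_);

        // Registry membership check. It only passes if the pool was registered
        // before this constructor runs, which is the ordering question raised
        // in point 5 when the contract being constructed is the pool itself.
        if (!registry.isPool(pool_)) revert PoolNotRegistered(pool_);

        pool = pool_;
        underlyingToken = underlyingToken_;
    }
}
```

Both checks run once at deployment, so a misconfigured address makes the deployment transaction revert instead of leaving an immutable pointing at the wrong target.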

lekhovitsky commented 1 month ago

@StErMi https://github.com/spearbit-audits/review-gearbox/issues/24#issuecomment-2298216011