code423n4 commented 2 years ago

Lows and Non-criticals

The ITransactionManager intraface's solidity version is pragma solidity 0.8.7;, and the rest of the contracts are pragma solidity ^0.8.7; - this should be consistent.

Missing space in error message in the initializeDiamondCut function of LibDiamond library:

require(_calldata.length == 0, "LibDiamondCut: _init is address(0) but_calldata is not empty");// should be "... but _calldata ..."

Pragmas should be locked to a specific compiler version (instead of ^0.8.7 for example), to avoid contracts getting deployed using a different version, which may have a greater risk of undiscovered bugs.
Unsafe transferOwnership - it will be more safe to use a pattern for transferring the ownership, for example making the new pending owner to accept the ownership. That will make sure that the new owner is an actual existing address and not a self-distructed address or a non-existing address.
Check that the array's lengths given to the initHop function as parameters are equal (can cause errors)
The fallback function of the LiFiDiamond is re-enterable, so it will be a good thing to add a reentrency guard to it (one reentrency guard will lock all the functions of the facets).
In the CBridgeFacet contract you make sure that msg.value >= _cBridgeData.amount, "ERR_INVALID_AMOUNT", but in the other facets you make sure that they are equal. This difference might not be wanted, and you should pay attention to it.

In the comment before the _bridge function it says that the function is public, but it is clearly declared as internal.

/*
* @dev Public view function for the CBridge router address
* @returns the router address
*/
function _bridge() internal view returns (address) {
    Storage storage s = getStorage();
    return s.cBridge;
}