Lack of Zero Address Validation in functions
Severity: Low
Description
Although most of the functions throughout the codebase properly validate function inputs, there are some instances of functions that do not, such as several initialize() functions that do not check for the zero address. The checks are missing in:
- Collateral.sol: initialize() is missing zero address checks for _newBaseToken and _newTreasury.
- DepositHook.sol: constructor() has no zero address checks for _newAccessController and _newDepositRecord.
- PrePOMarketFactory.sol: createMarket() has no zero address checks for _governance and _newCollateral.
- SingleStrategyController.sol: setVault() has no zero address check for _newVault.
- WithdrawHook.sol: constructor() has no zero address check for _newDepositRecord.
Recommendation
Add zero address checks to avoid having to waste gas on a redeploy or bricking anything.
Initializations May Be Front-Run
Severity: Low
Description
Contracts that use an initialize pattern instead of a constructor may be susceptible to front-running if they are not deployed properly. Many contracts use the initialize pattern at deployment to set key contract variables. If a factory pattern is not used to deploy and initialize such contracts atomically, or if the deployment scripts are not robust enough to prevent front-running of the initialization, this may lead to security concerns. While most of the contracts use OpenZeppelin's Initializable to enforce single initialization, a few of them reimplement this functionality instead of using the OpenZeppelin library.
Contracts that use initialize: Collateral.sol
Recommendation
Use a factory pattern that deploys and initializes atomically to prevent front-running of the initialization, or ensure the deployment scripts are robust in case of a front-running attack.
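The two recommendations above, shown together in an added example that is not code from the audited project: a hypothetical ExampleCollateral whose initialize() rejects zero addresses, and a hypothetical ExampleCollateralFactory that clones and initializes it in a single transaction. It assumes OpenZeppelin's Initializable and Clones libraries are installed; the contract names, event and revert strings are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

// Hypothetical stand-in for a contract such as Collateral.sol (not the project's code).
contract ExampleCollateral is Initializable {
    address public baseToken;
    address public treasury;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation itself so it can never be initialized directly.
        _disableInitializers();
    }

    // OpenZeppelin's initializer modifier enforces single initialization,
    // instead of a hand-rolled "initialized" flag.
    function initialize(address _newBaseToken, address _newTreasury) external initializer {
        // Zero address checks: a bad value here would otherwise force a redeploy.
        require(_newBaseToken != address(0), "baseToken is zero address");
        require(_newTreasury != address(0), "treasury is zero address");
        baseToken = _newBaseToken;
        treasury = _newTreasury;
    }
}

// Hypothetical factory: deployment and initialization happen atomically.
contract ExampleCollateralFactory {
    address public immutable implementation;

    event CollateralCreated(address indexed instance);

    constructor() {
        implementation = address(new ExampleCollateral());
    }

    // The clone is created and initialized in the same transaction, so an
    // uninitialized instance is never observable between two transactions.
    // If initialize() reverts (e.g. on a zero address), the clone is rolled back too.
    function create(address _newBaseToken, address _newTreasury) external returns (address instance) {
        instance = Clones.clone(implementation);
        ExampleCollateral(instance).initialize(_newBaseToken, _newTreasury);
        emit CollateralCreated(instance);
    }
}
```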