HickupHH3
commented
2 years ago In BathToken.initialize, the DOMAIN_SEPARATOR assignment takes as input the name before it is initialized. This means The only thing making each BathToken domain separator different (for the same chain) is the address of the contract.
This is probably fine as each address will be different, but:
Can lead to confusing UX as wallets will need to show an empty name in the wallet's message field for the user to sign. Relying only on the address can make other attack vectors easier to execute (phishing, reinit if the contract is ever used with CREATE2, replaying txes for different tokens, etc.). Recommendation: Assign name before DOMAIN_SEPARATOR.
Judge has assessed an item in Issue #304 as Medium risk. The relevant finding follows: