Open code423n4 opened 2 years ago
Unbounded loop on array can lead to DoS
I aknowledged else where.
Most of the other set protocol related issues are out of scope and the issue The pragmas used are not the same everywhere
is not applicable since the fCashWrapper and the NotionalTradeModule are separately deployed modules from totally separate codebases.
Unsafe casting may overflow
SafeMath and Solidity 0.8.* handles overflows for basic math operations but not for casting. Consider using OpenZeppelin's SafeCast library to prevent unexpected overflows when casting from uint256 here:
Notice that a solution has been coded here:
A similar solution would be enough.
Missing address(0) checks
In the constructors, the solution never checks for
address(0)
when setting the value of immutable variables. I suggest adding those checks.List of immutable variables:
Unbounded loop on array can lead to DoS
As these arrays can grow quite large (only
push
operations, nopop
), the transaction's gas cost could exceed the block gas limit and make it impossible to call the impacted functions at all.Consider introducing a reasonable upper limit based on block gas limits and adding a method to remove elements in the array.
Lack of event emission after critical
initialize()
functionsTo record the init parameters for off-chain monitoring and transparency reasons, please consider emitting an event after the
initialize()
functions:Add a timelock to critical functions
It is a good practice to give time for users to react and adjust to critical changes. A timelock provides more guarantees and reduces the level of trust required, thus decreasing risk for users. It also indicates that the project is legitimate (less risk of a malicious owner making a sandwich attack on a user).
Consider adding a timelock to:
Use a more recent version of solidity to get
string.concat()
(0.8.12
vs0.8.11
)Use a solidity version of at least 0.8.12 to get
string.concat()
to be used instead ofabi.encodePacked(<str>,<str>)
Several functions are declaring named returns but then are using return statements. I suggest choosing only one for readability reasons. Details below
While not consuming more gas with the Optimizer enabled: using both named returns and a return statement isn't necessary. Removing one of those can improve code clarity:
The pragmas used are not the same everywhere
Avoid floating pragmas: the version should be locked