[L-01] DIFFERENT RESTRICTIONS FOR SOME STATE VARIABLES IN constructor AND SETTERS
Some state variables have different restrictions when setting them in constructor and the corresponding setter functions. It is possible that the values, which can be set in the constructor, cannot be set in the setter functions or vice versa. These inconsistencies can confuse users and developers. For better user experience and maintainability, please consider updating the restrictions for the following state variables to be the same in constructor and the corresponding setter functions.
function setReplenishmentPriceBps(uint newReplenishmentPriceBps_) public onlyOperator {
require(newReplenishmentPriceBps_ > 0, "replenishment price must be over 0");
replenishmentPriceBps = newReplenishmentPriceBps_;
}
replenishmentIncentiveBps's setter function requires that _replenishmentIncentiveBps > 0 && _replenishmentIncentiveBps < 10000 but constructor only requires _replenishmentIncentiveBps < 10000.
liquidationIncentiveBps's setter function requires that _liquidationIncentiveBps + liquidationFeeBps < 10000 but constructor only requires that _liquidationIncentiveBps < 10000.
[L-02] MISSING TWO-STEP PROCEDURES FOR SETTING gov, lender, and pauseGuardian
The following setGov, setLender, and setPauseGuardian functions can be called to set gov, lender, and pauseGuardian. Because these functions do not include a two-step procedure, it is possible to assign these roles to wrong addresses. When this occurs, the functions that are only callable by these roles can become no-ops or be maliciously called. To reduce the potential attack surface, please consider implementing a two-step procedure for assigning each of these roles.
A comment regarding todo indicates that there is an unresolved action item for implementation, which needs to be addressed before the protocol deployment. Please review the todo comment in the following code.
@param repaidDebt Th amount of user user debt to liquidate.
[N-02] CONSTANTS CAN BE USED INSTEAD OF MAGIC NUMBERS
To improve readability and maintainability, constants can be used instead of magic numbers. Please consider replacing the magic numbers, such as 10000, in the following code with constants.
NatSpec comments provide rich code documentation. @param and/or @return comments are missing for the following functions. Please consider completing NatSpec comments for them.
src\Market.sol
226: function createEscrow(address user) internal returns (IEscrow instance) {
245: function getEscrow(address user) internal returns (IEscrow) {
292: function predictEscrow(address user) public view returns (IEscrow predicted) {
312: function getCollateralValue(address user) public view returns (uint) {
323: function getCollateralValueInternal(address user) internal returns (uint) {
334: function getCreditLimit(address user) public view returns (uint) {
344: function getCreditLimitInternal(address user) internal returns (uint) {
353: function getWithdrawalLimitInternal(address user) internal returns (uint) {
370: function getWithdrawalLimit(address user) public view returns (uint) {
src\Oracle.sol
78: function viewPrice(address token, uint collateralFactorBps) external view returns (uint) {
[N-04] MISSING NATSPEC COMMENTS
NatSpec comments provide rich code documentation. NatSpec comments are missing for the following functions. Please consider adding them.
src\DBR.sol
262: function DOMAIN_SEPARATOR() public view virtual returns (bytes32) {
266: function computeDomainSeparator() internal view virtual returns (bytes32) {
src\Market.sol
97: function DOMAIN_SEPARATOR() public view virtual returns (bytes32) {
101: function computeDomainSeparator() internal view virtual returns (bytes32) {
[L-01] DIFFERENT RESTRICTIONS FOR SOME STATE VARIABLES IN
constructor
AND SETTERSSome state variables have different restrictions when setting them in
constructor
and the corresponding setter functions. It is possible that the values, which can be set in theconstructor
, cannot be set in the setter functions or vice versa. These inconsistencies can confuse users and developers. For better user experience and maintainability, please consider updating the restrictions for the following state variables to be the same inconstructor
and the corresponding setter functions.replenishmentPriceBps
's setter function requires thatnewReplenishmentPriceBps_ > 0
butconstructor
does not require that at all. https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L30-L42https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L62-L65
replenishmentIncentiveBps
's setter function requires that_replenishmentIncentiveBps > 0 && _replenishmentIncentiveBps < 10000
butconstructor
only requires_replenishmentIncentiveBps < 10000
.liquidationIncentiveBps
's setter function requires that_liquidationIncentiveBps + liquidationFeeBps < 10000
butconstructor
only requires that_liquidationIncentiveBps < 10000
.https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L61-L90
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L172-L175
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L183-L186
[L-02] MISSING TWO-STEP PROCEDURES FOR SETTING
gov
,lender
, andpauseGuardian
The following
setGov
,setLender
, andsetPauseGuardian
functions can be called to setgov
,lender
, andpauseGuardian
. Because these functions do not include a two-step procedure, it is possible to assign these roles to wrong addresses. When this occurs, the functions that are only callable by these roles can become no-ops or be maliciously called. To reduce the potential attack surface, please consider implementing a two-step procedure for assigning each of these roles.https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L130
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L136
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L142
[L-03] MISSING
address(0)
CHECKS FOR CRITICAL ADDRESS INPUTSTo prevent unintended behaviors, critical addresses inputs should be checked against
address(0)
.Please consider checking
_operator
in the followingconstructor
. https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L30-L42Please consider checking
_gov
,_lender
,_pauseGuardian
, and_escrowImplementation
in the followingconstructor
. https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L61-L90Please consider checking
_operator
in the followingconstructor
. https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L29-L33[L-04] UNRESOLVED TODO COMMENT
A comment regarding todo indicates that there is an unresolved action item for implementation, which needs to be addressed before the protocol deployment. Please review the todo comment in the following code.
https://github.com/code-423n4/2022-10-inverse/blob/main/src/escrows/INVEscrow.sol#L34-L36
[N-01] TYPOS IN COMMENTS
The phrase in the following comment should be "the user" instead of "th user". https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L128
The word in the following comment should be "debt" instead of "deb". https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L129
The phrase in the following comment should be "The amount" instead of "Th amount". https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L589
[N-02] CONSTANTS CAN BE USED INSTEAD OF MAGIC NUMBERS
To improve readability and maintainability, constants can be used instead of magic numbers. Please consider replacing the magic numbers, such as
10000
, in the following code with constants.[N-03] INCOMPLETE NATSPEC COMMENTS
NatSpec comments provide rich code documentation. @param and/or @return comments are missing for the following functions. Please consider completing NatSpec comments for them.
[N-04] MISSING NATSPEC COMMENTS
NatSpec comments provide rich code documentation. NatSpec comments are missing for the following functions. Please consider adding them.