Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Blackwing>Informational findings>Duplicate checks in deployer
GeneralOverview
Findings
Medium (1)
Low (1)
Informational (1)Duplicated check
DiscussionCentralizationFront-run
Threat ModelWhat are threat models?aave_deployer.solvault.solvault_token.sol
Audit ResultsSummary
Category: Code Maturity

Duplicate checks in deployer

Informational Severity
Informational Impact
N/A Likelihood

Description

The BlackwingAaveDeployer contract has two functions, remove() and whitelistAsset(), both of which have duplicate role checking.

  • remove checks for VAULT_ROLE with a modifier and a require

  • whitelistAsset checks for OWNER_ROLE with a modifier and a require 

function whitelistAsset(IERC20 asset, IPoolAddressesProvider pap) public onlyRole(OWNER_ROLE) {
  require(hasRole(OWNER_ROLE, msg.sender), UNAUTHORIZED_ERR);
  // ...
}

function remove(IERC20 asset, uint amount) public onlyRole(VAULT_ROLE) {
  require(hasRole(VAULT_ROLE, msg.sender), UNAUTHORIZED_ERR);
  requireAssetWhitelisted(asset);
  // ...
}

Impact

The redundant checks consume unnecessary gas and diminish the code's readability and overall maturity.

Recommendations

Consider removing the duplicate checks to ensure the role is only checked a single time.

Remediation

This issue has been acknowledged by Ferum Labs, and a fix was implemented in commit d7158213.

The team removed onlyRole(VAULT_ROLE) and used hasRole(VAULT_ROLE, msg.sender).

Zellic © 2025Back to top ↑