Category: Code Maturity

Lack of documentation

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

No code documentation had been provided as of the audited commit. Documenting the intended mechanisms would aid comprehension and make security sanity checks easier. For example, consider the following snippet from the swap function in StakingPool.sol:

for (uint i = indexEnd; i > indexStar; i--) { 
    Issue storage issueInfo = issues[i];
    if (issueInfo.isStaking) { 
        if (amountB > 0) {
            if (amountB >= issueInfo.issueAmount) {
                uint amountA = (issueInfo.issueAmount * 10000) / rate;
                amountB -= issueInfo.issueAmount; 
                redeemToekn.safeTransfer(issueInfo.user, amountA);
                issueInfo.isStaking = false; 
            } else { 
                uint amountA = (amountB * 10000) / rate;
                redeemToekn.safeTransfer(issueInfo.user, amountA);
                issueInfo.issueAmount -= amountB;
                amountB = 0;
            }
        } 
    }
}

For the nontechnical user, the above code is not very readable. It is important to add comments to the code to explain the operations and the expected behavior. For example, the following comments could be added to the code:

for (uint i = indexEnd; i > indexStar; i--) { 
    Issue storage issueInfo = issues[i];

+   // Check if the issue is staking
    if (issueInfo.isStaking) { 

+       // Check if there are any tokens to redeem
        if (amountB > 0) {

+           // Check if the amount of tokens to redeem is greater than the issue amount
            if (amountB >= issueInfo.issueAmount) {

+               // Calculate the amount of tokens to redeem
                uint amountA = (issueInfo.issueAmount * 10000) / rate;
                
+               // Transfer the tokens to the user
                amountB -= issueInfo.issueAmount; 
                redeemToekn.safeTransfer(issueInfo.user, amountA);

+               // Mark the issue as not staking
                issueInfo.isStaking = false; 
            } else { 
+               // Calculate the amount of tokens to redeem
                uint amountA = (amountB * 10000) / rate;

+               // Transfer the tokens to the user
                redeemToekn.safeTransfer(issueInfo.user, amountA);
                issueInfo.issueAmount -= amountB;
                
+               // Set the amount of tokens to redeem to 0
                amountB = 0;
            }
        } 
    }
}
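
Review bot: the added comment "// Transfer the tokens to the user" in the first branch sits directly above "amountB -= issueInfo.issueAmount;", which reduces the remaining amount and transfers nothing; it belongs on the safeTransfer line below it, and the subtraction should get its own comment. The comment above "if (amountB >= issueInfo.issueAmount)" says "greater than", while the condition also covers equality. The loop header and the "* 10000) / rate" scaling receive no comment, so the descending iteration, the exclusive lower bound indexStar, and the units of rate stay undocumented. Most of the added comments restate the statement below them; a comment describing the expected outcome of each branch (issue fully redeemed and closed, or issue partially redeemed and left open) would serve the finding better.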

Impact

Code maturity is very important in high-assurance projects. Undocumented code may result in developer confusion, potentially leading to future bugs should the code be modified later on.

In general, a lack of documentation impedes the auditors' and external developers' ability to read, understand, and extend the code. The problem is also carried over if the code is ever forked or reused.

Recommendations

We recommend adding more comments to the code in order to explain the operations and the expected behavior. This would help with comprehensibility and would make the code more readable for any users, regardless of their technical background.

Remediation

This issue has been acknowledged by Chateau Capital, and a fix was implemented in commit 0cca694b.

Zellic © 2024