Lack of documentation
Well-maintained documentation is invaluable for both auditors and new developers when getting familiar with a codebase. A lack of documentation makes it harder to read, understand, and extend the code, while outdated documentation can be just as problematic—creating confusion when it no longer reflects how the code actually works. We found that this project lacked adequate documentation, particularly regarding deployment and setup.
The repository did include flow diagrams, in the form of PUML files, which were helpful in understanding how a bridging transaction should work. However, the documentation for deploying and running the codebase appeared to be significantly outdated. The automated pm2 start script was missing critical steps required for the application to function properly, and these steps were also absent from the repository's "Getting Started" section. While docker-compose.dev.yaml included some of the missing steps, it was never referenced in the documentation. As a result, troubleshooting the deployment took considerably more time than necessary—time that could have been saved with up-to-date documentation outlining all the necessary steps to get the application running.
Improving and maintaining clear, up-to-date documentation would greatly benefit both auditors and developers working with the codebase.