Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Synthereum>Informational findings>Lack of validation
GeneralOverview
Findings
Medium (1)
Low (2)
Informational (1)Lack of validation
DiscussionLimited controlDocumentationCode maturityClient response
Audit ResultsSummary
Category: Business Logic

Lack of validation

Informational Severity
Informational Impact
N/A Likelihood

There are several areas lacking validation checks including zero checks, non-zero address checks, and so forth

Below are the listings of each area missing a check:

  • AaveV3.sol, deposit/withdraw - check that the moneyMarket argument is not zero or that it is valid

  • LendingManager.sol, batchBuyback - check that getCollateralSwapModule returns a non-zero value

  • LendingManager.sol, collateralToInterestToken/InterestToCollateralToken - verify the existence of the pool by checking pool.lendingModuleId

  • LendingStorageManager.sol, updateValues - verify the existence of the pool by checking poolData.lendingModuleId

  • MultiLpLiquidityPool.sol, _setLendingModule - verify that the lendingModuleId is not 0 and change the type of lendingModuleId to accurately reflect the poolStorage type, which is bytes32

We also noted that there are several areas where arithemitc operations are not checked and are caught by underflow/overflow reverts, resulting in unclear reverts without error messages. For example,

  • LendingManager.sol, claimCommission - check that interestTokenAmount is greater than or equal to poolData.unclaimedDaoCommission + interestSplit.commissionInterest

  • LendingManager.sol, batchBuyback - add a check if the interestTokenAmount is greater than the poolData.unclaimedDaoJRT + interestSplit.jrtInterest

  • MultiLpLiquidity.sol, _updateAndDecreaseActualLPCollateral - check that actualCollateralAmount is greater than _decreaseCollateral

Impact

Code maturity is very important in high-assurance projects. Checks help safeguard against unfortunate situations that might occur, help reduce the risk of lost funds and frozen protocols, and improve UX. Adding extra reverts can help clarify the internal mechanisms and reduce potential bugs that future developers might introduce while building on this project.

Recommendations

We recommend adding the requisite checks/reverts to the areas above or adding documentation to clarify reverts.

Remediation

The Jarvis team has acknowledged the lack of validation checks in certain contracts and have indicated their intention to add validation checks where they agree are necessary. Any validation checks not added will be documented in both the smart contract code comments and the official Jarvis documentation.

Zellic © 2024Back to top ↑