# Audits

## Introduction

This report presents the findings of the security assessment of the TCV smart contracts; the code review was conducted between August 3rd, 2024 and August 5th, 2024.

### Project Summary

* Project Name: TCV
* Language: Solidity
* Codebase:
* Commit: ae25589d391ccef3e034bd92c458d291587c5391
* Audit method: Static Analysis, Manual Review
* Scope:
  * contracts/core/TCV.sol
  * contracts/core/abstract/TCVStorage.sol
  * contracts/periphery/TCVRouter.sol

### Vulnerability Summary

| Severity                                             | # of Findings |
| ---------------------------------------------------- | ------------- |
| <mark style="color:red;">**Critical**</mark>         | 0             |
| <mark style="color:orange;">**Medium**</mark>        | 0             |
| <mark style="color:green;">**Low**</mark>            | 1             |
| <mark style="color:purple;">**Informational**</mark> | 1             |

## Findings

<table><thead><tr><th width="93">ID</th><th width="306">Title</th><th width="166">Type</th><th>Severity</th></tr></thead><tbody><tr><td>ID-01</td><td>Missing zero address validation</td><td>Logical Issue</td><td><mark style="color:green;"><strong>Low</strong></mark></td></tr><tr><td>ID-02</td><td>Unused function parameters</td><td>Coding Style</td><td><mark style="color:purple;"><strong>Informational</strong></mark></td></tr></tbody></table>

## Detailed Results

### ID-01: Missing zero address validation

| Type          | Severity                                  | Location         |
| ------------- | ----------------------------------------- | ---------------- |
| Logical Issue | <mark style="color:green;">**Low**</mark> | TCV.sol#307      |
| Logical Issue | <mark style="color:green;">**Low**</mark> | TCVRouter.sol#73 |

#### Description

The affected functions do not validate that their address arguments are non-zero. Transactions can revert in unexpected ways if these functions are called with invalid arguments.

At contracts/core/TCV.sol#307, `rebalanceParams_.swap.router.call(rebalanceParams_.swap.payload);` is called without validating the `rebalanceParams_.swap.router` address.

At contracts/periphery/TCVRouter.sol#73, `(amount0, amount1, sharesReceived) = resolver.getMintAmounts(ITCV(params_.vault), params_.amount0Max, params_.amount1Max);` is called without validating the `params_.vault` address.

#### Recommendation

Check that the address is not zero.
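The following added example (hypothetical contract, not TCV code) shows the low-level `call` pattern from TCV.sol#307 beside a hardened version. It goes slightly beyond the recommendation: besides the zero-address check, it also requires code at the target, because a low-level `call` to an address without code (address(0) included) does not revert but returns `success == true` with empty return data, so the swap would silently never happen.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical illustration of finding ID-01; names are assumptions,
/// not identifiers from the TCV codebase.
contract SwapTargetExample {
    struct Swap {
        address router;
        bytes payload;
    }

    error ZeroAddress();
    error NotAContract(address target);
    error SwapFailed(bytes reason);

    /// Vulnerable shape: forwards the payload without checking `router`.
    /// With router == address(0) (or any codeless address) the EVM treats
    /// the call as a successful no-op, so `ok` is true and the caller
    /// proceeds as if the swap had happened.
    function swapUnchecked(Swap calldata swap_) external returns (bool ok) {
        (ok, ) = swap_.router.call(swap_.payload);
    }

    /// Hardened shape: reject the zero address, require code at the target
    /// (a zero-address check alone still lets a typo'd EOA address "succeed"),
    /// and bubble up the callee's revert reason instead of swallowing it.
    function swapChecked(Swap calldata swap_) external returns (bytes memory result) {
        address router = swap_.router;
        if (router == address(0)) revert ZeroAddress();
        if (router.code.length == 0) revert NotAContract(router);
        bool ok;
        (ok, result) = router.call(swap_.payload);
        if (!ok) revert SwapFailed(result);
    }

    /// Same validation for the TCVRouter.sol#73 case: check the vault
    /// address before using it as the target of an external call.
    function requireVault(address vault_) internal view {
        if (vault_ == address(0)) revert ZeroAddress();
        if (vault_.code.length == 0) revert NotAContract(vault_);
    }
}
```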

### ID-02: Unused function parameters

<table><thead><tr><th width="241">Type</th><th width="232">Severity</th><th>Location</th></tr></thead><tbody><tr><td>Coding Style</td><td><mark style="color:purple;"><strong>Informational</strong></mark></td><td>TCVStorage.sol#356</td></tr></tbody></table>

#### Description

At TCVStorage.sol#356, the parameters named `pool_, lowerTick_, upperTick_` in function `_collectFees(IUniswapV3Pool pool, int24 lowerTick_, int24 upperTick_)` are unused.

#### Recommendation

Remove unused parameters.

## Appendix

### Severity Definitions

#### *<mark style="color:red;">Critical</mark>*

Vulnerabilities at this level can be exploited easily and can lead to asset loss, data loss, or asset or data manipulation. They should be fixed right away.

#### *<mark style="color:orange;">Medium</mark>*

Vulnerabilities at this level are hard to exploit but very important to fix; they carry an elevated risk of smart contract manipulation, which can escalate to critical severity.

#### *<mark style="color:green;">Low</mark>*

Vulnerabilities at this level should be fixed, as they carry an inherent risk of future exploits and hacks, which may or may not impact smart contract execution.

#### *<mark style="color:purple;">Informational</mark>*

Vulnerabilities at this level can be ignored. They are code style violations and informational statements in the code, and they may not affect smart contract execution.

### Finding Categories

#### *Gas Optimization*

Gas Optimization findings refer to exhibits that do not affect the functionality of the code but generate different, more optimal EVM opcodes, resulting in a reduction in the total gas cost of a transaction.

#### *Logical Issue*

Logical Issue findings are exhibits that detail a fault in the logic of the linked code, such as an incorrect notion of how `block.timestamp` works.

#### *Inconsistency*

Inconsistency findings refer to functions that should seemingly behave similarly yet contain different code, such as a constructor assignment imposing different require statements on the input variables than a setter function.

#### *Coding Style*

Coding Style findings usually do not affect the generated bytecode; they comment on how to make the codebase more legible and, as a result, more easily maintainable.

#### *Mathematical Operations*

Mathematical Operations findings relate to the mishandling of math formulas, such as overflows, incorrect operations, etc.

#### *Dead Code*

Dead Code findings refer to code that does not affect the functionality of the codebase and can be safely omitted.

#### *Language Specific*

Language Specific findings are issues that would only arise within Solidity, e.g. incorrect usage of <mark style="color:purple;">**private**</mark> or <mark style="color:purple;">**delete**</mark>.
