Introduction
This report presents the findings of the security assessment and code review of the TCV smart contracts, conducted between August 3rd, 2024 and August 5th, 2024.
Project Summary
Project Name: TCV
Language: Solidity
Codebase:
Commit: ae25589d391ccef3e034bd92c458d291587c5391
Audit method: Static Analysis, Manual Review
Scope:
contracts/core/TCV.sol
contracts/core/abstract/TCVStorage.sol
contracts/periphery/TCVRouter.sol
Vulnerability Summary
Critical: 0
Medium: 0
Low: 1
Informational: 1
Findings
ID-01: Missing zero address validation (Category: Logical Issue; Severity: Low)
ID-02: Unused function parameters (Category: Coding Style; Severity: Informational)
Detailed Results
ID-01: Missing zero address validation
Category: Logical Issue
Severity: Low
Locations: TCV.sol#307, TCVRouter.sol#73
Description
Missing zero-address validation was detected. Transactions can revert in unexpected ways if functions are called with invalid arguments.
At contracts/core/TCV.sol#307, rebalanceParams_.swap.router.call(rebalanceParams_.swap.payload); is called without validating the rebalanceParams_.swap.router address.
At contracts/periphery/TCVRouter.sol#73, (amount0, amount1, sharesReceived) = resolver.getMintAmounts(ITCV(params_.vault), params_.amount0Max, params_.amount1Max); is called without validating the params_.vault address.
Recommendation
Check that the address is not zero.
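As an added example for this finding (this is not TCV's code; the contract, struct and function names below are hypothetical stand-ins for the vault's rebalance path and the router's mint path), the flagged pattern is shown next to a version that validates the address before use. The vault side matters most: a low-level call to address(0), or to any account without code, returns success == true while executing nothing, so an unchecked swap silently no-ops and the rebalance continues on stale balances. The code.length check goes one step beyond the report's recommendation, because a zero-address check alone does not distinguish an externally owned account or an unset storage slot from a real router.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for finding ID-01; not TCV's code. All names are hypothetical.

struct SwapParams {
    address router;  // contract that receives the low-level call
    bytes payload;   // ABI-encoded calldata forwarded to the router
}

interface IVault {
    function getMintAmounts(uint256 amount0Max, uint256 amount1Max)
        external
        view
        returns (uint256 amount0, uint256 amount1, uint256 shares);
}

// "Before": mirrors the pattern flagged at TCV.sol#307.
// swap.router == address(0) makes `call` return ok == true without running
// any code, so the require passes and the "swap" never happens.
contract VaultUnchecked {
    function rebalance(SwapParams calldata swap) external {
        (bool ok, ) = swap.router.call(swap.payload);
        require(ok, "swap failed");
    }
}

// "After": reject the zero address, require that the target has code,
// and bubble up the router's revert reason instead of masking it.
contract VaultChecked {
    error ZeroAddress();
    error NotAContract(address target);

    function rebalance(SwapParams calldata swap) external {
        if (swap.router == address(0)) revert ZeroAddress();
        if (swap.router.code.length == 0) revert NotAContract(swap.router);

        (bool ok, bytes memory ret) = swap.router.call(swap.payload);
        if (!ok) {
            // Re-raise the callee's revert data verbatim (empty data if none).
            assembly {
                revert(add(ret, 32), mload(ret))
            }
        }
    }
}

// Router side: mirrors TCVRouter.sol#73. A high-level interface call on
// address(0) reverts because the zero address returns no data to decode,
// but the revert carries no reason, which is the "unexpected way" the
// finding describes. Validating up front yields an explicit, debuggable error.
contract RouterChecked {
    error ZeroAddress();

    function previewMint(address vault, uint256 amount0Max, uint256 amount1Max)
        external
        view
        returns (uint256 amount0, uint256 amount1, uint256 shares)
    {
        if (vault == address(0)) revert ZeroAddress();
        (amount0, amount1, shares) = IVault(vault).getMintAmounts(amount0Max, amount1Max);
    }
}
```

Where the router address is caller-supplied rather than stored by the owner, an allowlist of approved routers is the stronger control; the zero-address and code checks above are the minimum that makes a misconfiguration fail loudly rather than silently.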
ID-02: Unused function parameters
Category: Coding Style
Severity: Informational
Location: TCVStorage.sol#356
Description
At TCVStorage.sol#356, the parameters named pool_, lowerTick_, upperTick_ in function _collectFees(IUniswapV3Pool pool_, int24 lowerTick_, int24 upperTick_) are unused.
Recommendation
Remove unused parameters.
Appendix
Severity Definitions
Critical
Vulnerabilities at this level could be exploited easily and can lead to asset loss, data loss, or asset or data manipulation. They should be fixed right away.
Medium
Vulnerabilities at this level are hard to exploit but very important to fix; they carry an elevated risk of smart contract manipulation, which can lead to critical-risk severity.
Low
Vulnerabilities at this level should be fixed, as they carry an inherent risk of future exploits and hacks, which may or may not impact the smart contract execution.
Informational
Vulnerabilities at this level can be ignored. They are code style violations and informational statements in the code. They may not affect the smart contract execution.
Finding Categories
Gas Optimization
Gas Optimization findings refer to exhibits that do not affect the functionality of the code but generate different, more optimal EVM opcodes, resulting in a reduction of the total gas cost of a transaction.
Logical Issue
Logical Issue findings are exhibits that detail a fault in the logic of the linked code, such as an incorrect notion on how block.timestamp works.
Inconsistency
Inconsistency findings refer to functions that should seemingly behave similarly yet contain different code, such as a constructor assignment imposing different require statements on the input variables than a setter function.
Coding Style
Coding Style findings usually do not affect the generated bytecode and comment on how to make the codebase more legible and, as a result, more easily maintainable.
Mathematical Operations
Mathematical Operation findings relate to the mishandling of math formulas, such as overflows, incorrect operations, etc.
Dead Code
Dead Code findings refer to code that does not otherwise affect the functionality of the codebase and can be safely omitted.
Language Specific
Language Specific findings are issues that would only arise within Solidity, e.g. incorrect usage of private or delete.