
Introduction

This report presents the findings of the security assessment and code review of the TCV smart contracts, conducted between August 3rd, 2024 and August 5th, 2024.

Project Summary

  • Project Name: TCV

  • Language: Solidity

  • Codebase:

  • Commit: ae25589d391ccef3e034bd92c458d291587c5391

  • Audit method: Static Analysis, Manual Review

  • Scope:

    • contracts/core/TCV.sol

    • contracts/core/abstract/TCVStorage.sol

    • contracts/periphery/TCVRouter.sol

Vulnerability Summary

Findings

Detailed Results

ID-01: Missing zero address validation

Description

Missing zero address validation was detected. If these functions are called with an invalid (zero) address, the transaction can revert in an unexpected way.

At contracts/core/TCV.sol#307, rebalanceParams_.swap.router.call(rebalanceParams_.swap.payload); is called without validating the rebalanceParams_.swap.router address.

At contracts/periphery/TCVRouter.sol#73, (amount0, amount1, sharesReceived) = resolver.getMintAmounts(ITCV(params_.vault), params_.amount0Max, params_.amount1Max); is called without validating the params_.vault address.

Recommendation

Check that the address is not zero.
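The following contract is an added illustration of the check recommended for ID-01; it is not the audited TCV code. The struct layouts, the empty ITCV interface and the function names are assumptions; only the field names (swap.router, swap.payload, vault) come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface; the real ITCV is out of scope here.
interface ITCV {}

contract ZeroAddressCheckExample {
    struct SwapParams {
        address router;   // external contract that receives the low-level call
        bytes payload;    // calldata forwarded to that contract
    }

    struct RebalanceParams {
        SwapParams swap;
    }

    error ZeroAddress();
    error SwapFailed(bytes returnData);

    // Vulnerable shape (as in ID-01): a low-level call to an account with no
    // code, including address(0), returns (true, "") rather than reverting,
    // so a mis-set router lets the "swap" pass silently and the failure only
    // surfaces later, in an unexpected place.
    function rebalanceUnchecked(RebalanceParams calldata rebalanceParams_) external {
        (bool ok, bytes memory ret) =
            rebalanceParams_.swap.router.call(rebalanceParams_.swap.payload);
        if (!ok) revert SwapFailed(ret);
    }

    // Hardened shape: reject the zero address up front with a clear error, and
    // additionally require code at the target so a plain EOA is rejected too.
    function rebalanceChecked(RebalanceParams calldata rebalanceParams_) external {
        address router = rebalanceParams_.swap.router;
        if (router == address(0)) revert ZeroAddress();
        require(router.code.length > 0, "router has no code");
        (bool ok, bytes memory ret) = router.call(rebalanceParams_.swap.payload);
        if (!ok) revert SwapFailed(ret);
    }

    // The same guard applied to the vault parameter used by the router
    // before it is cast to ITCV and passed on to the resolver.
    function vaultChecked(address vault) external pure returns (ITCV) {
        if (vault == address(0)) revert ZeroAddress();
        return ITCV(vault);
    }
}
```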

ID-02: Unused function parameters

Description

At TCVStorage.sol#356, the parameters named pool_, lowerTick_, upperTick_ in function _collectFees(IUniswapV3Pool pool, int24 lowerTick_, int24 upperTick_) are unused.

Recommendation

Remove unused parameters.

Appendix

Severity Definitions

Critical

Vulnerabilities at this level could be exploited easily and can lead to asset loss, data loss, or asset or data manipulation. They should be fixed right away.

Medium

Vulnerabilities at this level are hard to exploit but very important to fix. They carry an elevated risk of smart contract manipulation, which can escalate to critical severity.

Low

Vulnerabilities at this level should be fixed, as they carry an inherent risk of future exploits and hacks, which may or may not impact the smart contract execution.

Informational

Findings at this level can be ignored. They are code style violations and informational statements about the code, and they do not affect the smart contract execution.

Finding Categories

Gas Optimization

Gas Optimization findings refer to exhibits that do not affect the functionality of the code but generate different, more optimal EVM opcodes, resulting in a reduction in the total gas cost of a transaction.

Logical Issue

Logical Issue findings are exhibits that detail a fault in the logic of the linked code, such as an incorrect notion on how block.timestamp works.

Inconsistency

Inconsistency findings refer to functions that should seemingly behave similarly yet contain different code, such as a constructor assignment imposing different require statements on the input variables than a setter function.

Coding Style

Coding Style findings usually do not affect the generated bytecode; they comment on how to make the codebase more legible and, as a result, more easily maintainable.

Mathematical Operations

Mathematical Operations findings relate to the mishandling of math formulas, such as overflows or incorrect operations.

Dead Code

Dead Code findings refer to code that does not affect the functionality of the codebase and can be safely omitted.

Language Specific

Language Specific findings are issues that would only arise in Solidity, such as incorrect usage of private or delete.
