Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: low
Invalid

Example documentation in AssetSwapPath.configure(), Redundant imports


Summary

The AssetSwapPath.configure() function includes example documentation that explains how assets and swap strategies are structured. However, the example lacks clarity regarding edge cases, such as empty paths or invalid strategies. Additionally, redundant imports in the codebase (e.g., unused dependencies) increase gas costs unnecessarily and clutter the code. While these issues are minor, addressing them demonstrates attention to detail and improves code quality.


Vulnerability Details

1. Example Documentation in AssetSwapPath.configure()

Code Analysis

The configure() function in AssetSwapPath includes the following example:

/// Example: 4 tokens, 3 swaps
/// sUSDe --curve--> USDe --curve--> USDC --UniV3--> WETH
/// assets should be [sUSDe, USDe, USDC]
/// dexSwapStrategyIds should be [3, 3, 1] where "3" is curve swap strategy id and "1" is UniV3

Key Observations

  1. Lack of Edge Case Coverage: The example assumes valid inputs but does not address edge cases, such as:

    • Empty assets or dexSwapStrategyIds arrays.

    • Mismatched lengths between assets and dexSwapStrategyIds.

    • Invalid or unsupported dexSwapStrategyIds.

  2. Ambiguity in Strategy IDs: The example mentions "3" for Curve and "1" for UniV3 but does not clarify whether these IDs are globally unique or context-specific.

Potential Issues

  • Developers relying on this example might implement incorrect configurations, leading to runtime errors or undefined behavior.

  • Missing edge case coverage could result in improper validation during development or testing.


2. Redundant Imports

Code Analysis

The following imports are present in the codebase but may not be fully utilized:

  • File 2 (Collateral):

    import { Errors } from "@zaros/utils/Errors.sol";
    import { Math } from "@zaros/utils/Math.sol";
    import { MarketMakingEngineConfiguration } from "@zaros/market-making/leaves/MarketMakingEngineConfiguration.sol";

    • MarketMakingEngineConfiguration is imported but not used directly in the Collateral library.

  • File 3 (CreditDelegation):

    import { SafeCast } from "@openzeppelin/utils/math/SafeCast.sol";

    • SafeCast is imported but only partially used (e.g., .toInt128() and .intoUint128()).

Key Observations

  1. Unused Imports: Imports like MarketMakingEngineConfiguration and potentially others increase gas costs unnecessarily.

  2. Cluttered Codebase: Redundant imports make the code harder to read and maintain.

Potential Issues

  • Increased deployment and runtime gas costs due to unnecessary imports.

  • Confusion for developers who might assume these imports are required for functionality.


Impact

  • Documentation Issue: Lack of clarity in the example documentation could lead to incorrect implementations, causing runtime errors or undefined behavior.

  • Gas Inefficiency: Redundant imports increase deployment and runtime gas costs, which is particularly problematic for smart contracts with limited resources.

  • Code Maintainability: Cluttered codebase reduces readability and increases the risk of future bugs.


Tools Used

  1. Manual Code Review: Analyzed the configure() function's example documentation and identified redundant imports.

  2. Slither: Static analysis tool used to detect unused imports and highlight areas for improvement.

  3. MythX: Security analysis platform used to verify the impact of redundant imports on gas costs.


Recommendations

1. Improve Example Documentation

Enhance the example in AssetSwapPath.configure() to cover edge cases and clarify assumptions:

/// Example: Configuring a swap path for 4 tokens and 3 swaps
/// sUSDe --curve--> USDe --curve--> USDC --UniV3--> WETH
/// assets should be [sUSDe, USDe, USDC]
/// dexSwapStrategyIds should be [3, 3, 1], where:
/// - "3" represents the Curve swap strategy ID.
/// - "1" represents the UniV3 swap strategy ID.
///
/// Edge Cases:
/// - If `assets` or `dexSwapStrategyIds` is empty, the configuration will fail.
/// - Ensure `assets.length == dexSwapStrategyIds.length` to avoid mismatches.
/// - Verify that all `dexSwapStrategyIds` are supported by the system.
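
The three edge cases above, enforced as on-chain checks. This is an added illustration, not code from the Zaros repository or from the submission: the contract name, the custom errors, the `uint128` id type and the `isStrategySupported` registry are assumptions, and access control is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example. Every identifier here is hypothetical; only the parameter
/// names `assets` and `dexSwapStrategyIds` come from the quoted NatSpec.
contract SwapPathConfigExample {
    error EmptySwapPath();
    error SwapPathLengthMismatch(uint256 assetsLength, uint256 strategyIdsLength);
    error UnsupportedStrategyId(uint256 index, uint128 strategyId);

    // Assumed registry of known strategy ids (the page's example uses
    // 1 for UniV3 and 3 for Curve).
    mapping(uint128 strategyId => bool supported) public isStrategySupported;

    address[] private _assets;
    uint128[] private _dexSwapStrategyIds;

    constructor(uint128[] memory supportedIds) {
        for (uint256 i; i < supportedIds.length; ++i) {
            isStrategySupported[supportedIds[i]] = true;
        }
    }

    /// For sUSDe -> USDe -> USDC -> WETH the caller passes
    /// assets = [sUSDe, USDe, USDC] and dexSwapStrategyIds = [3, 3, 1].
    /// Access control is omitted to keep the example short.
    function configure(address[] calldata assets, uint128[] calldata dexSwapStrategyIds) external {
        // Edge case 1: an empty path is rejected outright.
        if (assets.length == 0) revert EmptySwapPath();

        // Edge case 2: one strategy id per source asset, no more, no less.
        if (assets.length != dexSwapStrategyIds.length) {
            revert SwapPathLengthMismatch(assets.length, dexSwapStrategyIds.length);
        }

        // Edge case 3: every hop must use a strategy id the registry knows.
        for (uint256 i; i < dexSwapStrategyIds.length; ++i) {
            if (!isStrategySupported[dexSwapStrategyIds[i]]) {
                revert UnsupportedStrategyId(i, dexSwapStrategyIds[i]);
            }
        }

        _assets = assets;
        _dexSwapStrategyIds = dexSwapStrategyIds;
    }
}
```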

2. Remove Redundant Imports

Eliminate unused or unnecessary imports to reduce gas costs and improve code clarity:

  • File 2 (Collateral): Remove the unused import for MarketMakingEngineConfiguration:

    // Remove this line if not used
    // import { MarketMakingEngineConfiguration } from "@zaros/market-making/leaves/MarketMakingEngineConfiguration.sol";

  • File 3 (CreditDelegation): Evaluate whether SafeCast is fully utilized. If not, remove it or justify its inclusion.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
