Severity: Low
Context: LiquidStakingManager.sol#L255
Description: Setter functions are missing checks to validate if the new value being set is the same as the current value already set in the contract. Such checks will showcase mismatches between on-chain and off-chain states.
Recommendation: This may hinder detecting discrepancies between on-chain and off-chain states leading to flawed assumptions of on-chain state and protocol behavior.
Severity: Low
Context: LPToken.sol#L32, OwnableSmartWallet.sol#L28, SavETHVault.sol#L45
Description: Lack of zero-address validation on address parameters may lead to transaction reverts, waste gas, require resubmission of transactions and may even force contract redeployments in certain cases within the protocol.
Recommendation: Consider adding explicit zero-address validation on input parameters of address type.
Severity: Low
Context: Syndicate.sol#L168, StakingFundsVault.sol#L56
Description: Several functions update critical parameters that are missing event emission. These should be performed to ensure tracking of changes of such critical parameters.
Recommendation: Consider adding events to functions that change critical parameters.
Severity: Low
Context: OwnableSmartWallet.sol#L148, Syndicate.sol#L352, LiquidStakingManager.sol#L629, SyndicateRewardsProcessor.sol#L98
Description:
Consider emitting an event inside this function with msg.sender and msg.value as the parameters. This would make it easier to track incoming ether transfers.
Recommendation:
Consider adding events to the receive() functions.
Severity Informational
Context: LiquidStakingManager.sol#L158, ETHPoolLPFactory.sol#L28-L29
Description:
The linked variables do not conform to the standard naming convention of Solidity whereby functions and variable names(local and state) utilize the mixedCase format unless variables are declared as constant in which case they utilize the UPPER_CASE_WITH_UNDERSCORES format. Private variables and functions should lead with an _underscore.
Recommendation: Consider naming conventions utilized by the linked statements are adjusted to reflect the correct type of declaration according to the Solidity style guide.
Severity: Informational
Context: SavETHVaultDeployer.sol#L13, StakingFundsVaultDeployer.sol#L13, LPTokenFactory.sol#L15, SyndicateFactory.sol#L48, GiantPoolBase.sol#L22, LSDNFactory.sol#L15, GiantSavETHVaultPool.sol#L66, OwnableSmartWallet.sol#L94, SavETHVault.sol#L25, SavETHVault.sol#L121, GiantMevAndFeesPool.sol#L105, StakingFundsVault.sol#L37, Syndicate.sol#L66, LiquidStakingManager.sol#L90, SyndicateRewardsProcessor.sol#L15, ETHPoolLPFactory.sol#L28-L29
Description: The best-practice layout for a contract should follow the following order: state variables, events, modifiers, constructor and functions. Function ordering helps readers identify which functions they can call and find constructor and fallback functions easier. Functions should be grouped according to their visibility and ordered as: constructor, receive function (if exists), fallback function (if exists), external, public, internal, private. Functions should then further be ordered with view functions coming after the non-view labeled ones.
Recommendation: Consider adopting recommended best-practice for code structure and layout.
Severity: Informational
Context: LPToken.sol#L28, GiantPoolBase.sol#L100-L103, OwnableSmartWallet.sol#L25, SavETHVault.sol#L43, StakingFundsVault.sol#L43, Syndicate.sol#L123, LiquidStakingManager.sol#L166, LiquidStakingManager.sol#L629, SyndicateRewardsProcessor.sol#L98
Description: It's best practice that when there is an empty block, to add a comment in the block explaining why it's empty.
Recommendation:
Consider adding /* Comment on why */ to the empty blocks.
Severity Informational
Context: SavETHVault.sol#L121, StakingFundsVault.sol#L25-L34, Syndicate.sol#L57-L60, ETHPoolLPFactory.sol#L16-L25
Description: Parameters of certain events are expected to be indexed so that they’re included in the block’s bloom filter for faster access. Failure to do so might confuse off-chain tooling looking for such indexed events.
Recommendation: Consider adding the indexed keyword to event parameters that should include it.
Severity: Informational
Context: Syndicate.sol#L195
Description: There should never be any TODOs in the code when deploying.
Recommendation: Consider finishing the TODOs before deploying.
Severity: Informational
Context: OptionalHouseGatekeeper.sol, SavETHVaultDeployer.sol, LPTokenFactory.sol, GiantLP.sol, LPToken.sol, SyndicateFactory.sol, GiantPoolBase.sol, LSDNFactory.sol, GiantSavETHVaultPool.sol, GiantMevAndFeesPool.sol, Syndicate.sol, SyndicateErrors.sol
Description: SPDX license identifier is in the wrong spot in the source file. Before publishing.
Recommendation: Consider moving the "SPDX-License-Identifier: " before the declaration of the pragma version.
Severity: Informational
Context: SavETHVault.sol#L115 (Inconsisent => Inconsistent), SavETHVault.sol#L227 (determins => determines), Syndicate.sol#L356 (publice => public), Syndicate.sol#L490 (amongs => among), Syndicate.sol#L565 (incomming => incoming), Syndicate.sol#L490 (funtion => function), LiquidStakingManager.sol#L51 (trigerringAddress => triggeringAddress), LiquidStakingManager.sol#L101 (admiting => admitting), LiquidStakingManager.sol#L476 (validtor => validator), LiquidStakingManager.sol#L476 (initals => initials), LiquidStakingManager.sol#L920 (customise => customize), ETHPoolLPFactory.sol#L74 (Instane => Instance), ETHPoolLPFactory.sol#L124 (depoistor => depositor), ETHPoolLPFactory.sol#L150 (depoistor => depositor)
Description: Spelling errors in comments can cause confusion to both users and developers.
Recommendation: Consider checking all misspellings to ensure they are corrected.
Severity: Informational
Context: All Contracts
Description: Some functions are missing @notice/@dev NatSpec comments for the function, @param for all/some of their parameters and @return for return values. Given that NatSpec is an important part of code documentation, this affects code comprehension, auditability and usability.
Recommendation: Consider adding in full NatSpec comments for all functions to have complete code documentation for future use.
Severity: Informational
Context: All Contracts
Description: Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Recommendation: Consider locking the pragma version.
Severity: Informational
Context: All Contracts
Description: Using very old versions of Solidity prevents benefits of bug fixes and newer security checks. Using the latest versions might make contracts susceptible to undiscovered compiler bugs.
Recommendation: Consider using the most recent version.