v2.3.1-slither-report.md

Slither report

This report was generated with Slither

THIS CHECKLIST IS NOT COMPLETE. Use --show-ignored-findings to show all the results. Summary

• uninitialized-local (1 results) (Medium)
• calls-loop (4 results) (Low)
• timestamp (6 results) (Low)
• costly-loop (2 results) (Informational)
• dead-code (16 results) (Informational)
• solc-version (29 results) (Informational)
• naming-convention (65 results) (Informational)

uninitialized-local

The concerned variable local mostRecent is initialized in the loop

Impact: Medium Confidence: Medium

• ID-0 ERC20SnapshotModuleInternal._findScheduledMostRecentPastSnapshot().mostRecent is a local variable never initialized

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L476

calls-loop

Remark:

• The RuleEngine is a trusted contract deployed by the issuer.

It is not a problem to perform external call to this contract

• When a ruleEngine is created, the issuer has indeed to keep in mind to limit the number of rules.

Impact: Low Confidence: Medium

• ID-0 RuleEngineMock.messageForTransferRestriction(uint8) has external calls inside a loop: _rules[i].messageForTransferRestriction(_restrictionCode)

contracts/mocks/RuleEngine/RuleEngineMock.sol#L74-L88

• ID-1 RuleEngineMock.messageForTransferRestriction(uint8) has external calls inside a loop: _rules[i].canReturnTransferRestrictionCode(_restrictionCode)

contracts/mocks/RuleEngine/RuleEngineMock.sol#L74-L88

• ID-2 ValidationModuleInternal._validateTransfer(address,address,uint256) has external calls inside a loop: ruleEngine.validateTransfer(from,to,amount)

contracts/modules/internal/ValidationModuleInternal.sol#L47-L53

• ID-3 RuleEngineMock.detectTransferRestriction(address,address,uint256) has external calls inside a loop: restriction = _rules[i].detectTransferRestriction(_from,_to,_amount)

contracts/mocks/RuleEngine/RuleEngineMock.sol#L40-L60

timestamp

Remark:

With the Proof of Work, it was possible for a miner to modify the timestamp in a range of about 15 seconds

With the Proof Of Stake, a new block is created every 12 seconds

In all cases, we are not looking for such precision

Impact: Low Confidence: Medium

• ID-4 ERC20SnapshotModuleInternal._rescheduleSnapshot(uint256,uint256) uses timestamp for comparisons Dangerous comparisons:
  • oldTime <= block.timestamp
  • newTime <= block.timestamp

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L153-L194

• ID-5 ERC20SnapshotModuleInternal._unscheduleSnapshotNotOptimized(uint256) uses timestamp for comparisons Dangerous comparisons:
  • time <= block.timestamp

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L221-L236

• ID-6 ERC20SnapshotModuleInternal._unscheduleLastSnapshot(uint256) uses timestamp for comparisons Dangerous comparisons:
  • time <= block.timestamp

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L199-L213

• ID-7 ERC20SnapshotModuleInternal._scheduleSnapshot(uint256) uses timestamp for comparisons Dangerous comparisons:
  • time <= block.timestamp

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L89-L115

• ID-8 ERC20SnapshotModuleInternal._scheduleSnapshotNotOptimized(uint256) uses timestamp for comparisons Dangerous comparisons:
  • time <= block.timestamp

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L120-L148

• ID-9 ERC20SnapshotModuleInternal._findScheduledMostRecentPastSnapshot() uses timestamp for comparisons Dangerous comparisons:
  • _scheduledSnapshots[i] <= block.timestamp

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L464-L494

costly-loop

Inside the function, these two operations are not performed inside a loop.

It seems that the only loops which callssetCurrentSnapshotare inside the batch functions(mintBatch, burnBatch, ...) through a call to the function update. At the moment, There is no trivial solution to resolve this.

Impact: Informational Confidence: Medium

• ID-10 ERC20SnapshotModuleInternal._setCurrentSnapshot() has costly operations inside a loop:
  • _currentSnapshotTime = scheduleSnapshotTime

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L410-L419

• ID-11 ERC20SnapshotModuleInternal._setCurrentSnapshot() has costly operations inside a loop:
  • _currentSnapshotIndex = scheduleSnapshotIndex

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L410-L419

dead-code

Remark:

function init:

We have theses dead codes because we follow the same architecture and principle as OpenZeppelin,

For example: https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/eb67bf72abb459f9f22fd2a67e8eb87781486042/contracts/access/AccessControlUpgradeable.sol#L82

ID-16- msgData:

• Implemented to be gasless compatible (see MetaTxModule)

• If we remove this function, we will have the following error:

  "Derived contract must override function "_msgData". Two or more base classes define function with same name and parameter types."

Impact: Informational Confidence: Medium

• ID-12 MetaTxModule._msgData() is never used and should be removed

contracts/modules/wrapper/extensions/MetaTxModule.sol#L33-L41

• ID-13 PauseModule.__PauseModule_init(address,uint48) is never used and should be removed

contracts/modules/wrapper/core/PauseModule.sol#L25-L40

• ID-14 ValidationModule.__ValidationModule_init(IEIP1404Wrapper,address,uint48) is never used and should be removed

contracts/modules/wrapper/controller/ValidationModule.sol#L27-L54

• ID-15 ERC20MintModule.__ERC20MintModule_init(string,string,address,uint48) is never used and should be removed

contracts/modules/wrapper/core/ERC20MintModule.sol#L16-L36

• ID-16 CMTAT_BASE._msgData() is never used and should be removed

contracts/modules/CMTAT_BASE.sol#L216-L223

• ID-17 DebtBaseModule.__DebtBaseModule_init(address,uint48) is never used and should be removed

contracts/modules/wrapper/extensions/DebtModule/DebtBaseModule.sol#L58-L75

• ID-18 ERC20BaseModule.__ERC20Module_init(string,string,uint8) is never used and should be removed

contracts/modules/wrapper/core/ERC20BaseModule.sol#L27-L38

• ID-19 CreditEventsModule.__CreditEvents_init(address,uint48) is never used and should be removed

contracts/modules/wrapper/extensions/DebtModule/CreditEventsModule.sol#L25-L42

• ID-20 ERC20BurnModule.__ERC20BurnModule_init(string,string,address,uint48) is never used and should be removed

contracts/modules/wrapper/core/ERC20BurnModule.sol#L15-L35

• ID-21 ValidationModuleInternal.__Validation_init(IEIP1404Wrapper) is never used and should be removed

contracts/modules/internal/ValidationModuleInternal.sol#L28-L33

• ID-22 EnforcementModuleInternal.__Enforcement_init() is never used and should be removed

contracts/modules/internal/EnforcementModuleInternal.sol#L43-L46

• ID-23 ERC20SnapshotModule.__ERC20SnasphotModule_init(string,string,address,uint48) is never used and should be removed

contracts/modules/wrapper/extensions/ERC20SnapshotModule.sol#L19-L43

• ID-24 BaseModule.__Base_init(string,string,string,uint256,address,uint48) is never used and should be removed

contracts/modules/wrapper/core/BaseModule.sol#L39-L59

• ID-25 ERC20SnapshotModuleInternal.__ERC20Snapshot_init(string,string) is never used and should be removed

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L71-L78

• ID-26 EnforcementModule.__EnforcementModule_init(address,uint48) is never used and should be removed

contracts/modules/wrapper/core/EnforcementModule.sol#L25-L42

• ID-27 AuthorizationModule.__AuthorizationModule_init(address,uint48) is never used and should be removed

contracts/modules/security/AuthorizationModule.sol#L29-L42

solc-version

Remark:

The use of the version 0.8.20 is a requirement to update the OpenZeppelin library to the version 5.0.0

Impact: Informational Confidence: High

• ID-28 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/internal/ValidationModuleInternal.sol#L3

• ID-29 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/core/ERC20BurnModule.sol#L3

• ID-30 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/CMTAT_PROXY.sol#L3

• ID-31 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/CMTAT_BASE.sol#L3

• ID-32 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/libraries/Errors.sol#L3

• ID-33 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/mocks/MinimalForwarderMock.sol#L3

• ID-34 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/security/AuthorizationModule.sol#L3

• ID-35 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L3

• ID-36 solc-0.8.20 is not recommended for deployment

• ID-37 Pragma version^0.8.0 allows old versions

contracts/mocks/RuleEngine/interfaces/IRuleEngine.sol#L3

• ID-38 Pragma version^0.8.0 allows old versions

contracts/interfaces/IEIP1404/IEIP1404.sol#L3

• ID-39 Pragma version^0.8.0 allows old versions

contracts/mocks/RuleEngine/interfaces/IRule.sol#L3

• ID-40 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/internal/EnforcementModuleInternal.sol#L3

• ID-41 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/core/BaseModule.sol#L3

• ID-42 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/extensions/DebtModule/DebtBaseModule.sol#L3

• ID-43 Pragma version^0.8.0 allows old versions

contracts/interfaces/IDebtGlobal.sol#L3

• ID-44 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/mocks/RuleEngine/RuleMock.sol#L3

• ID-45 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/core/ERC20MintModule.sol#L3

• ID-46 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/extensions/ERC20SnapshotModule.sol#L3

• ID-47 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/controller/ValidationModule.sol#L3

• ID-48 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/mocks/RuleEngine/CodeList.sol#L3

• ID-49 Pragma version^0.8.0 allows old versions

contracts/interfaces/IEIP1404/IEIP1404Wrapper.sol#L3

• ID-50 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/extensions/DebtModule/CreditEventsModule.sol#L3

• ID-51 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/core/ERC20BaseModule.sol#L3

• ID-52 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/core/PauseModule.sol#L3

• ID-53 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/mocks/RuleEngine/RuleEngineMock.sol#L3

• ID-54 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/extensions/MetaTxModule.sol#L3

• ID-55 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/CMTAT_STANDALONE.sol#L3

• ID-56 Pragma version^0.8.20 necessitates a version too recent to be trusted. Consider deploying with 0.8.18.

contracts/modules/wrapper/core/EnforcementModule.sol#L3

naming-convention

Remark:

It is not really necessary to rename all the variables. It will generate a lot of work for a minor improvement.

Impact: Informational Confidence: High

• ID-57 Variable RuleEngineMock._rules is not in mixedCase

contracts/mocks/RuleEngine/RuleEngineMock.sol#L14

• ID-58 Function ERC20BurnModule.__ERC20BurnModule_init(string,string,address,uint48) is not in mixedCase

contracts/modules/wrapper/core/ERC20BurnModule.sol#L15-L35

• ID-59 Variable CreditEventsModule.__gap is not in mixedCase

contracts/modules/wrapper/extensions/DebtModule/CreditEventsModule.sol#L99

• ID-60 Function EnforcementModuleInternal.__Enforcement_init() is not in mixedCase

contracts/modules/internal/EnforcementModuleInternal.sol#L43-L46

• ID-61 Function AuthorizationModule.__AuthorizationModule_init(address,uint48) is not in mixedCase

contracts/modules/security/AuthorizationModule.sol#L29-L42

• ID-62 Function BaseModule.__Base_init(string,string,string,uint256,address,uint48) is not in mixedCase

contracts/modules/wrapper/core/BaseModule.sol#L39-L59

• ID-63 Enum IEIP1404Wrapper.REJECTED_CODE_BASE is not in CapWords

contracts/interfaces/IEIP1404/IEIP1404Wrapper.sol#L11-L16

• ID-64 Parameter RuleEngineMock.detectTransferRestriction(address,address,uint256)._amount is not in mixedCase

contracts/mocks/RuleEngine/RuleEngineMock.sol#L43

• ID-65 Function ValidationModuleInternal.__Validation_init(IEIP1404Wrapper) is not in mixedCase

contracts/modules/internal/ValidationModuleInternal.sol#L28-L33

• ID-66 Function DebtBaseModule.__DebtBaseModule_init(address,uint48) is not in mixedCase

contracts/modules/wrapper/extensions/DebtModule/DebtBaseModule.sol#L58-L75

• ID-67 Contract CMTAT_PROXY is not in CapWords

contracts/CMTAT_PROXY.sol#L7-L21

• ID-68 Function ERC20SnapshotModuleInternal.__ERC20Snapshot_init(string,string) is not in mixedCase

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L71-L78

• ID-69 Function PauseModule.__PauseModule_init_unchained() is not in mixedCase

contracts/modules/wrapper/core/PauseModule.sol#L42-L44

• ID-70 Function CreditEventsModule.__CreditEvents_init_unchained() is not in mixedCase

contracts/modules/wrapper/extensions/DebtModule/CreditEventsModule.sol#L44-L46

• ID-71 Variable CMTAT_BASE.__gap is not in mixedCase

contracts/modules/CMTAT_BASE.sol#L225

• ID-72 Function EnforcementModuleInternal.__Enforcement_init_unchained() is not in mixedCase

contracts/modules/internal/EnforcementModuleInternal.sol#L48-L50

• ID-73 Variable ValidationModuleInternal.__gap is not in mixedCase

contracts/modules/internal/ValidationModuleInternal.sol#L75

• ID-74 Function ERC20BurnModule.__ERC20BurnModule_init_unchained() is not in mixedCase

contracts/modules/wrapper/core/ERC20BurnModule.sol#L37-L39

• ID-75 Function CreditEventsModule.__CreditEvents_init(address,uint48) is not in mixedCase

contracts/modules/wrapper/extensions/DebtModule/CreditEventsModule.sol#L25-L42

• ID-76 Variable BaseModule.__gap is not in mixedCase

contracts/modules/wrapper/core/BaseModule.sol#L115

• ID-77 Variable ValidationModule.__gap is not in mixedCase

contracts/modules/wrapper/controller/ValidationModule.sol#L144

• ID-78 Function ValidationModule.__ValidationModule_init(IEIP1404Wrapper,address,uint48) is not in mixedCase

contracts/modules/wrapper/controller/ValidationModule.sol#L27-L54

• ID-79 Variable EnforcementModule.__gap is not in mixedCase

contracts/modules/wrapper/core/EnforcementModule.sol#L74

• ID-80 Contract CMTAT_STANDALONE is not in CapWords

contracts/CMTAT_STANDALONE.sol#L7-L52

• ID-81 Variable DebtBaseModule.__gap is not in mixedCase

contracts/modules/wrapper/extensions/DebtModule/DebtBaseModule.sol#L265

• ID-82 Function PauseModule.__PauseModule_init(address,uint48) is not in mixedCase

contracts/modules/wrapper/core/PauseModule.sol#L25-L40

• ID-83 Function EnforcementModule.__EnforcementModule_init(address,uint48) is not in mixedCase

contracts/modules/wrapper/core/EnforcementModule.sol#L25-L42

• ID-84 Variable AuthorizationModule.__gap is not in mixedCase

contracts/modules/security/AuthorizationModule.sol#L80

• ID-85 Parameter RuleEngineMock.validateTransfer(address,address,uint256)._amount is not in mixedCase

contracts/mocks/RuleEngine/RuleEngineMock.sol#L65

• ID-86 Parameter RuleMock.validateTransfer(address,address,uint256)._to is not in mixedCase

contracts/mocks/RuleEngine/RuleMock.sol#L14

• ID-87 Function ERC20BaseModule.__ERC20Module_init_unchained(uint8) is not in mixedCase

contracts/modules/wrapper/core/ERC20BaseModule.sol#L40-L44

• ID-88 Variable EnforcementModuleInternal.__gap is not in mixedCase

contracts/modules/internal/EnforcementModuleInternal.sol#L91

• ID-89 Parameter RuleMock.canReturnTransferRestrictionCode(uint8)._restrictionCode is not in mixedCase

contracts/mocks/RuleEngine/RuleMock.sol#L35

• ID-90 Parameter RuleEngineMock.validateTransfer(address,address,uint256)._to is not in mixedCase

contracts/mocks/RuleEngine/RuleEngineMock.sol#L64

• ID-91 Function BaseModule.__Base_init_unchained(string,string,string,uint256) is not in mixedCase

contracts/modules/wrapper/core/BaseModule.sol#L61-L71

• ID-92 Parameter RuleEngineMock.validateTransfer(address,address,uint256)._from is not in mixedCase

contracts/mocks/RuleEngine/RuleEngineMock.sol#L63

• ID-93 Parameter RuleMock.validateTransfer(address,address,uint256)._amount is not in mixedCase

contracts/mocks/RuleEngine/RuleMock.sol#L15

• ID-94 Function AuthorizationModule.__AuthorizationModule_init_unchained() is not in mixedCase

contracts/modules/security/AuthorizationModule.sol#L51-L53

• ID-95 Variable PauseModule.__gap is not in mixedCase

contracts/modules/wrapper/core/PauseModule.sol#L100

• ID-96 Function CMTAT_BASE.__CMTAT_init_unchained() is not in mixedCase

contracts/modules/CMTAT_BASE.sol#L147-L149

• ID-97 Variable ERC20SnapshotModule.__gap is not in mixedCase

contracts/modules/wrapper/extensions/ERC20SnapshotModule.sol#L103

• ID-98 Parameter RuleMock.detectTransferRestriction(address,address,uint256)._amount is not in mixedCase

contracts/mocks/RuleEngine/RuleMock.sol#L26

• ID-99 Parameter RuleMock.messageForTransferRestriction(uint8)._restrictionCode is not in mixedCase

contracts/mocks/RuleEngine/RuleMock.sol#L41

• ID-100 Function ERC20MintModule.__ERC20MintModule_init_unchained() is not in mixedCase

contracts/modules/wrapper/core/ERC20MintModule.sol#L38-L40

• ID-101 Parameter RuleEngineMock.detectTransferRestriction(address,address,uint256)._to is not in mixedCase

contracts/mocks/RuleEngine/RuleEngineMock.sol#L42

• ID-102 Variable MetaTxModule.__gap is not in mixedCase

contracts/modules/wrapper/extensions/MetaTxModule.sol#L43

• ID-103 Function ERC20BaseModule.__ERC20Module_init(string,string,uint8) is not in mixedCase

contracts/modules/wrapper/core/ERC20BaseModule.sol#L27-L38

• ID-104 Function ERC20SnapshotModule.__ERC20SnasphotModule_init(string,string,address,uint48) is not in mixedCase

contracts/modules/wrapper/extensions/ERC20SnapshotModule.sol#L19-L43

• ID-105 Variable ERC20BurnModule.__gap is not in mixedCase

contracts/modules/wrapper/core/ERC20BurnModule.sol#L96

• ID-106 Variable ERC20BaseModule.__gap is not in mixedCase

contracts/modules/wrapper/core/ERC20BaseModule.sol#L138

• ID-107 Function ERC20MintModule.__ERC20MintModule_init(string,string,address,uint48) is not in mixedCase

contracts/modules/wrapper/core/ERC20MintModule.sol#L16-L36

• ID-108 Contract CMTAT_BASE is not in CapWords

contracts/modules/CMTAT_BASE.sol#L30-L226

• ID-109 Parameter RuleEngineMock.messageForTransferRestriction(uint8)._restrictionCode is not in mixedCase

contracts/mocks/RuleEngine/RuleEngineMock.sol#L75

• ID-110 Variable ERC20MintModule.__gap is not in mixedCase

contracts/modules/wrapper/core/ERC20MintModule.sol#L95

• ID-111 Function CMTAT_BASE.__CMTAT_init(address,uint48,string,string,uint8,string,string,IEIP1404Wrapper,string,uint256) is not in mixedCase

contracts/modules/CMTAT_BASE.sol#L88-L145

• ID-112 Function ValidationModule.__ValidationModule_init_unchained() is not in mixedCase

contracts/modules/wrapper/controller/ValidationModule.sol#L56-L58

• ID-113 Function DebtBaseModule.__DebtBaseModule_init_unchained() is not in mixedCase

contracts/modules/wrapper/extensions/DebtModule/DebtBaseModule.sol#L77-L79

• ID-114 Parameter RuleEngineMock.detectTransferRestriction(address,address,uint256)._from is not in mixedCase

contracts/mocks/RuleEngine/RuleEngineMock.sol#L41

• ID-115 Function ERC20SnapshotModule.__ERC20SnasphotModule_init_unchained() is not in mixedCase

contracts/modules/wrapper/extensions/ERC20SnapshotModule.sol#L45-L47

• ID-116 Function ValidationModuleInternal.__Validation_init_unchained(IEIP1404Wrapper) is not in mixedCase

contracts/modules/internal/ValidationModuleInternal.sol#L35-L42

• ID-117 Variable ERC20SnapshotModuleInternal.__gap is not in mixedCase

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L496

• ID-118 Function EnforcementModule.__EnforcementModule_init_unchained() is not in mixedCase

contracts/modules/wrapper/core/EnforcementModule.sol#L44-L46

• ID-119 Function ERC20SnapshotModuleInternal.__ERC20Snapshot_init_unchained() is not in mixedCase

contracts/modules/internal/ERC20SnapshotModuleInternal.sol#L80-L83

• ID-120 Parameter RuleMock.validateTransfer(address,address,uint256)._from is not in mixedCase

contracts/mocks/RuleEngine/RuleMock.sol#L13

• ID-121 Variable CMTAT_PROXY.__gap is not in mixedCase

contracts/CMTAT_PROXY.sol#L20