audit: misc improvements#420
Conversation
There was a problem hiding this comment.
Summary of Changes
Hello @keyleu, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request introduces several improvements and optimizations across the smart contracts. The primary focus is on enabling UUPS upgradeability for the vault contracts, applying gas optimizations by adjusting function visibilities, and making a state variable immutable for better security and efficiency. There are also minor refactorings and a subtle change in how the sender's address is retrieved in certain deposit functions.
Highlights
- Upgradeability (UUPS): I've enabled UUPS (Universal Upgradeable Proxy Standard) upgradeability for
OneWayVault.solandValenceVault.solby adding the__UUPSUpgradeable_init()call in their respective initializer functions. This allows these contracts to be upgraded in the future. - Solidity Visibility Optimizations: I've updated the visibility of several functions from
publictoexternalacrossProcessorBase.solandOneWayVault.sol. This includesaddAuthorizedAddress,removeAuthorizedAddress,initializer,updateConfig,withdraw, andredeem. This is a common gas optimization in Solidity for functions only intended to be called from outside the contract. - Immutability: In
Authorization.sol, I've marked thestoreCallbacksstate variable asimmutable. This ensures its value is set once during construction and cannot be changed, improving security and gas efficiency. - Minor Refactoring and Logic Reordering: I've performed minor refactoring, such as combining variable declarations and assignments for
assetsAfterFeeandfeeinOneWayVault.sol. Additionally, inAuthorization.sol, I've reordered the increment ofexecutionIdto occur before forwarding the message to the processor. - Context Sender Change: In
OneWayVault.sol, I've replaced_msgSender()withmsg.senderin the_depositcalls withindepositanddepositWithFee. While_msgSender()is typically used for proxy compatibility, this change uses the direct caller's address.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request introduces a variety of useful improvements to the Solidity contracts, enhancing gas efficiency, security, and code quality. Key changes include using immutable for state variables set at construction, changing function visibility from public to external for gas savings, and fixing a bug by adding the necessary __UUPSUpgradeable_init() call in the vault initializers. The reordering of operations in Authorization.sol to follow the Checks-Effects-Interactions pattern is also a welcome security improvement.
My main feedback concerns the replacement of _msgSender() with msg.sender in the vault contracts. While functionally correct for direct calls, this change removes the built-in support for meta-transactions provided by the OpenZeppelin framework, potentially limiting future extensibility. I've left a couple of suggestions to revert this specific change to maintain consistency and flexibility.
blazeit