Slither Report Checklist

This issue tracks the findings from the latest Slither static analysis run. Below are the identified items grouped by severity and type, with action items to review or fix.

Sections: Security Critical; Optimization & Technical Concerns; Style & Cleanup
Security Critical
[High] Review ChatterPay._payPrefund: ETH is sent to an arbitrary address (msg.sender) via a low-level .call. Confirm that the EntryPoint is trusted and that this is safe.
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#functions-that-send-ether-to-arbitrary-destinations
[High] Add zero address checks for the following:
  - ChatterPayPaymaster.constructor: _backendSigner
  - ChatterPayPaymaster.execute: dest
  - ChatterPayWalletFactory.getProxyOwner: proxy
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation
[High] Review for possible reentrancy in ChatterPayWalletFactory.createProxy: the external call (new ERC1967Proxy(...)) is made before writing to state (proxies.push(...)) and emitting the event.
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-2
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-3
Optimization & Technical Concerns

[Medium] Avoid external calls inside loops (gas & DoS risks). Found in:
  - ChatterPay.initialize: feed.decimals()
  - ChatterPay.executeBatchTokenTransfer: IERC20(token).balanceOf(...)
  - ChatterPay._getTokenPrice: priceFeed.latestRoundData()
  - ChatterPay._calculateFee: IERC20Extended(token).decimals()
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation/#calls-inside-a-loop
[Medium] Low-level .call usage detected. Consider replacing with safer alternatives or ensure proper checks:
  - ChatterPay.execute
  - ChatterPay._payPrefund
  - ChatterPayPaymaster.execute
  - ChatterPayPaymaster.withdraw
  - ChatterPayWalletFactory.getProxyOwner
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls
[Medium] Handle unused return values properly:
  - ChatterPay._getTokenPrice: ignores return values from priceFeed.latestRoundData()
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#unused-return
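For the unused-return item above, the following is an added illustration (not ChatterPay's code) of reading latestRoundData() with every return value bound and validated; the maxAge window, the error names and the trimmed-down aggregator interface are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal copy of Chainlink's AggregatorV3Interface so the example compiles
// stand-alone (the real one is in @chainlink/contracts).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

library PriceFeedReader {
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    // The pattern Slither's unused-return detector flags: only `answer` is kept,
    // so a zero or negative answer and a stale or unfinished round all pass
    // through as a valid price.
    function getPriceUnchecked(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer);
    }

    // Hardened version: every return value is bound and checked before the
    // price is used. `maxAge` (assumed here, e.g. the feed's heartbeat plus a
    // margin) bounds how old the last update may be.
    function getPriceChecked(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (uint256 price, uint8 feedDecimals)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt, maxAge);
        }
        // Older feeds report answeredInRound < roundId while a round is still
        // open; newer OCR feeds always return roundId, so the check is a no-op there.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        return (uint256(answer), feed.decimals());
    }
}
```

Callers should scale by the returned feedDecimals rather than assuming a fixed precision, since Chainlink feeds differ in decimals.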
[Medium] Consider marking the following variables as immutable:
  - ChatterPayPaymaster.backendSigner
  - ChatterPayPaymaster.entryPoint
  - ChatterPayPaymaster.owner
  - ChatterPayWalletFactory.paymaster
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#state-variables-that-could-be-declared-immutable
[Medium] Inline assembly detected, verify it's safe and necessary:
  - ChatterPay.implementation
  - ChatterPayWalletFactory.getProxyOwnerAddress
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#assembly-usage
Style & Cleanup
[Low] Rename parameters and variables to follow the mixedCase convention (e.g., avoid _snake_case in parameters like _entryPoint, _owner, etc.).
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#conformance-to-solidity-naming-conventions
[Low] Remove unused variable:
  - ChatterPay.__gap is declared but not used
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#unused-state-variable
[Low] Implement missing interface function:
  - ChatterPayWalletFactory does not implement IChatterPayWalletFactory.owner()
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#unimplemented-functions
[Informational] Reduce cyclomatic complexity in ChatterPay.initialize (currently at 14).
  ↳ https://github.com/crytic/slither/wiki/Detector-Documentation#cyclomatic-complexity