# Wintermute Audit Notes

**Auditor:** Jake Bunce

**Client:** Wintermute

https://www.wintermute.com/

https://github.com/wintermute-trading/Winterswap-Contracts-Audit/

**Commit:** `22a07bb9b8433fea9ed744c8d176b92170c18002`

## Whitepaper & specification about the project

Whitepaper: https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/README.md

Project is a trading platform.

## Review of the protocol/implementation

**[1] Unlocked Pragma**

**Files Affected:** `contracts/DelayedExecution.sol`, `contracts/Winterswap.sol`, `contracts/StealthDelayedExecution.sol`

Default AL text.

**[2] Redundant Code**

**Files Affected:** `contracts/Winterswap.sol`

**Severity: Informational**

The library [`SafeMath()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L23) is not required with Solidity `>= 0.8.0`, which performs checked arithmetic natively.

**Recommendations:** Clarify the intended version of Solidity to use in production and, if applicable, remove this library from the code base.

**[3] ABI Encoder Statement**

**Files Affected:** `contracts/DelayedExecution.sol`, `contracts/Winterswap.sol`, `contracts/StealthDelayedExecution.sol`

**Severity: Low**

Statements for the ABI Encoder version (`pragma experimental ABIEncoderV2;`) differ between Solidity versions.

**Recommendations:** Clarify the intended version of Solidity to use in production and, if applicable, modify this statement.

**[4] Fixed ChainID**

**Files Affected:** `contracts/Winterswap.sol`, `contracts/DelayedExecution.sol`, `contracts/StealthDelayedExecution.sol`

**Severity: Informational**

Deployment of these smart contracts is currently fixed to Ropsten. When they are deployed to mainnet, a code change would be required in order to support a different Ethereum network.

**Recommendations:** Pass the ChainID as a constructor argument at deploy time rather than defining it statically in code.
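For illustration of finding [4], the following contrasts a compile-time chain id with one supplied at deployment. This is an added example written for these notes, not code from the Winterswap repository; that the chain id feeds an EIP-712-style domain separator, the `"Winterswap"` domain name, and the `block.chainid` cross-check (available from Solidity `0.8.0`) are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Winterswap code. Assumes the chain id is consumed by an
// EIP-712-style domain separator; the "Winterswap" domain name is likewise an
// assumption for the example.

bytes32 constant DOMAIN_TYPEHASH =
    keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)");

// Weak form: the chain id is hard-wired to Ropsten (chain id 3). Deploying to
// mainnet or any other network needs a source change, and until then every
// signature is bound to the wrong domain.
contract FixedChainIdDomain {
    uint256 public constant CHAIN_ID = 3;
    bytes32 public immutable DOMAIN_SEPARATOR;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(
            abi.encode(DOMAIN_TYPEHASH, keccak256("Winterswap"), CHAIN_ID, address(this))
        );
    }
}

// Recommended form: the deployer passes the chain id as a constructor argument,
// so the same bytecode serves Ropsten, mainnet or a local test network without
// a code change. On >= 0.8.0 the argument is cross-checked against
// block.chainid so a mistyped deploy parameter reverts at construction instead
// of producing a contract whose signatures never verify.
contract DeployTimeChainIdDomain {
    uint256 public immutable chainId;
    bytes32 public immutable DOMAIN_SEPARATOR;

    constructor(uint256 _chainId) {
        require(_chainId == block.chainid, "chain id mismatch");
        chainId = _chainId;
        DOMAIN_SEPARATOR = keccak256(
            abi.encode(DOMAIN_TYPEHASH, keccak256("Winterswap"), _chainId, address(this))
        );
    }
}
```

Deployment scripts then supply the id explicitly (for example `3` on Ropsten and `1` on mainnet), and the `require` turns a wrong value into an immediate failed deployment rather than a silent signature-verification problem discovered later.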
**[5] Clarify Usage of `ETH_ADD`**

**Files Affected:** `contracts/Winterswap.sol`

**Severity: Undefined**

The [`ETH_ADD`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L55) variable is defined as a black hole address, yet this address is used for a conditional check in [`makerTransferFunds()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L131).

**Recommendations:** Please clarify the intention behind this variable assignment.

**[6] Duplication of Code**

**Files Affected:** `contracts/Winterswap.sol`, `contracts/StealthDelayedExecution.sol`, `contracts/DelayedExecution.sol`

**Severity: Medium**

[`assertValidOrder()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L117) is defined in `Winterswap.sol`, `StealthDelayedExecution.sol`, and `DelayedExecution.sol`. The signature validation check differs between these implementations.

**Recommendations:** Abstract these functions into a library to avoid code duplication.

**[7] Clarify Replay Protection**

**Files Affected:** `contracts/Winterswap.sol`

**Severity: Medium**

As there are two implementations of the signature validation used for order replay protection, clarification is needed on how this mechanism is expected to work.

**Recommendations:** Clarify the mechanism and how it prevents replays.

**[8] Unused Code**

**Files Affected:** `contracts/Winterswap.sol`, `contracts/StealthDelayedExecution.sol`

**Severity: Informational**

[`testOrder()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L112) is not called by any other function in this project, and there are no docstrings to clarify the intention behind the implementation.
The same applies to [`testHashQuote()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/StealthDelayedExecution.sol#L124) and [`testHashQuote2()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/StealthDelayedExecution.sol#L128).

**Recommendations:** Remove the code if it is not required, or document the intention behind the implementation of these public functions.

## Best Practices

**[1] Project is lacking docstrings to describe function behaviour**

**[2] Linter errors**

```
Winterswap.sol
   52:2  error  Line length must be no more than 120 but current length is 129  max-line-length
   66:2  error  Line length must be no more than 120 but current length is 163  max-line-length
  154:2  error  Line length must be no more than 120 but current length is 135  max-line-length

StealthDelayedExecution.sol
   53:2  error  Line length must be no more than 120 but current length is 129  max-line-length
   77:2  error  Line length must be no more than 120 but current length is 173  max-line-length
  183:2  error  Line length must be no more than 120 but current length is 141  max-line-length
  189:2  error  Line length must be no more than 120 but current length is 145  max-line-length
  203:2  error  Line length must be no more than 120 but current length is 126  max-line-length

DelayedExecution.sol
   53:2  error  Line length must be no more than 120 but current length is 129  max-line-length
   79:2  error  Line length must be no more than 120 but current length is 185  max-line-length
  173:2  error  Line length must be no more than 120 but current length is 167  max-line-length
  192:2  error  Line length must be no more than 120 but current length is 130  max-line-length
  197:2  error  Line length must be no more than 120 but current length is 206  max-line-length
  214:2  error  Line length must be no more than 120 but current length is 132  max-line-length
  218:2  error  Line length must be no more than 120 but current length is 227  max-line-length

✖ 15 problems (15 errors, 0 warnings)
```