# Wintermute Audit Notes
**Auditor:** Jake Bunce
**Client:** Wintermute https://www.wintermute.com/
https://github.com/wintermute-trading/Winterswap-Contracts-Audit/
**Commit:** `22a07bb9b8433fea9ed744c8d176b92170c18002`
## Whitepaper & specification about the project
Whitepaper: https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/README.md
The project is a trading platform.
## Review of the protocol/implementation
**[1] Unlocked Pragma**
**Files Affected:** `contracts/DelayedExecution.sol`, `contracts/Winterswap.sol`, `contracts/StealthDelayedExecution.sol`
Default AL text.
**[2] Redundant Code**
**Files Affected:** `contracts/Winterswap.sol`
**Severity: Informational**
The [`SafeMath()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L23) library is not required with Solidity >= `0.8.0`, where overflow and underflow checks are built into the compiler.
**Recommendations:**
Clarify the intended version of Solidity to use in production and if applicable remove this library from the code base.
**[3] ABI Encoder Statement**
**Files Affected:** `contracts/DelayedExecution.sol`, `contracts/Winterswap.sol`, `contracts/StealthDelayedExecution.sol`
**Severity: Low**
The statement that selects the ABI encoder version, `pragma experimental ABIEncoderV2;`, differs between Solidity versions.
**Recommendations:**
Clarify the intended version of Solidity to use in production and if applicable modify this statement.
**[4] Fixed ChainID**
**Files Affected:** `contracts/Winterswap.sol`, `contracts/DelayedExecution.sol`, `contracts/StealthDelayedExecution.sol`
**Severity: Informational**
Deployment of these smart contracts is currently fixed to Ropsten. Deploying them to mainnet would require a code change in order to support different Ethereum networks.
**Recommendations:**
Pass the ChainID as a constructor argument at deploy time rather than defining it statically in code.
**[5] Clarify Usage of `ETH_ADD`**
**Files Affected:** `contracts/Winterswap.sol`
**Severity: Undefined**
The [`ETH_ADD`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L55) variable is defined as a black hole address, though this address is used for a conditional check in [`makerTransferFunds()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L131).
**Recommendations:**
Please clarify the intention behind this variable assignment.
**[6] Duplication of Code**
**Files Affected:** `contracts/Winterswap.sol`, `contracts/StealthDelayedExecution.sol`, `contracts/DelayedExecution.sol`
**Severity: Medium**
[`assertValidOrder()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L117) is defined in `Winterswap.sol`, `StealthDelayedExecution.sol`, and `DelayedExecution.sol`. The signature validation check differs between these implementations.
**Recommendations:**
Abstract these functions into a library to avoid code duplication.
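
One way to act on findings [4] and [6] together, shown as an added example that is not code from the Winterswap repository: a single library holds the order check, and the chain ID is supplied at deploy time. The `Order` fields, the names `OrderValidation` and `ExampleSwap`, and the signed-message format are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19; // locked compiler version

// Hypothetical order layout and names; not taken from the audited contracts.
library OrderValidation {
    struct Order {
        address maker;
        address token;
        uint256 amount;
        uint256 nonce;
        uint256 expiry;
    }

    // The hash binds the order to one network and one verifying contract.
    function hashOrder(Order memory o, uint256 chainId, address verifier)
        internal pure returns (bytes32)
    {
        return keccak256(
            abi.encode(chainId, verifier, o.maker, o.token, o.amount, o.nonce, o.expiry)
        );
    }

    // Single signature check shared by every contract that imports the library.
    function assertValidOrder(
        Order memory o, uint256 chainId, address verifier,
        uint8 v, bytes32 r, bytes32 s
    ) internal view returns (bytes32 orderHash) {
        require(block.timestamp <= o.expiry, "order expired");
        orderHash = hashOrder(o, chainId, verifier);
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", orderHash)
        );
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == o.maker, "bad signature");
    }
}

contract ExampleSwap {
    uint256 public immutable chainId; // set at deploy, not hard-coded

    constructor(uint256 chainId_) {
        // Reject a deployment whose argument does not match the actual network.
        require(chainId_ == block.chainid, "chain id mismatch");
        chainId = chainId_;
    }

    function checkOrder(OrderValidation.Order calldata o, uint8 v, bytes32 r, bytes32 s)
        external view returns (bytes32)
    {
        return OrderValidation.assertValidOrder(o, chainId, address(this), v, r, s);
    }
}
```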
**[7] Clarify Replay Protection**
**Files Affected:** `contracts/Winterswap.sol`
**Severity: Medium**
As there are two implementations of the signature validation for order replay protection, clarification is needed on how this mechanism is expected to work.
**Recommendations:**
Clarify the mechanism and how it prevents replays.
**[8] Unused Code**
**Files Affected:** `contracts/Winterswap.sol`, `contracts/StealthDelayedExecution.sol`
**Severity: Informational**
[`testOrder()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/Winterswap.sol#L112) is not called by any other functions in this project and there are no docstrings to clarify the intention behind the implementation.
Same applies to [`testHashQuote()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/StealthDelayedExecution.sol#L124) and [`testHashQuote2()`](https://github.com/wintermute-trading/Winterswap-Contracts-Audit/blob/22a07bb9b8433fea9ed744c8d176b92170c18002/contracts/StealthDelayedExecution.sol#L128).
**Recommendations:**
Remove the code if it is not required or document the intention behind the implementation of the public function.
## Best Practices
**[1] Project is lacking docstrings to describe function behaviour**
**[2] Linter errors**
```
Winterswap.sol
52:2 error Line length must be no more than 120 but current length is 129 max-line-length
66:2 error Line length must be no more than 120 but current length is 163 max-line-length
154:2 error Line length must be no more than 120 but current length is 135 max-line-length
StealthDelayedExecution.sol
53:2 error Line length must be no more than 120 but current length is 129 max-line-length
77:2 error Line length must be no more than 120 but current length is 173 max-line-length
183:2 error Line length must be no more than 120 but current length is 141 max-line-length
189:2 error Line length must be no more than 120 but current length is 145 max-line-length
203:2 error Line length must be no more than 120 but current length is 126 max-line-length
DelayedExecution.sol
53:2 error Line length must be no more than 120 but current length is 129 max-line-length
79:2 error Line length must be no more than 120 but current length is 185 max-line-length
173:2 error Line length must be no more than 120 but current length is 167 max-line-length
192:2 error Line length must be no more than 120 but current length is 130 max-line-length
197:2 error Line length must be no more than 120 but current length is 206 max-line-length
214:2 error Line length must be no more than 120 but current length is 132 max-line-length
218:2 error Line length must be no more than 120 but current length is 227 max-line-length
✖ 15 problems (15 errors, 0 warnings)
```