Contracts minor audit by 0xHattoriHanzo

contracts/Distribution.sol

@@ -63,6 +63,9 @@ contract Distribution is IDistribution, OwnableUpgradeable, UUPSUpgradeable {
             createPool(poolsInfo_[i]);
         }
 
+        require(depositToken_ != address(0), "DS: invalid depositToken_ value");
+        require(l1Sender_ != address(0), "DS: invalid l1Sender_ value");
+
         depositToken = depositToken_;
         l1Sender = l1Sender_;
     }
@@ -172,10 +175,10 @@ contract Distribution is IDistribution, OwnableUpgradeable, UUPSUpgradeable {
         userData.rate = currentPoolRate_;
         userData.pendingRewards = 0;
 
+        emit UserClaimed(poolId_, user_, receiver_, pendingRewards_);
+
         // Transfer rewards
         L1Sender(l1Sender).sendMintMessage{value: msg.value}(receiver_, pendingRewards_, user_);
-
-        emit UserClaimed(poolId_, user_, receiver_, pendingRewards_);
     }
 
     function withdraw(uint256 poolId_, uint256 amount_) external poolExists(poolId_) poolPublic(poolId_) {
@@ -257,7 +260,7 @@ contract Distribution is IDistribution, OwnableUpgradeable, UUPSUpgradeable {
             newDeposited_ = deposited_ - amount_;
 
             require(amount_ > 0, "DS: nothing to withdraw");
-            require(newDeposited_ >= pool.minimalStake || newDeposited_ == 0, "DS: invalid withdraw amount");
+            require(newDeposited_ >= pool.minimalStake || newDeposited_ <= 0, "DS: invalid withdraw amount");
         } else {
             newDeposited_ = deposited_ - amount_;
         }

contracts/L1Sender.sol

@@ -46,6 +46,7 @@ contract L1Sender is IL1Sender, OwnableUpgradeable, UUPSUpgradeable {
     }
 
     function setDistribution(address distribution_) public onlyOwner {
+        require(distribution_ != address(0), "L1S: invalid distribution");
         distribution = distribution_;
     }
 
@@ -56,27 +57,27 @@ contract L1Sender is IL1Sender, OwnableUpgradeable, UUPSUpgradeable {
     function setDepositTokenConfig(DepositTokenConfig calldata newConfig_) public onlyOwner {
         require(newConfig_.receiver != address(0), "L1S: invalid receiver");
 
-        DepositTokenConfig storage oldConfig = depositTokenConfig;
+        DepositTokenConfig memory oldConfig = depositTokenConfig;
+
+        depositTokenConfig = newConfig_;
 
         _replaceDepositToken(oldConfig.token, newConfig_.token);
         _replaceDepositTokenGateway(oldConfig.gateway, newConfig_.gateway, oldConfig.token, newConfig_.token);
-
-        depositTokenConfig = newConfig_;
     }
 
     function _replaceDepositToken(address oldToken_, address newToken_) private {
         bool isTokenChanged_ = oldToken_ != newToken_;
 
         if (oldToken_ != address(0) && isTokenChanged_) {
             // Remove allowance from stETH to wstETH
-            IERC20(unwrappedDepositToken).approve(oldToken_, 0);
+            require(IERC20(unwrappedDepositToken).approve(oldToken_, 0), "L1S: remove old token allowance failed");
         }
 
         if (isTokenChanged_) {
             // Get stETH from wstETH
             address unwrappedToken_ = IWStETH(newToken_).stETH();
             // Increase allowance from stETH to wstETH. To exchange stETH for wstETH
-            IERC20(unwrappedToken_).approve(newToken_, type(uint256).max);
+            require(IERC20(unwrappedToken_).approve(newToken_, type(uint256).max), "L1S: new token allowance failed");
 
             unwrappedDepositToken = unwrappedToken_;
         }
@@ -91,11 +92,17 @@ contract L1Sender is IL1Sender, OwnableUpgradeable, UUPSUpgradeable {
         bool isAllowedChanged_ = (oldToken_ != newToken_) || (oldGateway_ != newGateway_);
 
         if (oldGateway_ != address(0) && isAllowedChanged_) {
-            IERC20(oldToken_).approve(IGatewayRouter(oldGateway_).getGateway(oldToken_), 0);
+            require(
+                IERC20(oldToken_).approve(IGatewayRouter(oldGateway_).getGateway(oldToken_), 0),
+                "L1S: remove old gateway allowance failed"
+            );
         }
 
         if (isAllowedChanged_) {
-            IERC20(newToken_).approve(IGatewayRouter(newGateway_).getGateway(newToken_), type(uint256).max);
+            require(
+                IERC20(newToken_).approve(IGatewayRouter(newGateway_).getGateway(newToken_), type(uint256).max),
+                "L1S: new gateway allowance failed"
+            );
         }
     }
 

contracts/L2MessageReceiver.sol

@@ -24,6 +24,7 @@ contract L2MessageReceiver is IL2MessageReceiver, OwnableUpgradeable, UUPSUpgrad
     }
 
     function setParams(address rewardToken_, Config calldata config_) external onlyOwner {
+        require(rewardToken_ != address(0), "L2MR: invalid reward token");
         rewardToken = rewardToken_;
         config = config_;
     }
@@ -59,11 +60,11 @@ contract L2MessageReceiver is IL2MessageReceiver, OwnableUpgradeable, UUPSUpgrad
         require(payloadHash_ != bytes32(0), "L2MR: no stored message");
         require(keccak256(payload_) == payloadHash_, "L2MR: invalid payload");
 
-        _nonblockingLzReceive(senderChainId_, senderAndReceiverAddresses_, payload_);
-
         delete failedMessages[senderChainId_][senderAndReceiverAddresses_][nonce_];
 
         emit RetryMessageSuccess(senderChainId_, senderAndReceiverAddresses_, nonce_, payload_);
+
+        _nonblockingLzReceive(senderChainId_, senderAndReceiverAddresses_, payload_);
     }
 
     function _blockingLzReceive(

contracts/L2TokenReceiver.sol

@@ -28,6 +28,9 @@ contract L2TokenReceiver is IL2TokenReceiver, OwnableUpgradeable, UUPSUpgradeabl
         __Ownable_init();
         __UUPSUpgradeable_init();
 
+        require(router_ != address(0), "L2TR: invalid router_ value");
+        require(nonfungiblePositionManager_ != address(0), "L2TR: invalid nonfungiblePositionManager_ value");
+
         router = router_;
         nonfungiblePositionManager = nonfungiblePositionManager_;
 
@@ -144,12 +147,12 @@ contract L2TokenReceiver is IL2TokenReceiver, OwnableUpgradeable, UUPSUpgradeabl
         require(newParams_.tokenIn != address(0), "L2TR: invalid tokenIn");
         require(newParams_.tokenOut != address(0), "L2TR: invalid tokenOut");
 
+        params = newParams_;
+
         TransferHelper.safeApprove(newParams_.tokenIn, router, type(uint256).max);
         TransferHelper.safeApprove(newParams_.tokenIn, nonfungiblePositionManager, type(uint256).max);
 
         TransferHelper.safeApprove(newParams_.tokenOut, nonfungiblePositionManager, type(uint256).max);
-
-        params = newParams_;
     }
 
     function _authorizeUpgrade(address) internal view override onlyOwner {}