Inside our Hats Finance Audit: The Key Findings

Metrom
3 min read · Jun 13, 2024


Welcome to the second part of our Hats Finance summary. In this post, we delve deeper into the issues identified and share some recommendations for other teams. If you’re curious about our overall experience, you can read about it here.

The audit revealed a total of 9 issues, categorized as follows: 5 low-risk and 4 medium-risk. While there were no high or critical vulnerabilities, the insights gained were invaluable, leading to positive changes to our contract logic.

Low-Risk Findings

The low-risk issues primarily involved missing event parameters, potential gas griefing, and other minor cosmetic concerns. While these issues were not critical, they have been addressed to ensure a smoother and more efficient operation of the Metrom platform.

Medium-Risk Findings

The medium-risk issues prompted us to introduce the following changes in the contract’s logic:

Specific Fee Mechanism Update

Issue: The pre-audit version of the Metrom contract included a “specific fee” feature, allowing us to set fees (in parts per million) for certain campaign creator addresses based on the rewards they distributed through Metrom. This feature, however, had the potential to lead to fee uncertainty as highlighted in Issue 33.

Solution: We pivoted to a new implementation using fee rebates. With fee rebates, we can offer discounts on the protocol fee for creating Metrom campaigns. The final fee is now based on a percentage discount relative to the overall global protocol fee, rather than an absolute value set by address, ensuring consistency and clarity.

Reward Token Whitelist Introduction

Issue: Issue 4 highlighted the necessity for a reward token whitelist, as rebasing reward tokens are currently not supported by Metrom.

Solution: We’ve introduced a reward token whitelist to ensure only supported tokens are used, enhancing the reliability and stability of our reward distribution system. We also introduced a minimum rewards rate, enforced on the contract side, which effectively neutralises denial-of-service (spam) attacks.

Additional Checks for Reward Tokens with Transfer Fees

Issue: Issue 1 pointed out the need for an additional layer of checks to ensure correct accounting when dealing with reward tokens that have fees on transfers.

Solution: We have implemented additional checks to maintain accurate accounting for these tokens, safeguarding the integrity of our reward distribution process.
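To make the three medium-risk changes concrete, here is an added Solidity sketch written for this summary; it is an illustration, not Metrom’s contract code. It combines a rebate expressed relative to a global parts-per-million fee, a reward token whitelist, and balance-delta accounting for fee-on-transfer tokens. The contract and function names (`CampaignFeeSketch`, `effectiveFee`, `deposit`) and the `onlyOwner` gating are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Illustrative sketch only; not Metrom's code. Assumes tokens return bool on transferFrom
// (use a SafeERC20-style wrapper for tokens that do not).
contract CampaignFeeSketch {
    uint32 public constant UNIT = 1_000_000; // fees and rebates are in parts per million
    address public immutable owner;
    uint32 public globalFee;                               // e.g. 10_000 ppm = 1%
    mapping(address => uint32) public rebate;              // fraction of globalFee waived per creator
    mapping(address => bool) public whitelistedToken;      // supported (non-rebasing) reward tokens
    mapping(address => uint256) public accounted;          // rewards actually held, per token

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(uint32 fee) { owner = msg.sender; globalFee = fee; }

    function setGlobalFee(uint32 fee) external onlyOwner { require(fee <= UNIT); globalFee = fee; }
    function setRebate(address creator, uint32 ppm) external onlyOwner { require(ppm <= UNIT); rebate[creator] = ppm; }
    function setWhitelisted(address token, bool ok) external onlyOwner { whitelistedToken[token] = ok; }

    // The rebate is a discount on the global fee, not an absolute per-address fee:
    // changing globalFee moves every creator's effective fee with it, so the
    // discounted fee can never diverge from (or exceed) the global one.
    function effectiveFee(address creator) public view returns (uint32) {
        return uint32(uint256(globalFee) * (UNIT - rebate[creator]) / UNIT);
    }

    function deposit(address token, uint256 amount) external returns (uint256 received, uint256 fee) {
        require(whitelistedToken[token], "token not whitelisted");
        IERC20 erc = IERC20(token);
        uint256 balanceBefore = erc.balanceOf(address(this));
        require(erc.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Credit what actually arrived, not the requested `amount`: a fee-on-transfer
        // token delivers less, and crediting `amount` would over-account rewards.
        received = erc.balanceOf(address(this)) - balanceBefore;
        fee = received * effectiveFee(msg.sender) / UNIT;
        accounted[token] += received - fee;
    }
}
```

Balance-delta accounting assumes the token cannot re-enter `deposit` during `transferFrom`; for tokens with transfer hooks, pair it with a reentrancy guard.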

Challenges and Recommendations

The Hats Finance Audit Competition presented a unique audit style, providing the advantage of more eyes on our code and a higher likelihood of uncovering vulnerabilities.

However, this process was more involved from the developer’s perspective compared to traditional audits, requiring them to classify issues and mediate disputes.

For our first public audit competition, we underestimated the time needed for this. While it wasn’t a significant issue, we recommend future teams account for this additional time in their planning.

We also encountered unnecessary noise from submissions outside the audit’s intended scope. To avoid this, we recommend teams be clear and precise about the scope to save time and effort.

Looking Back

If we were to do it again, being more precise about the audit scope would have greatly enhanced our experience and that of the security researchers, saving us all a lot of time by reducing unnecessary submissions.

This is a key takeaway and a crucial recommendation for any team considering a public audit competition.

Next Steps

We’re gearing up for a public scalability test of our backend with the newly implemented changes, followed by a private Hats Finance audit.

We’re also in talks with 0xCommit to follow up with a secondary audit of our contracts.

Stay tuned to our social channels for news on these tests and other developments.

About Metrom: Metrom is a user-friendly and efficient liquidity mining platform designed for both campaign creators and liquidity providers, specifically targeting Concentrated Liquidity AMMs (CLAMMs).

Follow us on X (Formerly Twitter)

Join our Telegram group

Visit our landing page
