Levana Perps Passes Security Audit by FYEO: A Comprehensive Summary of the Audit Report

By Levana Dragon Rider. Published in Levana Protocol, Apr 28, 2023.

A link to the full audit report can be found here

Introduction: Levana Foundation recently engaged FYEO Inc. to perform a security assessment of the Levana Protocol. The audit was successfully passed after the Levana team remediated all identified issues. In this blog post, we provide a comprehensive summary of the audit report, highlighting key findings, technical analyses, and recommendations provided by FYEO.

Overview: The security assessment was conducted remotely by the FYEO Security Team between March 6 and April 13, 2023. The primary objectives of the assessment were to evaluate Levana’s overall security posture, assess the maturity and adequacy of the security measures in place, identify potential issues, and recommend improvements based on the test results.

Key Findings: Four issues were identified during the testing period, which were subsequently remediated by the Levana team. These issues included:

  1. FYEO-LEVANA-01 — Attackers could modify other users’ positions via the trigger order flow.
  2. FYEO-LEVANA-02 — Users could remove collateral without impacting notional size.
  3. FYEO-LEVANA-03 — Users’ funds could be locked when performing operations that accept native tokens.
  4. FYEO-LEVANA-04 — Users incurred additional fees when calling removal updates in the CW20 handler.

Technical Analyses and Findings: The security assessment revealed one critical severity finding, one medium severity finding, and two low severity findings. All of these findings were remediated by the Levana team, and the code was deemed ready for mainnet launch.

General Observations: FYEO commended the Levana team for their well-written documentation, responsive communication, comprehensive invariant checks, and extensive test coverage provided in the multi-test files.

Remediation Recommendations: For each of the identified issues, FYEO provided specific recommendations:

  1. FYEO-LEVANA-01: To mitigate this critical vulnerability, FYEO recommended implementing authority checks when setting trigger orders, allowing only the owner of a position to set their own trigger orders.
  2. FYEO-LEVANA-02: To address this medium severity issue, FYEO advised incorporating checks to verify notional size changes according to the updates made, preventing users from removing collateral without affecting notional size.
  3. FYEO-LEVANA-03: For this low severity issue, the Levana team remediated the problem, ensuring that users’ funds were no longer locked when performing operations that accept native tokens.
  4. FYEO-LEVANA-04: To resolve this low severity issue, FYEO recommended encouraging users to avoid the nested CW20 position update handlers and use the alternate path. Additionally, they suggested either removing the nested handlers or forcing users to use the path that does not require extra fees.

Conclusion: After successfully addressing all identified issues, Levana Perps received approval from FYEO for its mainnet launch. The security audit demonstrated Levana’s commitment to ensuring a secure and robust protocol for its users, highlighting the effectiveness of its security measures and the team’s responsiveness to addressing potential vulnerabilities.

Next Steps: Levana Perps is gearing up for a mainnet launch in July of 2023. A second audit by a different third party will review the code, and another issue report will be created.

Test out the beta of Levana Perps here

Learn how to provide liquidity here

Join our Telegram community of beta testers here
