NAOS Formation Audit Review & Bounty Program Launch

Darren Goh
NAOS Finance — Official Publications
4 min read · Jun 30, 2021

NAOS Finance engaged Quantstamp to perform a security audit for Formation smart contracts. The commit hash of audited code was taken from our Github repositories:

  1. Audit: 19f4967bc36724296c6755af2c19dab6215786a8
  2. Re-Audit: c125272892094d9e7b49e1e85b59161bb300de8a

The audit was completed with no high risk issue, 3 medium risk issues, 5 low risk issues, 7 informational risk issues and 1 undetermined risk issue. Of the 16 total findings, we have resolved 13 issues and acknowledged 3 issues.

Possible issues we looked for included (but are not limited to):

  • Transaction-ordering dependence
  • Timestamp dependence
  • Mishandled exceptions and call stack limits
  • Unsafe external calls, integer overflow/underflow
  • Reentrancy and cross-function vulnerabilities
  • Denial of services / logical oversights / number rounding errors
  • Centralization of power, access control
  • Business logic contradicting the specification
  • Code clones, functionality duplication, gas usage, arbitrary token minting

Here we’ll discuss all 3 medium risk issues and the other 2 acknowledged issues:

#1 Possible to migrate to the same adapter (Medium Risk / Mitigated)

Issue Description:

Using migrate() function to invoke _updateActiveVault() may add the same adapter multiple times. This would cause accounting errors between Formation and the adapter. While the migrate() function is limited to the governance, checks should be in place to prevent incorrect behaviour.

NAOS Action:

A require statement was added to check whether the new adapter is the same as the current adapter; if so, the transaction is reverted.
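The shape of that mitigation, as an added illustration rather than the Formation code itself: a minimal governance-controlled contract whose migrate() routes through an internal _updateActiveVault() that refuses the adapter already in use. The contract, interface and function names are assumptions modelled on the finding's wording, not NAOS identifiers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative stand-in for a vault adapter; only the surface this example needs.
interface IVaultAdapter {
    function token() external view returns (address);
}

/// Minimal example of guarding migrate() against re-adding the active adapter.
/// Not Formation's code: names and layout are assumptions for illustration.
contract MigrateGuardExample {
    address public governance;
    IVaultAdapter[] public vaults; // adapter history; the last entry is the active one

    event ActiveVaultUpdated(address indexed adapter);

    modifier onlyGov() {
        require(msg.sender == governance, "only governance");
        _;
    }

    constructor(IVaultAdapter initialAdapter) {
        governance = msg.sender;
        vaults.push(initialAdapter);
        emit ActiveVaultUpdated(address(initialAdapter));
    }

    /// Governance-only migration to a new adapter (the entry point from finding #1).
    function migrate(IVaultAdapter newAdapter) external onlyGov {
        _updateActiveVault(newAdapter);
    }

    function _updateActiveVault(IVaultAdapter newAdapter) internal {
        require(address(newAdapter) != address(0), "zero adapter");
        IVaultAdapter current = vaults[vaults.length - 1];
        // Mitigation: reject migrating to the adapter that is already active,
        // so the same adapter is never pushed twice and accounting stays consistent.
        require(address(newAdapter) != address(current), "same adapter");
        // Keep the migration within the same underlying token.
        require(newAdapter.token() == current.token(), "token mismatch");
        vaults.push(newAdapter);
        emit ActiveVaultUpdated(address(newAdapter));
    }

    function activeVault() external view returns (IVaultAdapter) {
        return vaults[vaults.length - 1];
    }
}
```

The governance restriction alone does not prevent the duplicate entry; the explicit inequality check is what turns an operator mistake into a revert instead of a silent accounting error.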

#2 Unchecked Return Value (Medium Risk / Acknowledged)

Issue Description:

Most functions will return a true or false value upon success. Some functions, like send(), are more crucial to check than others. It’s important to ensure that every relevant function is checked.

NAOS Action:

The return value from yearn is not a simple boolean, so we are unable to make a clear-cut decision based on the response. Emergency mode can be set to stop depositing.

#3 Oracle price could be stale (Medium Risk / Fixed)

Issue Description:

The Chainlink deprecated API latestAnswer() is used to fetch the price and may be outdated.

NAOS Action:

We replaced the deprecated Chainlink API latestAnswer() with latestRoundData(). A maximum tolerable delay is added to ensure the oracle is reporting fresh data.
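An added example of the freshness check described above, not Formation's own code: it reads latestRoundData() from Chainlink's AggregatorV3Interface (a real interface) and rejects answers older than a configured maximum delay. The contract name, the maxDelay setting and the surrounding checks are assumptions about how such a guard is typically written.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Subset of Chainlink's AggregatorV3Interface with the real signature used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Example consumer that refuses stale oracle prices.
/// Not Formation's code: contract name and maxDelay handling are assumptions.
contract StalePriceGuardExample {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxDelay; // maximum tolerable age of a price, in seconds

    constructor(AggregatorV3Interface _feed, uint256 _maxDelay) {
        require(_maxDelay > 0, "zero delay");
        feed = _feed;
        maxDelay = _maxDelay;
    }

    // Before the fix (finding #3), the deprecated latestAnswer() returned only a
    // price, with no timestamp, so a consumer could not tell whether it was current:
    //     return feed.latestAnswer();

    /// Returns the latest price, reverting if the round is incomplete or too old.
    function getPrice() external view returns (uint256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        require(answer > 0, "invalid price");
        require(updatedAt != 0, "round not complete");
        require(answeredInRound >= roundId, "stale round");
        // The maximum tolerable delay: anything older than maxDelay is rejected.
        require(block.timestamp - updatedAt <= maxDelay, "price too old");
        return uint256(answer);
    }
}
```

maxDelay should be set a little above the feed's heartbeat so that normal update cadence passes while a halted or lagging feed causes callers to revert rather than transact on an outdated price.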

#4 Privileged roles and ownership (Low Risk / Acknowledged)

Issue Description:

The governance of the system holds a significant amount of power.

NAOS Action:

After deployment, the governance role will be transferred to the NAOS multisig account which consists of NAOS core team members and trusted community members. The setting of the protocol will follow the decision of the NAOS governance process.

#5 Economic attack vector exists due to flush() (Informational Risk / Acknowledged)

Issue Description:

Because the “flush” function pushes funds from Formation into the underlying vault, it forces an exchange of the underlying token for the external vault’s share token.

NAOS Action:

To address this issue, we choose the DeFi project(s) used as the underlying vault carefully. Also, the sentinel can set emergency mode to stop depositing.

Next Steps

Overall, we believe the Formation smart contract is technically robust and sound. That being said, we’ll continue to make the safety of the product our top priority above all else. We’re planning to engage other auditors to evaluate the smart contract in the near future. Additionally, we’ll take a “continuous audit” approach by working closely with white hat consultants, and we are officially launching the bounty program today! More information here:

Docs: https://naosfinance.gitbook.io/naos-finance/

Github: https://github.com/NAOS-Finance

Audit Report: https://certificate.quantstamp.com/full/naos-formation

Bounty Program: https://immunefi.com/bounty/naos/

About Quantstamp

Quantstamp is the leader in blockchain security, having performed over 200 audits and secured over $100 billion in value. Quantstamp services include securing Layer 1 blockchains and smart-contract-powered NFT and DeFi applications.

Quantstamp has performed audits for Maker, Curve, Sushi, Compound, Polygon, KeepDAO, Flow, Avalanche, Cardano, NEAR, Conflux, NBA Top Shot, SuperRare among others.

About NAOS Finance

NAOS Finance is a DeFi lending protocol allowing lenders and SME borrowers to facilitate permissionless and borderless lending/borrowing transactions on the blockchain. Built on Ethereum, our platform lets users tokenize real-world assets and lend against them.

We operate compliantly and legally in top markets around the globe, maintaining safety as a top priority and fostering enhanced trust in the lending/borrowing process.

Website | Whitepaper | Telegram Announcements Channel | Telegram Community | Twitter
