Introduction
We express our gratitude to the Arbitrove Protocol team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Arbitrove Protocol is a yield-bearing index protocol that allows people to one-click mint an index that gives exposure to a batch of strategies consisting of yield-bearing assets.
| title | content |
|---|---|
| Platform | EVM, Arbitrum One, Arbitrum Nova |
| Language | Solidity, Vyper |
| Tags | Index Protocol |
| Timeline | 01/04/2023 - 31/05/2023 |
| Methodology | https://hackenio.cc/sc_methodology |
| Review Scope | |
|---|---|
| Repository | https://github.com/nitroarthur/arbitrove-smart-contracts/ |
| Commit | 3bb9ee7 |
Audit Summary
Security score: 10/10
Test coverage: 100%
Code quality score: 10/10
Documentation quality score: 8/10
The system users should acknowledge all the risks summed up in the Risks section of the report.
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
| Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Arbitrove Protocol |
| Audited By | Hacken |
| Website | https://nitrocartel.finance/ |
| Changelog | 04/04/2023 - Initial Review |
| | 03/05/2023 - Second Review |
| | 31/05/2023 - Third Review |
System Overview
Arbitrove Protocol is a yield-bearing index protocol that allows people to one-click mint an index that gives exposure to a batch of strategies consisting of yield-bearing assets. Unlike traditional index protocols that only hold tokens, Arbitrove Protocol dynamically deploys capital to strategies.
The contracts in scope are:
Router.vy - entry point for users to interact with the Vault.
Vault.sol - facilitates the deposit and withdrawal of funds, and helps manage assets across different strategies. Interactions with this contract are sent through the Router.
AddressRegistry.sol - manages the mapping of strategies to supported coins.
FeeOracle.sol - implements a fee oracle that provides deposit and withdrawal fees to be used by the Vault contract. The fees are based on the current weight of a coin in the Vault compared to its target weight.
Privileged roles
Router: it is the entry point for users to interact with the Vault.
DarkOracle: oracle used in Router to get price and input parameters, as well as having access control privileges to some functions.
Owner: set in the initialization functions of the contracts. Has admin privileges to update management state variables.
User: can interact with the system to deposit funds in exchange for an interest-bearing indexed token, and vice versa.
Recommendations
Increase test coverage to 100%.
Provide documentation (or code) for dark oracle (and strategies, if possible).
Use 3/5 multi-signature wallets for all privileged roles in the system.
Update public documentation about all privileged roles and their functions, and their impact on the protocol. Describe the rebalancing mechanism and the approval process for the strategy.
Executive Summary
Documentation quality
The total Documentation quality score is 8 out of 10.
Functional requirements provided.
Technical documentation is provided but limited.
Code quality
The total Code quality score is 10 out of 10.
The development environment is configured.
Small style guide violations.
Test coverage
Code coverage of the project is 100% (branch coverage).
Security score
Upon auditing, the code was found to contain 2 critical, 9 high, 27 medium, and 22 low severity issues. Out of these, 58 issues have been addressed and resolved, leading to a Security score of 10 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 9.8. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Risks
The system is highly centralized; each privileged role, if compromised, can lead to a loss of user funds.
The Dark Oracle role used to provide token prices in Router.vy is highly privileged; all systems behind this role are not part of this audit. There are no guarantees that this oracle behaves as expected or that the token prices provided in the processMintRequest() and processBurnRequest() functions will be correct.
Many of the key elements of the system (vault, oracles, strategies) can be changed by the owner at any time.
Strategies and tokens used by the protocol cannot be validated, as they are outside the scope of the audit.
In the case of a Dark Oracle account compromise, an attacker could interact with the router and provide incorrect token prices.
The function getAmountAcrossStrategies() in Vault.sol calls the method getComponentAmount(), which is outside the audit scope. The method may change in the future, as every new implemented strategy can have a different getComponentAmount() function. It is not possible to verify the logic of that call and its potential vulnerabilities.
There is no valid on-chain mechanism for rebalancing the funds. There is only a rebalance() owner function to retrieve funds from the contract.
The system integrates a Rebalancer contract, which is out of the audit scope.
There is no withdrawal mechanism from the strategies, and the flow of funds is unknown after the approval of funds passed to the strategy. It may be the case that there are no funds in the Vault to perform the withdraw() function.
The fee in the Router and FeeOracle contracts is limited to no more than 50%, which is still a large value.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2023-0470 | Access Control Violation | fixed | Critical |
| F-2023-0469 | Data Consistency | fixed | Critical |
| F-2023-0479 | Invalid Calculations; Requirements Violation | fixed | High |
| F-2023-0478 | Highly Permissive Role; Assets Integrity | mitigated | High |
| F-2023-0477 | Data Consistency; Highly Permissive Role | mitigated | High |
| F-2023-0476 | Data Consistency; Race Condition | fixed | High |
| F-2023-0475 | Data Consistency | fixed | High |
| F-2023-0474 | Highly Permissive Role; Assets Integrity | fixed | High |
| F-2023-0473 | Highly Permissive Role; Data Consistency | fixed | High |
| F-2023-0472 | Denial of Service | fixed | High |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
| Severity | Description |
|---|---|
| Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
| High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
| Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
| Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
| Scope Details | |
|---|---|
| Repository | https://github.com/nitroarthur/arbitrove-smart-contracts/ |
| Commit | 3bb9ee7 |
| Whitepaper | Not Provided |
| Requirements | Provided |
| Technical Requirements | Provided |