Q1 2025 Web3 Security ReportAccess control failures led to $1.63 billion in losses
Discover report insights
  • Hacken
  • Audits
  • parallax
  • [SCA] Parallax / CLMM / Jan2024
Parallax logo

Parallax

Audit name:

[SCA] Parallax / CLMM / Jan2024

Date:

Apr 9, 2024

Table of Content

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Parallax team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

CLMM (Concentrated Liquidity Management Mechanism) is an asset manager that allows users to provide liquidity to Uniswap V3 pools on behalf of Parallax. Parallax performs auto asset management of users' positions on CLMM with compounding and rebalancing functionality.

titlecontent
PlatformEVM
LanguageSolidity
TagsDEX, Vesting
Timeline12/02/2024 - 12/04/2024
Methodologyhttps://hackenio.cc/sc_methodology

    Review Scope

    Repositoryhttps://bitbucket.ideasoft.io/projects/PAR/repos/clmm
    Commit5f9211e

    Audit Summary

    Total9.7/10
    Security Score

    10/10

    Test Coverage

    93%

    Code Quality Score

    10/10

    Documentation Quality Score

    9/10

    8Total Findings
    8Resolved
    0Accepted
    0Mitigated

    The system users should acknowledge all the risks summed up in the risks section of the report

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    NameSmart Contract Code Review and Security Analysis Report for Parallax
    Audited ByDavid Camps Novi, Viktor Lavrenenko
    Approved ByPrzemyslaw Swiatowiec
    Websitehttps://parallaxfinance.org/
    Changelog12/04/2024 - Final Report

    • Document

      Name
      Smart Contract Code Review and Security Analysis Report for Parallax
      Audited By
      David Camps Novi, Viktor Lavrenenko
      Approved By
      Przemyslaw Swiatowiec
      Website
      https://parallaxfinance.org/
      Changelog
      12/04/2024 - Final Report

    System Overview

    • CLMMBase.sol - the first implementation in the list that includes admin methods, depositing, and withdrawal functionality.

    • CLMMCore.sol - consists of all the storage slots utilized by the protocol to ensure proper storage scheme integrity during upgrades or delegate calls. CLMMCore also extends all the necessary *@openzeppelin* libraries and SwapRouter.

    • CLMMRouter.sol - provides interactive functions such as depositing, withdrawal, compounding, claiming, rebalancing, and admin methods. CLMMRouter is the main proxy contract of the CLMM protocol and holds all the storage set. The functionality of Router is extended with implementations that do not hold any storage. All the storage is delegated by the router contract.

    • CLMMUtils.sol - extends CLMMCore and provides functionality that is utilized across all the entities and prevents functionality replication. Each implementation and Router extend CLMMUtils to ensure single scheme integrity.

    • CLMMVault.sol - the second implementation that includes methods for claiming, compounding, and rebalancing.

    • CLMMVesting.sol - the third implementation that includes all the functionality for the rewards vesting that could be activated if the user claims rewards in a specified token.

    • SwapRouter.sol - provides optimal underlying allocation functionality, calculating the actual ratio to deposit into the liquidity pool.

    • UniswapWrapper.sol - the last implementation that consists of several methods to interact with Uniswap V3 protocol. NOTE: UniswapWrapper does not extend CLMMUtils because it does not utilize any static memory.

    Privileged roles

    • Owner: able to upgrade contracts, add new or to rebalance pools, pause deposits/vesting, set various properties such as compound minimal amounts or implementation addresses. Has also all the rights of User role.

    • User: able to interact with deposit, withdraw, claim functionality.

    Executive Summary

    Documentation quality

    The total Documentation Quality score is 9 out of 10.

    • Functional requirements are limited.

      • Business logic is limited. Main ideas are provided but deeper description is missing.

        • How does each flow work, and what are the expected outputs.

        • What is the upgradeability and project architecture.

        • Missing roles description

    • The technical description is complete.

    Code quality

    The total Code Quality score is 10 out of 10.

    • The development environment is configured.

    • Best practices are followed.

    Test coverage

    Code coverage of the project is 93% (branch coverage).

    • Deployment and basic user interactions are covered with tests.

    • Negative cases coverage is provided.

    Security score

    Upon auditing, the code was found to contain 0 critical, 1 high, 0 medium, and 1 low severity issues, leading to a security score of 10 out of 10.

    All identified issues are detailed in the “Findings” section of this report.

    Summary

    The comprehensive audit of the customer's smart contract yields an overall score of 9.7. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

    Risks

    Unconventional ERC20 tokens, such as those with fee-on-transfer or deflationary ones, are not planned for use. However, if they are utilized, it could potentially cause the system’s improper functioning.

    The system possesses an upgradeable feature, implying that the owner can upgrade the system by substituting the implementation contract of the CLMMRouter. This introduces the potential risk that subsequent implementations may harbor unforeseen vulnerabilities.

    The system permits the owner to retrieve any trapped ERC20 tokens using the CLMMCore::rescueERC20Token() function. However, there are no constraints on the specific ERC20 tokens that can be withdrawn. This presents a risk, as the owner could potentially withdraw the ERC20 reward tokens intended for vesting, which are sent to the CLMMRouter contract via CLMMRouter::fill() function. This issue is raised in components that haven't been included in the scope and therefore, only shallowly validated.

    The system relies on the secureness of the Owner's private keys, which can impact the execution flow and secureness of the funds. We recommend this account to be at least 3⁄5 multi-sig.

    The owner can change the pool configuration using CLMMRouter::setCompoundConfig() at any time.

    The owner can pause the CLMMRouter contract.

    Several interactions of the system are with out-of-scope contracts (see Risk Statement below).

    Risk Statement

    This audit report focuses exclusively on the security assessment of the contracts within the specified review scope. Interactions with out-of-scope contracts are presumed to be correct and are not examined in this audit. We want to highlight that Interactions with contracts outside the specified scope, such as:

    ./contracts/extensions/UniswapWrapper.sol: IUniswapV3Factory(uniswapV3Pool), ISwapRouter(router), IQuoterV2(quoter).

    ./contracts/core/SwapRouter.sol: CallbackValidation.verifyCallbackCalldata, V3PoolCallee.swap(), V3PoolCallee.wrap(), OptimalSwap.getOptimalSwap().

    ./contracts/core/CLMMVault.sol: positionManager.positions(), positionManager.increaseLiquidity(), positionManager.burn(), positionManager.mint(). IUniswapWrapper(wrapper).getActualRange().

    ./contracts/core/CLMMUtils.sol: positionManager.collect(), positionManager.positions(), positionManager.decreaseLiquidity().

    ./contracts/core/CLMMRouter.sol: positionManager.transferFrom(), positionManager.positions().

    ./contracts/core/CLMMCore.sol: rescueNativeToken(), rescueERC20Token().

    ./contracts/core/CLMMBase.sol: positionManager.positions(), positionManager.transferFrom(), positionManager.mint().

    have not been verified or assessed as part of this report.

    While we have diligently identified and mitigated potential security risks within the defined scope, it is important to note that our assessment is confined to the isolated contracts within this scope. The overall security of the entire system, including external contracts and integrations beyond our audit scope, cannot be guaranteed.

    Users and stakeholders are urged to exercise caution when assessing the security of the broader ecosystem and interactions with external contracts. For a comprehensive evaluation of the entire system, additional audits and assessments outside the scope of this report are necessary.

    This report serves as a snapshot of the security status of the audited contracts within the specified scope at the time of the audit. We strongly recommend ongoing security evaluations and continuous monitoring to maintain and enhance the overall system's security.

    Findings

    Code
    Title
    Status
    Severity
    F-2024-0986Missing Refund In The withdrawERC721Token() Function Leads To Stuck Tokens
    fixed

    High
    F-2024-0981Missing Validation For The Pool Configuration
    fixed

    Low
    F-2024-2073Missing onERC721Received callback violates best practices
    fixed

    Observation
    F-2024-0982Duplicate Code Increases Gas Usage
    fixed

    Observation
    F-2024-0980Missing Condition Allows Users To Claim Their Vested Rewards When The Pool is Not Active
    fixed

    Observation
    F-2024-0977Missing Two-Step Transfer Of Ownership Introduces Risks
    fixed

    Observation
    F-2024-0973Missing Events Emitting For Critical Functions
    fixed

    Observation
    F-2024-0953Missing Storage Gaps
    fixed

    Observation
    1-8 of 8 findings

    Identify vulnerabilities in your smart contracts.

    Appendix 1. Severity Definitions

    When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

    Reference on how risk scoring is done is available through the repository in our Github organization:

    Severity

    Description

    Critical
    		Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    High
    		High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Medium
    		Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Low
    		Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    • Severity

      Critical

      Description

      Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

      Severity

      High

      Description

      High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

      Severity

      Medium

      Description

      Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

      Severity

      Low

      Description

      Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details

    Repositoryhttps://bitbucket.ideasoft.io/projects/PAR/repos/clmm
    Commit5f9211e
    WhitepaperWhitepaper
    RequirementsRequirements
    Technical RequirementsTechnical documentation

    Contracts in Scope

    contracts
    core
    CLMMBase.sol - contracts/core/CLMMBase.sol
    CLMMCore.sol - contracts/core/CLMMCore.sol
    CLMMRouter.sol - contracts/core/CLMMRouter.sol
    CLMMUtils.sol - contracts/core/CLMMUtils.sol
    CLMMVault.sol - contracts/core/CLMMVault.sol
    CLMMVesting.sol - contracts/core/CLMMVesting.sol
    SwapRouter.sol - contracts/core/SwapRouter.sol
    extensions
    UniswapWrapper.sol - contracts/extensions/UniswapWrapper.sol
    interfaces
    ICLMMBase.sol - contracts/interfaces/ICLMMBase.sol
    ICLMMCore.sol - contracts/interfaces/ICLMMCore.sol
    ICLMMMinter.sol - contracts/interfaces/ICLMMMinter.sol
    ICLMMRouter.sol - contracts/interfaces/ICLMMRouter.sol
    ICLMMUtils.sol - contracts/interfaces/ICLMMUtils.sol
    ICLMMVault.sol - contracts/interfaces/ICLMMVault.sol
    ICLMMVesting.sol - contracts/interfaces/ICLMMVesting.sol
    IDecimals.sol - contracts/interfaces/IDecimals.sol
    INonfungiblePositionManager.sol - contracts/interfaces/INonfungiblePositionManager.sol
    ITokensRescuer.sol - contracts/interfaces/ITokensRescuer.sol

    Disclaimer