Omniscia Colony Lab Audit

Staking V1.1 Security Audit

Audit Overview

We were tasked with auditing the Colony Lab codebase and, in particular, their upgradeable V2 implementation of their staking mechanism.

Over the course of the audit, we identified several issues in both the design and the implementation of the various components of the system, which we advise the Colony Lab team to closely evaluate.

Overall, the codebase redundantly splits the logic among multiple atomic contracts that interact with each other, thus significantly increasing the complexity of the system. The code itself is relatively inefficient, and the gas optimization findings we identified are not exhaustive.

We strongly advise the Colony Lab team to remediate all findings identified in the report and, additionally, to: split the storage and logic of the upgradeable contracts into dedicated files to prevent storage collisions; reverse the 1e18 code change in the Synthetix token with regard to the reward periods; change the language around the migration of stakes from V1 to V2, as only status is migrated; and refactor the contract logic using the singleton model instead of multiple contracts that interact with each other, to minimize the attack surface of the protocol.

Post-Audit Conclusion

The Colony Lab team removed multiple contracts that were in scope from the codebase, thereby relocating most of the exhibits identified in the report.

Their team heeded our advice in relation to the singleton model and merged logic into contracts/StakingV2/StakingV2.sol to significantly minimize the attack surface of the protocol.

All exhibits except for the TimedValuesStorage contract were correctly remediated or, in the case of one exhibit, nullified by additional material produced by the Colony Lab team.

Overall, the code authors have applied all the latest security best practices we recommended, rendering the codebase of a high standard.

Contracts Assessed

Audit Synopsis

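| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| Major | 2 | 2 | 0 | 0 |
| Medium | 2 | 2 | 0 | 0 |
| Minor | 3 | 1 | 0 | 2 |
| Informational | 9 | 5 | 0 | 4 |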

During the audit, we filtered and validated a total of 3 findings utilizing static analysis tools and identified a total of 13 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

Pie chart, "Total Issues": Major 2, Medium 2, Minor 3, Informational 9.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: