Omniscia Congruent Audit

CRV Integrated Rewards Security Audit

Audit Overview

We were tasked with auditing the Congruent codebase and in particular their Convex-integrating reward token staking mechanism.

Over the course of the audit, we identified several potential mis-integrations as well as a major vulnerability in the virtual balance pool that prevents new rewards from ever being set for it.

We advise the Congruent team to evaluate all our exhibits, provide a remediation for each one and additionally consider our optimization findings to ensure the codebase is of a high standard.

Post-Audit Conclusion

The Congruent team addressed all exhibits outlined. For the centralization-related exhibits they provided a response indicating that they wish to retain control in case an unforeseen update to the Convex codebase requires elevated interactions by the contracts.

All other exhibits were adequately dealt with, except for the static analysis exhibit and the zero-value mints of cCRV, both of which can be safely ignored.

We should note that the changes introduced in the latest commit hash, and in particular the newly created Vyper contracts, should not be considered part of the audit scope.

Contracts Assessed

Audit Synopsis

Severity        Identified  Alleviated  Partially Alleviated  Acknowledged
Major           3           1           0                     2
Medium          2           2           0                     0
Minor           4           3           0                     1
Informational   3           2           0                     1

During the audit, we filtered and validated a total of 1 finding utilizing static analysis tools and identified a further 11 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

Figure: Total Issues pie chart (Major: 3, Medium: 2, Minor: 4, Informational: 3)

The list below covers each segment of the audit in depth and links to the respective chapter of the report: