We were tasked with performing a second-round audit of the DAFI Protocol codebase and, in particular, their synthetic tokens created via a balance snapshotting mechanism.
We were able to pinpoint certain discrepancies in the system that we strongly recommend the DAFI team remediate to ensure consistency in how their system operates.
Additionally, we were able to pinpoint an unwanted side-effect of the balance snapshotting mechanism. As synthetic tokens are minted out of the current balance of an address, it is possible to exploit this by acquiring a flash loan and using a disproportionately large balance for the snapshot, which would award the user a higher-than-normal dToken balance compared with normal users who simply snapshot their own balances.
The impact of this side-effect on the system was assessed and deemed to be minimal, given that the synthetic assets are meant to be experimental and uncollateralized. The DAFI team has, however, set a restriction on minting that ensures flash loans cannot be utilized, thereby addressing this issue entirely.
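A toy model of the snapshot side-effect and of one possible minting restriction, added here as an illustration and not taken from the DAFI codebase. The 1:1 mint rate, the `Ledger` class and the same-block check are assumptions; the report does not state which restriction the DAFI team implemented.

```python
# Added illustration: constructed toy model, not DAFI's contract code.
class Ledger:
    """Constructed token ledger that records the block of each balance increase."""
    def __init__(self):
        self.block = 1
        self.balances = {}
        self.last_increase = {}  # account -> block of the last incoming transfer

    def credit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.last_increase[account] = self.block

    def debit(self, account, amount):
        if self.balances.get(account, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[account] -= amount

    def mine(self):
        self.block += 1


def snapshot_mint(ledger, account, guarded):
    """Return the dToken amount minted 1:1 (assumed rate) from the current balance."""
    # Assumed restriction: refuse a snapshot if the balance grew in this block.
    if guarded and ledger.last_increase.get(account) == ledger.block:
        raise PermissionError("balance increased in this block; snapshot refused")
    return ledger.balances.get(account, 0)


def flash_loan_snapshot(ledger, account, loan, guarded):
    """Borrow, snapshot and repay inside one block, as a flash loan must."""
    ledger.credit(account, loan)
    try:
        return snapshot_mint(ledger, account, guarded)
    finally:
        ledger.debit(account, loan)  # repayment always lands in the same block


def demo():
    ledger = Ledger()
    ledger.credit("user", 100)
    ledger.mine()  # the user's own balance is now one block old
    honest = snapshot_mint(ledger, "user", guarded=True)
    inflated = flash_loan_snapshot(ledger, "user", 1_000_000, guarded=False)
    try:
        flash_loan_snapshot(ledger, "user", 1_000_000, guarded=True)
        blocked = False
    except PermissionError:
        blocked = True
    return honest, inflated, blocked
```
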
During the audit, we filtered and validated a total of 7 findings utilizing static analysis tools and identified a total of 25 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.
The list below covers each segment of the audit in depth and links to the respective chapter of the report: