Omniscia DAFI Audit

Super Staking Implementation Security Audit

We were tasked with auditing the codebase of DAFI, in particular their dDAFI implementation: a speculative staking implementation whereby users are rewarded based on the underlying network performance of the token utilized by the system, which in the case of dDAFI is DAFI.

The network performance is measured by a combination of the token's oracle-based price and its TVL. The latter remains unimplemented in the codebase and is instead manually updated.

We identified a major flaw in the access control imposed within the staking implementation, as well as two medium-level flaws: one in the way the oracle price is validated, and one in the order of operations of the fraction-based math within the network performance calculation.

Additionally, we analyzed the system from an economic perspective, ensuring that it conforms to a set of rules shared with us by DAFI. The dDAFI system follows a linear distribution model whereby the distributed amount of a user is calculated based on the accumulated weight difference between each rebase operation for a particular account.

We have observed multiple redundancies in the codebase, such as the value 100000000 being read across contracts from storage instead of being stored as a constant, and ill-advised patterns, such as the mishandling of return values, which render the codebase unnecessarily convoluted and complex.
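An added illustration (not code from the audit or from DAFI) of the order-of-operations flaw class and the 100000000 base mentioned above, assuming the flaw takes the common divide-before-multiply form. The weighting formula, function names and sample values are hypothetical; Python's `//` on non-negative integers stands in for Solidity's truncating unsigned division.

```python
# Added illustration; the weighting formula and all names are assumptions,
# not DAFI's code. // on non-negative ints truncates like Solidity's uint division.
SCALE = 100_000_000  # 1e8 fixed-point base, held as a constant rather than read from storage


def _check(base_price, base_tvl, w_price, w_tvl):
    if base_price <= 0 or base_tvl <= 0:
        raise ValueError("baselines must be positive")
    if w_price + w_tvl != 100:
        raise ValueError("weights are percentages and must sum to 100")


def demand_divide_first(price, base_price, tvl, base_tvl, w_price=50, w_tvl=50):
    """Flawed ordering: each ratio is truncated to a whole number before scaling."""
    _check(base_price, base_tvl, w_price, w_tvl)
    price_part = (price // base_price) * SCALE * w_price // 100
    tvl_part = (tvl // base_tvl) * SCALE * w_tvl // 100
    return price_part + tvl_part


def demand_multiply_first(price, base_price, tvl, base_tvl, w_price=50, w_tvl=50):
    """Corrected ordering: multiply everything, then divide once per term."""
    _check(base_price, base_tvl, w_price, w_tvl)
    price_part = price * SCALE * w_price // (base_price * 100)
    tvl_part = tvl * SCALE * w_tvl // (base_tvl * 100)
    return price_part + tvl_part


def shortfall_bps(flawed, correct):
    """How far the flawed result sits below the correct one, in basis points."""
    return (correct - flawed) * 10_000 // correct if correct else 0


# Constructed sample observations: (price, base_price, tvl, base_tvl)
SAMPLES = [
    (75_000_000, 100_000_000, 1_500_000, 1_000_000),   # price 0.75x, TVL 1.5x
    (199_999_999, 100_000_000, 999_999, 1_000_000),    # just under 2x and 1x
    (200_000_000, 100_000_000, 3_000_000, 1_000_000),  # exact multiples: no loss
]

if __name__ == "__main__":
    for s in SAMPLES:
        bad, good = demand_divide_first(*s), demand_multiply_first(*s)
        print(f"divide-first={bad} multiply-first={good} "
              f"shortfall={shortfall_bps(bad, good)} bps")
```

The two orderings agree only when every ratio is an exact whole number; any fractional ratio is silently rounded down to zero or the next lower integer by the divide-first form.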

Our professional assessment is that the codebase should be refactored to fix the issues identified by the report and to ensure that it operates in a straightforward and gas-optimal way.

| Files in Scope | Repository | Commit(s) |
|---|---|---|
| ITVLFeeds.sol (ITV) | dDAFI | d08c795cdf, f27cb12b98 |
| IPriceFeeds.sol (IPF) | dDAFI | d08c795cdf, f27cb12b98 |
| IRebaseEngine.sol (IRE) | dDAFI | d08c795cdf, f27cb12b98 |
| INetworkDemand.sol (IND) | dDAFI | d08c795cdf, f27cb12b98 |
| IStakingManager.sol (ISM) | dDAFI | d08c795cdf, f27cb12b98 |
| [NetworkDemand.sol (NDD)](https://github.com/DAFIProtocol/dDAFI/blob/f27cb12b98a23474f77cff86cc3bd057ee8ca562/contracts/network%20demand/NetworkDemand.sol) | dDAFI | [d08c795cdf](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/network%20demand/NetworkDemand.sol), [f27cb12b98](https://github.com/DAFIProtocol/dDAFI/blob/f27cb12b98a23474f77cff86cc3bd057ee8ca562/contracts/network%20demand/NetworkDemand.sol) |
| [PriceFeeds.sol (PFS)](https://github.com/DAFIProtocol/dDAFI/blob/f27cb12b98a23474f77cff86cc3bd057ee8ca562/contracts/network%20demand/PriceFeeds.sol) | dDAFI | [d08c795cdf](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/network%20demand/PriceFeeds.sol), [f27cb12b98](https://github.com/DAFIProtocol/dDAFI/blob/f27cb12b98a23474f77cff86cc3bd057ee8ca562/contracts/network%20demand/PriceFeeds.sol) |
| [RebaseEngine.sol (REE)](https://github.com/DAFIProtocol/dDAFI/blob/f27cb12b98a23474f77cff86cc3bd057ee8ca562/contracts/rebase%20engine/RebaseEngine.sol) | dDAFI | [d08c795cdf](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/rebase%20engine/RebaseEngine.sol), [f27cb12b98](https://github.com/DAFIProtocol/dDAFI/blob/f27cb12b98a23474f77cff86cc3bd057ee8ca562/contracts/rebase%20engine/RebaseEngine.sol) |
| StakingDatabase.sol (SDE) | dDAFI | d08c795cdf, f27cb12b98 |
| StakingManagerV1.sol (SMV) | dDAFI | d08c795cdf, f27cb12b98 |
| [TVLFeeds.sol (TVL)](https://github.com/DAFIProtocol/dDAFI/blob/f27cb12b98a23474f77cff86cc3bd057ee8ca562/contracts/network%20demand/TVLFeeds.sol) | dDAFI | [d08c795cdf](https://github.com/DAFIProtocol/dDAFI/blob/d08c795cdf3455616f403d1468e02ec234ab01ef/contracts/network%20demand/TVLFeeds.sol), [f27cb12b98](https://github.com/DAFIProtocol/dDAFI/blob/f27cb12b98a23474f77cff86cc3bd057ee8ca562/contracts/network%20demand/TVLFeeds.sol) |
| TokenPool.sol (TPL) | dDAFI | d08c795cdf, f27cb12b98 |

During the audit, we filtered and validated a total of 0 findings using static analysis tools and identified a total of 33 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly, prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: