We were tasked with performing a second-round audit of the Atomix Lending Protocol by fetch.ai. This revision relocated contract functionality into dedicated contracts and revised the debt flow between the loan liquidator and the lending pool so that the debt of each component within the system is "rebalanced" more seamlessly.
We identified multiple inefficiencies in the codebase as well as several major issues relating to missing access control and unsafe arithmetic, which we strongly urge the fetch.ai team to address as soon as possible.
Overall, the codebase has been refactored extensively and made much more legible. However, we believe there is still room for improvement, especially with regard to the naming conventions used across the codebase and the general structure of the code: most of the static analysis findings we filtered related to the uncommon naming conventions used by the Atomix system.
During the audit, we filtered and validated a total of 8 findings using static analysis tools and identified a total of 24 findings during the manual review of the codebase. We strongly recommend that all findings of minor severity or higher be dealt with promptly, prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.
The list below covers each segment of the audit in depth and links to the respective chapter of the report: