Omniscia Impact Market Audit
Manual Review
A thorough line-by-line review was conducted on the codebase to identify potential malfunctions and vulnerabilities in Impact Market's code updates for the donation miner, staking, and governance modules.
As the project at hand implements asset staking and governance systems, particular care was taken to ensure that the flow of funds within the system conforms to the specifications and restrictions laid out in the protocol's specification, and that the governance system cannot be compromised by voting-power attacks.
We validated that all state transitions of the system occur within sane bounds and that all rudimentary formulas within the system execute as expected. We pinpointed some state synchronization inconsistencies and potentially harmful casting operations within the system which could have had moderate ramifications for its overall operation; however, they were conveyed ahead of time to the Impact Market team to be promptly remediated.
Additionally, the system was investigated for other commonly present attack vectors such as re-entrancy attacks, mathematical truncations, logical flaws and ERC / EIP standard inconsistencies. The in-line documentation of the project was relatively lackluster in the DonationMinerImplementation contract, and we strongly urge the Impact Market team to expand it.
A total of 22 findings were identified over the course of the manual review of which 15 findings concerned the behaviour and security of the system. The non-security related findings, such as optimizations, are included in the separate Code Style chapter.
The finding table below enumerates all these security / behavioural findings:
ID | Severity | Addressed | Title |
---|---|---|---|
DMI-01M | | | Celo USD Token Discrepancy |
DMI-02M | | | Complete Control of Contract Funds |
DMI-03M | | | Incorrect Estimation Calculations |
DMI-04M | | | Inexistent Initialization of Reward Periods |
DMI-05M | | | Inexistent Sanitization of Reward Period Size |
DMI-06M | | | Impossible Conditional Validation |
DMI-07M | | | Inexplicable Adjustment of Donor's Stake Amount |
DMI-08M | | | Potential Point of Asset Grievance |
PAC-01M | | | Absence of Veto Power |
PAC-02M | | | Complete Control of Contract Funds |
PAC-03M | | | Significant Degree of Centralization |
PAC-04M | | | Potential Compromisation of Governance |
PAT-01M | | | Potentially Harmful Minimum Delay |
SIN-01M | | | Potential Denial of Service |
SIN-02M | | | Unsafe Casting Operations |