Omniscia Kanpeki Finance Audit
Core Protocol Security Audit
We were tasked with auditing the codebase of Kanpeki Finance and in particular their fixed-rate lending and borrowing protocol built upon a first-come first-serve (FCFS) principle.
Over the course of the audit we identified several discrepancies between the functionality the protocol actually implements and the functionality its documentation describes.
Additionally, we observed a significant level of centralization across the protocol: every vault grants an infinite approval to addresses it retrieves dynamically from the contract registry, so all assets in the protocol's custody are fully exposed to a compromise of the owner role in that registry.
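The following is an added illustration of the approval pattern this finding describes, written for this report and not taken from the Kanpeki Finance codebase; the interface names, the `LENDER` registry key and the timelock delay are assumptions. The first contract shows the risky shape (an unbounded allowance to whatever address the registry currently returns), the second a hardened shape in which no standing allowance exists and the counterparty address can only change through a delayed, governance-initiated update.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only; not Kanpeki Finance code. Names are assumptions.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IRegistry {
    function getAddress(bytes32 key) external view returns (address);
}

// Risky pattern from the finding: the vault grants type(uint256).max allowance
// to the address the registry returns at call time. If the registry owner key is
// compromised and the entry is repointed, the entire vault balance is reachable.
contract VaultInfiniteApproval {
    IERC20 public immutable token;
    IRegistry public immutable registry;
    bytes32 public constant LENDER_KEY = keccak256("LENDER"); // assumed key

    constructor(IERC20 _token, IRegistry _registry) {
        token = _token;
        registry = _registry;
    }

    // Anyone can refresh the allowance towards the *current* registry entry.
    function refreshApproval() external {
        require(token.approve(registry.getAddress(LENDER_KEY), type(uint256).max), "approve failed");
    }
}

// Hardened pattern: no standing allowance at all. The vault pushes exactly the
// requested amount to a pinned lender address, and that address can only be
// changed by governance after a fixed delay, giving users time to react.
contract VaultScopedTransfer {
    IERC20 public immutable token;
    address public immutable governance;
    address public lender;
    address public pendingLender;
    uint256 public pendingAt;
    uint256 public constant DELAY = 2 days; // assumed timelock length

    event LenderProposed(address indexed newLender, uint256 effectiveAt);
    event LenderUpdated(address indexed newLender);

    constructor(IERC20 _token, address _lender, address _governance) {
        token = _token;
        lender = _lender;
        governance = _governance;
    }

    function proposeLender(address newLender) external {
        require(msg.sender == governance, "not governance");
        require(newLender != address(0), "zero address");
        pendingLender = newLender;
        pendingAt = block.timestamp + DELAY;
        emit LenderProposed(newLender, pendingAt);
    }

    function applyLender() external {
        require(pendingLender != address(0), "nothing pending");
        require(block.timestamp >= pendingAt, "timelock active");
        lender = pendingLender;
        pendingLender = address(0);
        emit LenderUpdated(lender);
    }

    // The lender pulls only the amount it needs for the current operation;
    // nothing is pre-approved, so a repointed address gains no latent access.
    function release(uint256 amount) external {
        require(msg.sender == lender, "not lender");
        require(token.transfer(lender, amount), "transfer failed");
    }
}
```

The design point is that the blast radius of a compromised registry owner shrinks from "every vault balance, immediately" to "nothing until the timelock expires", which is observable on-chain via the `LenderProposed` event and can be monitored.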
With regards to the novel first-come first-serve interest serving component of the system, we pinpointed the absence of a user-set "guard" variable that ensures the user receives the interest reward they anticipate. Given the inherent FCFS nature of the protocol, interest bearers compete for the blockchain's block space to be the first to claim a particular interest batch, and as such they should be able to specify the minimum interest they are willing to accept as "claimed" in a particular transaction.
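To make the missing guard concrete, the following added example (written for this report, not Kanpeki Finance code; the batch storage layout and function names are assumptions) contrasts an unguarded FCFS claim with one that takes a caller-supplied minimum. In the unguarded version a user who submits a claim for the full batch may be front-run by another claimant and end up with whatever dust remains; in the guarded version the transaction reverts instead, costing only gas.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only; not Kanpeki Finance code. Layout is an assumption.
contract FcfsInterestClaim {
    // interest still available in each batch (token transfers omitted for brevity)
    mapping(uint256 => uint256) public batchRemaining;
    mapping(address => uint256) public claimed;

    event Claimed(address indexed user, uint256 indexed batchId, uint256 amount);

    // Simplified funding hook so the contract can be exercised; a real vault
    // would pull tokens here.
    function fundBatch(uint256 batchId, uint256 amount) external {
        batchRemaining[batchId] += amount;
    }

    // Unguarded shape: the caller receives min(requested, remaining) as of the
    // moment the transaction is mined, which may be far below what they expected.
    function claimUnguarded(uint256 batchId, uint256 requested) external returns (uint256 paid) {
        uint256 remaining = batchRemaining[batchId];
        paid = requested < remaining ? requested : remaining;
        batchRemaining[batchId] = remaining - paid;
        claimed[msg.sender] += paid;
        emit Claimed(msg.sender, batchId, paid);
    }

    // Guarded shape: the caller states the least they will accept. If an earlier
    // claimant drained the batch below that floor, the call reverts rather than
    // silently settling for the remainder.
    function claim(uint256 batchId, uint256 requested, uint256 minAccepted)
        external
        returns (uint256 paid)
    {
        require(minAccepted <= requested, "min above requested");
        uint256 remaining = batchRemaining[batchId];
        paid = requested < remaining ? requested : remaining;
        require(paid >= minAccepted, "interest below minimum");
        batchRemaining[batchId] = remaining - paid;
        claimed[msg.sender] += paid;
        emit Claimed(msg.sender, batchId, paid);
    }
}
```

The `minAccepted` parameter plays the same role as a slippage floor on a swap: the user decides, off-chain, the worst outcome they are willing to pay gas for, and the contract enforces it atomically.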
We strongly advise the Kanpeki Finance team to apply remediations to all findings we have identified as well as consider our style and gas optimization findings to enhance the codebase's maintainability and legibility. We should note that we believe the system to be overly complex when it comes to the percentage calculations and we urge the Kanpeki Finance team to consider simplifying some of the proportionate calculations to reduce the gas cost of the system as well as render it more readable.
During the audit, we filtered and validated a total of 1 finding utilizing static analysis tools as well as identified a total of 26 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings be dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.
The list below covers each segment of the audit in depth and links to the respective chapter of the report: