Omniscia KlimaDAO Audit
Algorithmic Bonding System Security Audit
We were tasked with performing an audit of the KlimaDAO codebase and in particular their Olympus V1 & V2 inspired bonding implementation as well as their multi-token implementations that support the ecosystem.
The main differentiation from the Olympus DAO implementation is the more granular approach to the bond depositories, whereby a contract is independently deployed for each depository that consequently directly interacts and deposits to the treasury before gradually releasing funds to the end-users via a typical vesting schedule.
As an internal note, the audit will not be finalized as long as the codebase retains flattened contracts, given that we have identified vulnerabilities in dependencies that are shared across multiple contracts and would lead to a large number of findings that are duplicated across contracts. We strongly advise the KlimaDAO team to clean up the codebase and use proper inheritance structures.
Over the course of the audit, we identified multiple vulnerabilities, some of which were inherited from an unfixed version of the Olympus DAO codebase while others were the result of KlimaDAO's adaptations to the original codebase, such as an incorrect markdown calculation within the new bonding calculator. Furthermore, we identified multiple gas optimizations across the codebase that should be applied given that the code is relatively inefficient.
We advise the KlimaDAO team to remediate all minor-and-above vulnerabilities identified within the report as well as consider and apply our gas optimization findings. We should note that the codebase can be significantly optimized beyond our gas optimization findings as the report cannot contain all potential optimizations that can be made.
On a final note, the codebase does not appear to properly test the new features introduced to it by the KlimaDAO team. In order for the codebase to be considered deployment ready, the KlimaDAO team should introduce test cases that test the bare minimum functionalities meant to be supported by the protocol, as vulnerabilities such as the markdown calculation would have been caught in such a case prior to the audit.
During the audit, we filtered and validated a total of 9 findings utilizing static analysis tools as well as identified a total of 52 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.
The list below covers each segment of the audit in depth and links to the respective chapter of the report: