Omniscia KlimaDAO Audit
KlimaLPBonds_v4 Manual Review Findings
KlimaLPBonds_v4 Manual Review Findings
KLB-01M: Improper Consistency of Vesting Term
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Medium | KlimaLPBonds_v4.sol:L750, L855 |
Description:
The vestingTerm of the system is adjustable at will by the policy, however, it can be both increased and decreased from its previous value. This can lead to discrepancies in the vesting system applied to each bond by deposit and cause the tokenomics of the system to fail.
Example:
742/**743 * @notice set parameters for new bonds744 * @param _parameter PARAMETER745 * @param _input uint746 */747function setBondTerms ( PARAMETER _parameter, uint _input ) external onlyPolicy() {748 if ( _parameter == PARAMETER.VESTING ) { // 0749 require( _input >= 10000, "Vesting must be longer than 36 hours" );750 terms.vestingTerm = _input;751 } else if ( _parameter == PARAMETER.PAYOUT ) { // 1752 require( _input <= 1000, "Payout cannot be above 1 percent" );753 terms.maxPayout = _input;754 } else if ( _parameter == PARAMETER.FEE ) { // 2755 require( _input <= 10000, "DAO fee cannot exceed payout" );756 terms.fee = _input;757 } else if ( _parameter == PARAMETER.DEBT ) { // 3758 terms.maxDebt = _input;759 }760}Recommendation:
We advise the vestingTerm value to only be incremental and to prevent decreasing it as it would incentivize users to create new bonds to their existing positions as the period gets overridden in storage.
Alleviation:
The KlimaDAO team stated taht this is by design and all administrative actions will be performed with utmost care to not break the assumptions of the system.
KLB-02M: Ungraceful Handling of High Adjustment Rates
| Type | Severity | Location |
|---|---|---|
| Mathematical Operations | Medium | KlimaLPBonds_v4.sol:L939 |
Description:
The adjustment.rate is meant to represent a step-by-step reduction or increase of the reward rate for a particular recipient, however, there can be a case where the terms.controlVariable is smaller than the step which would render the adjust operation impossible and thus cause the full deposit hook to fail.
Example:
938} else {939 terms.controlVariable = terms.controlVariable.sub( adjustment.rate );940 if ( terms.controlVariable <= adjustment.target ) {941 adjustment.rate = 0;942 }943}Recommendation:
We advise the reduction of a particular rate to be gracefully handled whereby if the reduction is greater than the current rate the rate should be set to zero.
Alleviation:
The KlimaDAO team responded by stating that this is by design and a controlled contract parameter and as such no graceful handling is necessary.