Omniscia Olympus DAO Audit
Protocol V Security Audit
We were tasked with performing a second round audit on the version 2 implementation of the Olympus DAO protocol composed of a complex system architecture involving a triple token system, an LP-based bond system, and utility contracts for incentivizing the use of all three token types.
Over the course of the audit, we were able to pinpoint potentially harmful arbitrage opportunities that can arise in the conversion between the three tokens as well as a potential under-pricing flaw in the bond creation mechanism that if exploited could cause a bond to be priced at a very low value and thus cause a significant evaluation of an otherwise small deposit.
In addition to logical flaws, we identified several optimizations that can be applied to the codebase that we urge the Olympus DAO team to consider. Overall, the codebase appears to be at an unpolished state and can be significantly improved in terms of styling, consistency, and documentation. For the former, we advise a linting plugin to be enforced on the codebase to greatly increase its readability.
Another important point that should be raised about the codebase is the over-reliance on good faith of the various authorized operators in the protocol. As an example, the terms of a bond are not validated and permit arbitrary values for all terms whilst they are only set by the guardian of the protocol. As we have expressed in some of the exhibits, we advise the Olympus DAO team to attempt to further decentralize the operation of the protocol by introducing new sanitization checks restricting the authorative actions of the privileged roles of the system.
During the audit, we filtered and validated a total of 10 findings utilizing static analysis tools as well as identified a total of 73 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.
The list below covers each segment of the audit in depth and links to the respective chapter of the report: