Omniscia Rari Capital Audit

Fuse Compound Fork Oracles Security Audit

We were tasked with auditing Rari Capital's Compound fork implementation, which introduces two new sets of fees via scalar mantissas to the existing Compound implementation.

The Rari team integrated the accrual of those two new fees, as well as the management-related code to properly set them, across the original Compound codebase. Additionally, a new source of protocol configuration, the fuseAdmin, has been defined, from which multiple existing as well as new parameters are retrieved, such as the lower bounds of borrows or the upper bounds of mints.

In addition to the Compound fork codebase, we were tasked with auditing two oracle implementations under the fuse-contracts codebase, ChainlinkPriceOracle.sol and Keep3rPriceOracle.sol, which are part of the Fuse management implementation. We found several ambiguities as well as a security issue regarding data freshness, which we advise be dealt with as soon as possible.
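The data-freshness concern named above is not detailed in this summary. The following is an added example, not code from Rari's ChainlinkPriceOracle.sol, showing the staleness guard a Chainlink consumer applies so that a feed that has stopped updating causes a revert rather than a silently stale price. The consumer contract and its per-feed `maxStaleness` bound are hypothetical; `AggregatorV3Interface` is Chainlink's real interface, reduced to the two functions used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Subset of Chainlink's real AggregatorV3Interface: only the two functions used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Illustrative consumer (hypothetical; not Rari's ChainlinkPriceOracle) that only
/// accepts a feed answer if it is positive, belongs to a completed round and is
/// younger than a per-feed staleness bound.
contract FreshChainlinkConsumer {
    /// Seconds after which an answer is rejected. Must exceed the feed's heartbeat
    /// interval with some margin, otherwise a healthy feed reverts between updates.
    mapping(address => uint256) public maxStaleness;
    address public immutable admin;

    constructor() { admin = msg.sender; }

    function setMaxStaleness(address feed, uint256 ageLimit) external {
        require(msg.sender == admin, "not admin");
        require(ageLimit > 0, "bound must be positive");
        maxStaleness[feed] = ageLimit;
    }

    /// Returns the latest answer scaled to 18 decimals, reverting instead of
    /// silently returning a stale or invalid price.
    function getFreshPrice(address feed) external view returns (uint256) {
        uint256 bound = maxStaleness[feed];
        require(bound != 0, "feed not configured");
        (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();
        require(answer > 0, "non-positive answer");
        require(updatedAt != 0, "round not complete");
        // An updatedAt in the future underflows and reverts under 0.8 checked math,
        // which is the desired outcome for a malformed round.
        require(block.timestamp - updatedAt <= bound, "stale price");
        uint8 dec = AggregatorV3Interface(feed).decimals();
        return dec <= 18
            ? uint256(answer) * 10 ** (18 - dec)
            : uint256(answer) / 10 ** (dec - 18);
    }
}
```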

The changes observed were conducted in line with the existing style guide of Compound, such as proper error definition and non-total failure of function calls; however, certain characteristics were redundantly duplicated across contracts when they could have been inherited from a single base. No major security vulnerabilities were identified. However, a misbehavior of the system was detected in the way the upper bound of minting is evaluated, whereby the truncated results may yield different outcomes. Some other potential misadjustments to the codebase have also been pointed out; however, they may be deemed dismissible as they concern components of the system that are not meant to be utilized in the new deployment by Rari.

The adaptations of Rari continue the high quality set forth by Compound's codebase and do not break any behavioral trait of the system, as the new fees are accounted for properly in the borrow and interest mechanisms. For a detailed breakdown of the changes introduced, please head to the Compound Delta section.

Files in Scope

| File | Repository | Commit(s) |
|---|---|---|
| CErc20.sol (CE0) | compound-protocol | f1639263b6, 73329a8d84 |
| CEther.sol (CER) | compound-protocol | f1639263b6, 73329a8d84 |
| CToken.sol (CTN) | compound-protocol | f1639263b6, 73329a8d84 |
| Comptroller.sol (COM) | compound-protocol | f1639263b6, 73329a8d84 |
| CDaiDelegate.sol (CDD) | compound-protocol | f1639263b6, 73329a8d84 |
| CErc20Delegate.sol (CED) | compound-protocol | f1639263b6, 73329a8d84 |
| CEtherDelegate.sol (CON) | compound-protocol | f1639263b6, 73329a8d84 |
| CErc20Delegator.sol (CON) | compound-protocol | f1639263b6, 73329a8d84 |
| CErc20Immutable.sol (CEI) | compound-protocol | f1639263b6, 73329a8d84 |
| CEtherDelegator.sol (CON) | compound-protocol | f1639263b6, 73329a8d84 |
| CEtherImmutable.sol (CON) | compound-protocol | f1639263b6, 73329a8d84 |
| CTokenInterfaces.sol (CTI) | compound-protocol | f1639263b6, 73329a8d84 |
| ComptrollerStorage.sol (CSE) | compound-protocol | f1639263b6, 73329a8d84 |
| ComptrollerInterface.sol (CIE) | compound-protocol | f1639263b6, 73329a8d84 |
| ErrorReporter.sol (ERR) | compound-protocol | f1639263b6, 73329a8d84 |
| IFuseFeeDistributor.sol (IFF) | compound-protocol | f1639263b6, 73329a8d84 |
| Unitroller.sol (UNI) | compound-protocol | f1639263b6, 73329a8d84 |
| ChainlinkPriceOracle.sol (CPO) | fuse-contracts | d4f6a1a14a, a4f0456c5e |
| Keep3rPriceOracle.sol (KPO) | fuse-contracts | d4f6a1a14a, a4f0456c5e |

During the audit, we filtered and validated a total of 0 findings utilizing static analysis tools and identified a total of 26 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: