Omniscia Arcade XYZ Audit
Manual Review
Manual Review
A thorough line-by-line review was conducted on the codebase to identify potential malfunctions and vulnerabilities in the P2P NFT-backed borrowing and lending protocol of Arcade XYZ.
As the project at hand implements an NFT collateralized lending and borrowing protocol, intricate care was put into ensuring that the flow of funds & assets within the system conforms to the specifications and restrictions laid forth within the protocol's specification.
We validated that all state transitions of the system occur within sane criteria and that all rudimentary formulas within the system execute as expected. We pinpointed multiple avenues via which collateral within an AssetVault could be compromised which could have had severe ramifications to its overall operation; we urge the Arcade XYZ team to promptly evaluate & remediate findings that relate to the AssetVault contract.
Additionally, the system was investigated for any other commonly present attack vectors such as re-entrancy attacks, mathematical truncations, logical flaws and ERC / EIP standard inconsistencies. The documentation of the project was satisfactory to an exemplary extent, containing extensive in-line documentation as well as a comprehensive README.md file both of which were utilized when validating the project's specification.
A total of 48 findings were identified over the course of the manual review of which 21 findings concerned the behaviour and security of the system. The non-security related findings, such as optimizations, are included in the separate Code Style chapter.
The finding table below enumerates all these security / behavioural findings:
| ID | Severity | Addressed | Title |
|---|---|---|---|
| AIV-01M |  |  | Incorrect Assumption of Function |
| ABV-01M | | | Improper Enforcement of Check |
| ABV-02M | | | Incorrect Assumption of Function |
| AVT-01M |  | | Improper Dependency Utilization |
| CBT-01M |  |  | Inexistent Flexibility of Blacklist |
| CBT-02M |  | | Potentially Weak Restriction List |
| CWA-01M | | | Insecure Whitelist Potential |
| CWO-01M |  | | Unsafe Casting Operation |
| ERC-01M | | | Potential Deviation of Standard |
| OCR-01M | |  | On-Chain Race Condition of Loan Consumptions |
| OCR-02M | | | Restrictive Minimum Loan Principal |
| OCR-03M | | | Improper Validation of Loan Amounts |
| OCR-04M | | | Insufficient Validation of Loan Rollover |
| OCR-05M | | | Invalidation of Predicates |
| OER-01M | | | Inexistent Validation of Ownership Existence |
| PNE-01M | | | Misleading Documentation of Contract |
| PNE-02M | | | Misleading Token ID Counter |
| PVR-01M | | | Potentially Unwarranted Predicate Case |
| PVR-02M | | | Incorrect Assumption of Function |
| RCR-01M | | | Improper Imposition of Claim Fee |
| RCR-02M | | | Inexistent Validation of Loan Expiry |