Omniscia Astrolab DAO Audit
Base Strategy Contracts Security Audit
Audit Report Revisions
Commit Hash | Date | Audit Report Hash |
---|---|---|
5427ca2aaa | March 2nd 2024 | 190edc3e59 |
59b75fbee1 | April 17th 2024 | 24abe7bc2d |
efbeab6478 | May 14th 2024 | a4b534feab |
cf5194da53 | June 5th 2024 | 86d778b017 |
cf5194da53 | June 13th 2024 | dfce318558 |
cf5194da53 | June 13th 2024 | 090dbf4cca |
Audit Overview
We were tasked with performing an audit of the Astrolab DAO codebase and in particular their Base Strategy Contracts module.
The project implements a base set of contracts meant to act as the backbone for EIP-4626 vaults that interact with multiple DeFi protocols via a custom proxy model.
Over the course of the audit, we identified vulnerabilities across multiple modules of the system including incorrect assembly blocks, incorrect downward price action handling, proxy-forwarded data corruption, and more.
The system implements a custom proxy model whereby the Strategy contract and the logic contract are separate, however, this is done so by retaining two different implementations that utilize a shared storage space.
In the current system, the logic contract (StrategyV5Agent in this case) will inherit two implementations that declare storage variables while the proxy contract (StrategyV5) will inherit three implementations.
This can trivially result in a clash of storage space which could ultimately result in data corruption and/or loss.
We recommend that the storage of the contracts be decoupled entirely into a single dedicated implementation, permitting it to be maintained and expanded as required between updates.
We advise the Astrolab DAO team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them, as well as consider all optimization-related exhibits identified in the report.
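The storage clash described above can be checked mechanically by laying out the slots of both contracts and diffing them. The model below is an added example, not Astrolab DAO code; the StorageA/StorageB/StorageC contracts and their variables are constructed, and it assumes a simple (non-diamond) hierarchy with one full slot per variable.

```python
"""Model of Solidity storage-slot assignment for a proxy and a logic contract
that share one storage space via delegatecall, to detect slot clashes.
Added example, not Astrolab DAO code. Contract names other than StrategyV5
and StrategyV5Agent are hypothetical; every variable is assumed to occupy a
full 32-byte slot (no packing), as uint256/address/mapping fields do."""
from typing import Dict, List, Tuple

# name -> (inherited bases in declaration order, own state variables as (name, type))
Contracts = Dict[str, Tuple[List[str], List[Tuple[str, str]]]]

def storage_layout(contracts: Contracts, name: str) -> List[Tuple[str, str, str]]:
    """Return [(contract, var, type)] in slot order: Solidity lays out the
    most-base contract first and the deriving contract's own variables last."""
    layout, seen = [], set()
    def visit(c: str) -> None:
        if c in seen:
            return
        seen.add(c)
        bases, own = contracts[c]
        for b in bases:
            visit(b)
        layout.extend((c, v, t) for v, t in own)
    visit(name)
    return layout

def slot_clashes(contracts: Contracts, proxy: str, logic: str) -> List[Tuple[int, str, str]]:
    """Slots where the proxy and the logic contract disagree on what is stored.
    A write by the logic (via delegatecall) to such a slot corrupts the proxy's view."""
    p, l = storage_layout(contracts, proxy), storage_layout(contracts, logic)
    clashes = []
    for slot in range(min(len(p), len(l))):
        if (p[slot][1], p[slot][2]) != (l[slot][1], l[slot][2]):
            clashes.append((slot, f"{p[slot][0]}.{p[slot][1]}", f"{l[slot][0]}.{l[slot][1]}"))
    return clashes

# Constructed hierarchy mirroring the finding: the proxy inherits three
# storage-declaring implementations, the logic contract only two of them.
CONTRACTS: Contracts = {
    "StorageA": ([], [("owner", "address"), ("totalAssets", "uint256")]),
    "StorageB": ([], [("feeBps", "uint256")]),
    "StorageC": ([], [("agent", "address")]),
    "StrategyV5": (["StorageA", "StorageB", "StorageC"], [("paused", "bool")]),
    "StrategyV5Agent": (["StorageA", "StorageC"], [("paused", "bool")]),
}

if __name__ == "__main__":
    for slot, pv, lv in slot_clashes(CONTRACTS, "StrategyV5", "StrategyV5Agent"):
        print(f"slot {slot}: proxy sees {pv}, logic writes {lv}")
```

With a single dedicated storage contract inherited by both sides, the two layouts become identical and the clash list is empty.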
Post-Audit Conclusion
The Post-Audit Conclusion chapters of the audit report are presented in historical order from oldest to latest. To evaluate the latest state of the codebase, kindly proceed to the last Post-Audit Conclusion chapter of the audit report.
The Astrolab DAO team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Astrolab DAO and have identified that certain exhibits have not been adequately dealt with. We advise the Astrolab DAO team to revisit the following exhibits which have either been partially alleviated, not alleviated, or incorrectly alleviated: A62-12M, AME-01M, ASS-04M, CUS-01C, ASS-02M, A62-08M, A62-07M, A62-11M, SVA-04M, AAS-01M, AAS-02M, SV5-03M, PUS-01C
Additionally, the following informational findings remain either partially addressed or unaddressed and should be revisited: ASS-02C, ASS-01C, ASS-03C, AME-02C, AMS-01C, AMS-04C, AMS-02C, AMS-03C, ARA-01C, ARE-04C, ARE-02C, SVA-01C, AAS-02C, SV5-02C, SV5-04C, SV5-06C
Post-Audit Conclusion (efbeab6478)
The Astrolab DAO team provided us with a follow-up commit to evaluate additional remediations carried out for the instances that remained open in the previous round, as well as general adjustments in relation to the EIP-7540 compliancy of the As4626 implementation.
We observed that exhibit A62-11M, which concerns EIP-7540 compliancy, is still not resolved despite the change in the project's direction to solely support redemption requests, as the EIP is still not satisfied in this regard.
In addition to the aforementioned exhibits that remain open, the following exhibits have been marked as acknowledged explicitly by the Astrolab DAO team: AME-01M, AME-02C, ASS-01C, ASS-02C, ASS-03C, AAS-02C, SV5-06C, AMS-01C, AMS-02C, AMS-03C, AMS-04C, ARA-01C, ARE-02C, ARE-04C, SV5-03M
Finally, in between the production of the previous final iteration and the current version, we came in contact with the Pyth Network team to clarify what limitations should be imposed on their oracles.
The Pyth Network team contradicted the SDK implementation and instead clarified that the exponents supported by the Pyth Network oracle software are within the following range: [-12,12]
In light of this information, we advise the PythProvider::_toUsdBp function to be updated with those exponents in mind, properly supporting positive as well as negative exponents, which it presently does not.
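A converter that handles the full exponent range confirmed by Pyth, as an added example and not the project's PythProvider::_toUsdBp code; that one USD equals 10_000 basis points, the helper names, and the negative-only contrast function are assumptions.

```python
"""Conversion of a Pyth price (integer mantissa `price` scaled by 10**expo)
into USD basis points, accepting both signs of exponent within [-12, 12].
Added example, not Astrolab DAO code; 1 USD == 10_000 bp is an assumption."""
BP_PER_USD = 10_000
MIN_EXPO, MAX_EXPO = -12, 12   # exponent range confirmed by the Pyth Network team

def to_usd_bp(price: int, expo: int) -> int:
    """Return price * 10**expo expressed in USD basis points as an integer.
    An exponent outside [MIN_EXPO, MAX_EXPO] or a non-positive price is
    rejected rather than silently producing a wrong or zero value."""
    if price <= 0:
        raise ValueError(f"invalid Pyth price {price}")
    if not MIN_EXPO <= expo <= MAX_EXPO:
        raise ValueError(f"exponent {expo} outside [{MIN_EXPO}, {MAX_EXPO}]")
    if expo >= 0:
        # positive exponent: pure multiplication, no precision loss
        return price * BP_PER_USD * 10 ** expo
    # negative exponent: scale up before dividing so only sub-bp precision is lost
    return (price * BP_PER_USD) // 10 ** (-expo)

def negative_only_to_usd_bp(price: int, expo: int) -> int:
    """Hypothetical converter that only anticipates negative exponents; mirrors
    the Solidity behaviour of `10 ** uint256(-expo)`, which cannot represent a
    positive expo, by raising instead of returning a value."""
    if expo > 0:
        raise OverflowError("uint256(-expo) is not representable for positive expo")
    return (price * BP_PER_USD) // 10 ** (-expo)

# Constructed sample feeds: (price, expo) pairs in both exponent signs.
SAMPLE_FEEDS = [(2_000_000_000, -8), (5, 2), (123_456_789, -12), (1, 12)]

if __name__ == "__main__":
    for price, expo in SAMPLE_FEEDS:
        print(f"price={price} expo={expo} -> {to_usd_bp(price, expo)} bp")
```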
Post-Audit Conclusion (cf5194da53)
The Astrolab DAO team revisited a subset of the exhibits mentioned in the previous chapter; namely: A62-11M, AAS-02C, AMS-02C, AMS-04C, ARE-02C
All aforementioned exhibits have been properly alleviated in the latest commit hash of the codebase that was evaluated, and any that were not mentioned have been marked as acknowledged.
Additionally, the PythProvider related concerns have been addressed by incorporating support for positive exponents as well as adjusting the range of permitted exponent values.
We consider all outputs of the audit report properly consumed by the Astrolab DAO team, and no further remediative actions are expected.
Audit Synopsis
Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
---|---|---|---|---|
(severity icon) | 0 | 0 | 0 | 0 |
(severity icon) | 64 | 52 | 0 | 12 |
(severity icon) | 23 | 22 | 0 | 1 |
(severity icon) | 0 | 0 | 0 | 0 |
(severity icon) | 9 | 9 | 0 | 0 |
During the audit, we filtered and validated a total of 7 findings utilizing static analysis tools as well as identified a total of 89 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings be dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: