Omniscia Astrolab DAO Audit
Manual Review
Manual Review
A thorough line-by-line review was conducted on the codebase to identify potential malfunctions and vulnerabilities in Astrolab DAO's base strategy contracts.
As the project at hand implements custom proxies w/ extensive assembly blocks, intricate care was put into ensuring that the flow of funds within the system conforms to the specifications and restrictions laid forth within the protocol's specification and that the EVM's restrictions are adhered to in all statements.
We validated that all state transitions of the system occur within sane criteria and that all rudimentary formulas within the system execute as expected. We pinpointed multiple significant vulnerabilities within the system which could have had severe ramifications to its overall operation; we urge the Astrolab DAO team to promptly evaluate and remediate them.
Additionally, the system was investigated for any other commonly present attack vectors such as re-entrancy attacks, mathematical truncations, logical flaws and ERC / EIP standard inconsistencies. The documentation of the project was satisfactory to the extent it need be, however, certain areas of the codebase such as expected EIP-7540 conformity should be expanded upon.
A total of 89 findings were identified over the course of the manual review of which 36 findings concerned the behaviour and security of the system. The non-security related findings, such as optimizations, are included in the separate Code Style chapter.
The finding table below enumerates all these security / behavioural findings:
| ID | Severity | Addressed | Title |
|---|---|---|---|
| A62-01M |  |  | Discrepancy of Access Control |
| A62-02M | | | Improper Allowance Adjustment |
| A62-03M | | | Improper Capture of Entry Fee |
| A62-04M | | | Improper Capture of Exit Fee |
| A62-05M | | | Incorrect Estimation of Deposits |
| A62-06M | | | Incorrect Estimation of Withdrawals |
| A62-07M | | | Incorrect Maintenance of Allowances in Redemption Requests |
| A62-08M | | | Inexistent Protection Against Re-Initialization |
| A62-09M | | | Potentially Invalid Cancellation Assumption |
| A62-10M |  | | Improper Accounting of Fees in Downward Price Action |
| A62-11M | | | Incorrect Implementation of EIP-7540 |
| A62-12M | | | Inexistent Reservation of Shares |
| AAT-01M | | | EIP-7540 Incompatibility |
| AAS-01M | | | Incorrect EVM Memory Assumptions |
| AAS-02M | | | Incorrect Usage of Memory |
| ACT-01M | | | Potentially Insecure Address Cast |
| AME-01M |  |  | Invalid Conditional Evaluation |
| AME-02M | | | Detachment of Authorized Role |
| AMS-01M | | | Improper Absolute Function Implementation |
| APY-01M | |  | Reservation of Function Signatures |
| APY-02M | | | Potentially Insecure Utilization of Scratch Space |
| APY-03M | | | Insecure Forwarded Payload |
| ASS-01M | | | Improper Sequential Set Shift Operation |
| ASS-02M | | | Inexistent Prevention of Duplicate Elements |
| ASS-03M | | | Invalid Sequential Set Shift Operation |
| ASS-04M | | | Invalid Sequential Set Unshift Operation |
| SV5-01M | | | Implementation & Documentation Mismatch |
| SV5-02M | | | Discrepancy of Liquidation Preview |
| SV5-03M | | | Insecure Casting Operations |
| SVA-01M | | | Discrepant Allowance Maintenance |
| SVA-02M | | | Improper No-Op Logic Statement |
| SVA-03M | | | Inexistent Erasure of Previous Approvals |
| SVA-04M | | | Inexistent Protection Against Re-Initialization |
| SVA-05M | | | Insecure Approval Operations |
| SVC-01M | | | Inexistent Prevention of Data Corruption |
| SVC-02M | | | Inexistent Validation of Prices |