Omniscia Avocado Fund Audit
Lending Sysetm Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 9e53d9f16b | March 28th 2026 | 8659857f1e |
| a859cd2191 | April 7th 2026 | 3e851304a9 |
| ca4268ecd3 | April 13th 2026 | b61405a38d |
| 28abe24a8b | May 7th 2026 | ed6aa4b6ad |
Audit Overview
We were tasked with performing an audit of the Avocado Fund codebase and in particular their lending system.
Over the course of the audit, we identified significant flaws in how interest is accrued and loan repayments are tracked within the AvocadoLending system alongside non-informational issues across the rest of the codebase.
We advise the Avocado Fund team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Avocado Fund team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Avocado Fund and have identified that a particular exhibit has been incorrectly alleviated and needs to be revisited: AVT-01C
Additionally, the following informational exhibit was partially addressed: VRS-01C
Finally, we identified several exhibits during our revision of the codebase which can be visited via the following finding IDs: ALG-01C, ALG-03M, VRS-03M
The codebase was updated with an additional boosting system in VaultRewards that has not been fully audited as well as a TokenVesting contract that has not been evaluated.
Given the prevalence of more vulnerabilities in this follow-up round, it is strongly advised that the scope is expanded to include the full TokenVesting implementation as well as the VaultRewards updates.
Post-Audit Conclusion (ca4268ecd3)
The Avocado Fund team provided us with a follow-up commit hash to evaluate alleviations for the aforementioned five exhibits: AVT-01C, VRS-01C, ALG-01C, ALG-03M, and VRS-03M.
We evaluated those alleviations and have identified that VRS-01C remains partially addressed whilst ALG-03M has been incorrectly alleviated and requires a revisit.
Post-Audit Conclusion (28abe24a8b)
The Avocado Fund team evaluated the latest recommendations we have provided for the two aforementioned exhibits and proceeded to address them.
Specifically, they have omitted the VaultRewards.sol contract from the codebase rendering exhibits pertaining to it inapplicable.
Exhibit ALG-03M has been properly alleviated, rendering all outputs of this audit report properly consumed by the Avocado Fund team.
As a final note, the commit hash covered by this audit report is no longer part of the public GitHub repository and can be viewed via direct commit references on the GitHub website.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
 | 0 | 0 | 0 | 0 |
 | 11 | 11 | 0 | 0 |
 | 5 | 5 | 0 | 0 |
 | 3 | 3 | 0 | 0 |
 | 3 | 3 | 0 | 0 |
During the audit, we filtered and validated a total of 4 findings utilizing static analysis tools as well as identified a total of 18 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: