Omniscia Bolide Finance Audit

Main Storage Module Security Audit

Audit Overview

We were tasked with performing an audit of the Bolide Finance system and in particular their Storage module meant to support staking of BLID assets as well as special tokens supported by the system itself.

Over the course of the audit, we identified multiple vulnerabilities two of which we considered of high severity and we believe impact the live deployment of the Bolide Finance system. We urge the Bolide Finance team to validate this and take appropriate action to prevent the vulnerabilities from being exploited.

As an additional point, we would like to note that this audit does not constitute a full audit of the Bolide Finance protocol and certain integration points such as the one with the Logic contract have not been validated and have been treated as if they are behaving as expected. We advise the Bolide Finance team to perform an audit of their overall protocol in light of this audit's findings.

We advise the Bolide Finance team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.

Post-Audit Conclusion

The Bolide Finance team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.

We evaluated all alleviations performed by Bolide Finance and have identified that certain exhibits have not been adequately dealt with. We strongly advise the Bolide Finance team to revisit the following exhibits: SEG-06C, SEG-03M, SEG-10M, SEG-11M, SEG-12M, SEG-14M, SEG-15M

Post-Audit Conclusion (c2c03f7731)

The Bolide Finance team produced a detailed document that illustrates the various formulas in use throughout the codebase as well as why certain assumptions we had regarding the system were invalid.

After revisiting all of our outstanding findings, we have assessed that the following require additional action / input on Bolide Finance's end: SEG-10M & SEG-12M

Final Verdict

The Bolide Finance team has opted to not apply security measures for the still-susceptible functions described in SEG-10M as they believe them to be of no security concern.

With regard to SEG-12M, the Bolide Finance team analyzed the scenario included within the exhibit and concluded that the formula behaves according to their business requirements regardless of the behaviour we identified.

Based on these statements, we have marked the exhibit as acknowledged given that the behaviour it describes is desirable by the Bolide Finance team.

Contracts Assessed

Files in ScopeRepositoryCommit(s)
Storage.sol (SEG)contractsdb3a9ab0bf,
fcd1a542d2,
c2c03f7731

Audit Synopsis

SeverityIdentifiedAlleviatedPartially AlleviatedAcknowledged
4301
121200
6600
2200
4301

During the audit, we filtered and validated a total of 4 findings utilizing static analysis tools as well as identified a total of 24 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: