Omniscia Evergon Labs Audit
TMI Staking Protocol Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| dd3cd83a38 | December 13th 2024 | d1d418903e |
| 5312126fb2 | January 27th 2025 | 69eae570b8 |
Audit Overview
We were tasked with performing an audit of the Evergon Labs codebase and in particular their Token Market Infrastructure (TMI) Staking Protocol.
The system implements a complex set of facets that are interconnected via an EIP-2535 Diamond implementation to facilitate the creation of staking campaigns that are highly dynamic and customizable.
All staking positions within the system are represented by EIP-721 NFTs whereas the actual staked assets as well as rewarded assets are abstracted into the concept of "packets" that can be composed of multiple assets (EIP-20, EIP-721, and EIP-1155 in the current version).
The system contains a barebones implementation that does not make use of NexeraID values as well as an NID specific version for both staking campaign creations as well as interactions with the campaigns.
Over the course of the audit, we identified certain complex cross-facet vulnerabilities that relate to configurability as well as dynamic call construction and we observed two significant flaws in the system's current implementation:
- A restake operation can be performed towards any position without authorization from the beneficiary, permitting a position's unlock time to be increased arbitrarily and thus result in certain campaign configurations to cause the staker to lose access to their funds
- Token configurations utilize a simplistic mapping when it comes to EIP-1155 assets, resulting in improper tokens-per-packet configured if different values are desired for different asset IDs under the same EIP-1155 token (a normal use-case scenario)
As a final note, the system implements multiple facets that are purpose-built to satisfy a particular aspect of a staking campaign and are meant to be combined during a campaign's creation.
We believe the documentation surrounding this aspect is inadequate as we identified several campaign configurations which would be permitted by the system but would ultimately be incorrect, some of which are outlined in the manual review portion of the audit report.
To this end, we strongly recommend that the Evergon Labs team enhances the documentation of the codebase and to clearly outline which campaign facets are compatible between them in a matrix table.
We advise the Evergon Labs team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Evergon Labs team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Evergon Labs and have identified that all exhibits have been adequately dealt with.
A single informational exhibit has been addressed albeit partially as its optimization has not been applied to its fullest extent: ACS-03C
Additionally, we observed a regression whereby the startingTimestamp of an NFT was incorrectly set to the block.timestamp, and outlined this concern to the Evergon Labs team.
Post-Audit Conclusion (5312126fb2)
The Evergon Labs team evaluated our observation as well as the ACS-03C finding that remained open, and provided a commit hash which alleviates both.
We validated that the style-related exhibit's optimization has been properly applied, and that the regression that was observed was properly alleviated.
We consider all outputs of the audit report properly consumed by the Evergon Labs team with no outstanding remediative actions remaining.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
 | 1 | 1 | 0 | 0 |
 | 89 | 89 | 0 | 0 |
 | 7 | 7 | 0 | 0 |
 | 5 | 5 | 0 | 0 |
 | 6 | 6 | 0 | 0 |
During the audit, we filtered and validated a total of 2 findings utilizing static analysis tools as well as identified a total of 106 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: