Omniscia Evergon Labs Audit
Tokenizer Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 3bf02f2382 | December 20th 2024 | 6fa883b1a7 |
| 71cda4ccfd | January 30th 2025 | 0a1222ff78 |
| d7b20c134f | February 26th 2025 | 620461a916 |
Audit Overview
We were tasked with performing an audit of the Evergon Labs codebase and in particular their Tokenizer module.
The Tokenizer system integrates closely with the Evergon Labs ODC ecosystem to permit multiple assets to be wrapped into a singleton NFT, which is in turn wrapped into a fractionalized EIP-1155 implementation. That implementation introduces many features that permit users to purchase from and interact with the tokenized assets.
To facilitate complex interactions, the system implements the concept of states, together with facet implementations that handle the transition from one state to another. Additionally, an oracle system is implemented that permits automatic state transitions based on price thresholds.
Over the course of the audit, we identified several vulnerabilities stemming from direct interaction with the underlying ODC system that bypasses the Tokenizer facets, inadequate access control, and certain invalid state transition function implementations.
The system is highly configurable, and the proper configuration of a campaign ID with the correct required and optional selectors is difficult to pinpoint precisely due to the several permutations permitted in each instance.
To this end, we strongly recommend that the system's documentation be expanded with a matrix table that labels which configurational facets are compatible with which, so as to aid integrators in deploying their campaigns.
We advise the Evergon Labs team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them, as well as to consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Evergon Labs team iterated through all findings within the report and provided us with a revised commit hash against which to evaluate all exhibits.
Additionally, the Evergon Labs team provided us with a list of findings that they identified in parallel to our audit so that we can keep track of their progress as well as validate their remediation.
In detail, a vulnerability was found in relation to refunds processed after a non-funded state, whereby the system did not account for discount mechanisms. This required a tandem refactoring of the ODC system to utilize a genesis ID system that keeps track of which refunds should be processed at which rate.
Another important issue that was identified was the absence of a mechanism to recover unsold fractions as well as wrapped assets. The resolution of this issue once again relies on the aforementioned genesis ID system.
While we have confirmed that, from an integration standpoint, these issues appear to have been resolved, we will re-evaluate the alleviation of these two items once the ODC system has been thoroughly audited and its audit finalized, as the alleviations of those two issues are intricately intertwined with the inner workings of the refactored ODC implementation.
We evaluated all alleviations performed by Evergon Labs and have identified that a particular exhibit has not been adequately dealt with. We advise the Evergon Labs team to revisit the following exhibit: FIA-01M.
Additionally, the following informational findings remain unaddressed and should be revisited: LOS-05C, FIA-05C, BFD-02C, SFF-02C.
Post-Audit Conclusion (d7b20c134f)
The Evergon Labs team evaluated the information provided in the aforementioned list of exhibits and opted to alleviate all of them.
We validated that all outstanding exhibits within the audit report have been properly alleviated and consider all outputs of the audit report properly consumed by the Evergon Labs team.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| | 0 | 0 | 0 | 0 |
| | 90 | 90 | 0 | 0 |
| | 5 | 5 | 0 | 0 |
| | 9 | 9 | 0 | 0 |
| | 15 | 15 | 0 | 0 |
During the audit, we filtered and validated a total of 6 findings utilizing static analysis tools and identified a total of 113 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report:




