Omniscia KlimaDAO Audit
KlimaBondingCalculator_v2 Manual Review Findings
KlimaBondingCalculator_v2 Manual Review Findings
KBC-01M: Incorrect Markdown Calculation
Type | Severity | Location |
---|---|---|
Mathematical Operations | Major | KlimaBondingCalculator_v2.sol:L312 |
Description:
The markdown
calculation performs an incorrect mathematical operation in case the first token of the pair is the USDC
address as the decimals of KLIMA
differ from that of USDC
by 3 units.
Example:
303function markdown( address _pair ) external view returns ( uint ) {304 ( uint reserve0, uint reserve1, ) = IUniswapV2Pair( _pair ).getReserves();305
306 uint reserve;307 if ( IUniswapV2Pair( _pair ).token0() == KLIMA || IUniswapV2Pair( _pair ).token0() == USDC ) {308 reserve = reserve1;309 } else {310 reserve = reserve0;311 }312 return reserve.mul( 2 * ( 10 ** IERC20( KLIMA ).decimals() ) ).div( getTotalValue( _pair ) );313}
Recommendation:
We strongly advise the calculation to use the proper unit offset depending on which token is being used as the paired asset.
Alleviation:
The KlimaDAO team stated that the code performs as intended and that the debt ratios in the bond account account for this discrepancy.
KBC-02M: Improper Token Assumption
Type | Severity | Location |
---|---|---|
Logical Fault | Medium | KlimaBondingCalculator_v2.sol:L307, L309 |
Description:
The markdown
function assumes that if the first token is neither KLIMA
nor USDC
, the second token will be which may not be the case if the Uniswap pair is completely unrelated.
Example:
303function markdown( address _pair ) external view returns ( uint ) {304 ( uint reserve0, uint reserve1, ) = IUniswapV2Pair( _pair ).getReserves();305
306 uint reserve;307 if ( IUniswapV2Pair( _pair ).token0() == KLIMA || IUniswapV2Pair( _pair ).token0() == USDC ) {308 reserve = reserve1;309 } else {310 reserve = reserve0;311 }312 return reserve.mul( 2 * ( 10 ** IERC20( KLIMA ).decimals() ) ).div( getTotalValue( _pair ) );313}
Recommendation:
We advise the token1
of the pair to be validated properly to ensure correct execution of the markdown
function.
Alleviation:
The KlimaDAO team stated that the code performs as intended and that no validation of the paired asset is necessary.
KBC-03M: Ambiguous Dual Token Support
Type | Severity | Location |
---|---|---|
Logical Fault | Minor | KlimaBondingCalculator_v2.sol:L307, L312 |
Description:
The support of two tokens for assessing the markdown
is ambiguous as it does not have clearly defined behaviour in case both USDC
and KLIMA
are part of a Uniswap pair.
Example:
303function markdown( address _pair ) external view returns ( uint ) {304 ( uint reserve0, uint reserve1, ) = IUniswapV2Pair( _pair ).getReserves();305
306 uint reserve;307 if ( IUniswapV2Pair( _pair ).token0() == KLIMA || IUniswapV2Pair( _pair ).token0() == USDC ) {308 reserve = reserve1;309 } else {310 reserve = reserve0;311 }312 return reserve.mul( 2 * ( 10 ** IERC20( KLIMA ).decimals() ) ).div( getTotalValue( _pair ) );313}
Recommendation:
We advise this portion of the codebase to be expanded upon to clearly define all logic paths as it can lead to unexpected behaviour.
Alleviation:
The KlimaDAO team stated that the code performs as intended and that the support of two tokens is by design.