Omniscia Mantissa Finance Audit

PoolVolatile Manual Review Findings

PoolVolatile Manual Review Findings

PVE-01M: Inexistent Restriction of Assets

TypeSeverityLocation
Input SanitizationPoolVolatile.sol:L446-L467

Description:

The PoolVolatile::getWithdrawAmountOtherToken function will allow arbitrary assets to be withdrawn from.

Example:

contracts/PoolVolatile.sol
446function getWithdrawAmountOtherToken(ILP lpToken, ILP otherLpToken, uint256 lpAmount) public view returns (uint256 amount, uint256 otherAmount, uint256 treasuryFees, uint256 lpFees) {
447 uint256 otherLiability = otherLpToken.liability();
448 require(otherLiability > 0, "ERR");
449
450 uint256 otherLpAmount = _getOracleAdjustedAmount(lpAmount, lpToken, otherLpToken);
451 otherAmount = otherLpAmount * otherLiability / otherLpToken.totalSupply();
452
453 uint256 otherLR = ((otherLpToken.asset() - otherAmount) * ONE_18) / otherLiability;
454 require(otherLR >= ONE_18, "LR low");
455
456 uint256 lpTokenLiability = lpToken.liability();
457 amount = lpAmount * lpTokenLiability / lpToken.totalSupply();
458 require(lpTokenLiability > amount, "DIV BY 0");
459 uint256 lpTokenLR = (lpToken.asset() * ONE_18) / (lpTokenLiability - amount);
460 require(otherLR >= lpTokenLR, "From LR higher");
461
462 uint256 nlr = getNetLiquidityRatio();
463 uint256 feeAmount = otherAmount * _getSwapFeeRatio(nlr) / 1e6;
464 lpFees = otherAmount * lpRatio / 1e6;
465 otherAmount = otherAmount - (feeAmount + lpFees);
466 treasuryFees = feeAmount * _getTreasuryRatio(nlr) / 1e6;
467}

Recommendation:

We advise the Mantissa Finance team to restrict assets in clusters that permit cross-pool withdrawals as the current mechanism appears to introduce a significant arbitrage opportunity under the right conditions.

Alleviation (5482fabf5bf6a263ff908434b42b7e771d0fb4ca):

The Mantissa Finance team re-evaluated this exhibit and opted to retain the current implementation in place, stating that proper exchange rates between the underlying assets are guaranteed by the oracle system and that no additional restriction measures need to be set in place.

As the Mantissa Finance team considers the current method of operation proper, we consider this exhibit fully alleviated.

PVE-02M: Inexistent Initialization Protection of Base Implementation

TypeSeverityLocation
Language SpecificPoolVolatile.sol:L16

Description:

The contract is meant to be upgradeable yet does not properly protect its logic deployment from malicious initializations.

Example:

contracts/PoolVolatile.sol
16contract PoolVolatile is Initializable, Ownable, Pausable, ReentrancyGuard {

Recommendation:

We advise a constructor to be introduced that either invokes the initializer modifier of the Initializable contract or invokes the Initializable::_disableInitializers function to prevent the base implementation from ever being initialized.

Alleviation (418ee413ad8e26f7eea383764c19953ff31b2bf3):

The Mantissa Finance evaluated this exhibit and stated that they wish to acknowledge it and that they will ensure the logic deployments are properly initialized whenever they are deployed.