Omniscia Maverick Protocol Audit
Common Libraries Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 47287a62e1 | April 10th 2024 | 509fd5989f |
| 175f8c39b1 | May 2nd 2024 | 6652a74712 |
| 23cf815e61 | May 10th 2024 | 276e1ba6d7 |
Audit Overview
We were tasked with performing an audit of the Maverick Protocol codebase and in particular their common libraries in use by both the Maverick Protocol V2 AMM and periphery contracts.
The set of contracts within the v2-common folder closely intertwines with the Maverick Protocol V2 AMM and as such, we were able to validate multiple AMM-related formulae defined in the Maverick Protocol whitepaper draft.
Specifically, we validated the following formulae:
- 2.3.2 Adding Liquidity to a Bin: 2, 3, 4, 5, 9
- 2.4.2 Swapping in a Bin: 21, 22, 23
During the validation process, we observed a discrepancy between formula 22 and its implementation in the TickMath library. A term of the equation is represented as an addition in the whitepaper formula whilst it is actually a multiplicand in the implementation.
We believe the whitepaper is incorrect in this regard; however, we were unable to correlate either implementation with the quadratic formula defined at 21. We strongly advise that its expansion be elaborated in the whitepaper, as the b term simplification defined in the whitepaper is inadequate.
Another interesting point is in relation to formula 9 and its implementation at PoolLib::deltaTickBalanceFromDeltaLpBalance. While the binTotalSupply is seemingly utilized as-is instead of being a maximum between its value and 1, the underlying assembly block of Math::mulDivDown will take care of this operation.
From an optimizational perspective, we identified multiple areas that can be adjusted to reduce the overall gas costs incurred from utilizing the libraries within v2-common. Any optimization in an AMM model is valuable from a competitive perspective, and we strongly urge the Maverick Protocol V2 team to consider implementing the optimizations outlined.
We advise the Maverick Protocol team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Maverick Protocol team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Maverick Protocol and have identified that a particular exhibit has not been adequately dealt with. We advise the Maverick Protocol team to revisit the following exhibit: TLB-01M
Additionally, the following informational finding has had follow-up feedback introduced that may prompt the Maverick Protocol team into taking additional remediative actions: CST-01C
Post-Audit Conclusion (23cf815e61)
The Maverick Protocol team provided us with a follow-up commit to evaluate that included documentational and stylistic changes.
During the period between the previous conclusion round and the current one, we engaged with the Maverick Protocol team to further examine the validity of exhibit TLB-01M as well as the technical nuances surrounding it.
The research's conclusions can be identified in the exhibit itself, and its status has been updated to nullified to properly reflect this.
The follow-up recommendation provided in CST-01C has been acknowledged, concluding the audit engagement with no further actions expected from the Maverick Protocol team.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| | 2 | 2 | 0 | 0 |
| | 12 | 9 | 0 | 3 |
| | 1 | 1 | 0 | 0 |
| | 0 | 0 | 0 | 0 |
| | 0 | 0 | 0 | 0 |
During the audit, we filtered and validated a total of 1 finding utilizing static analysis tools and identified a total of 14 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly prior to the project's launch, as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report:




