Omniscia Maverick Protocol Audit
Reward Infrastructure Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 175f8c39b1 | May 13th 2024 | 7b08d86086 |
| 07ad29f773 | May 23rd 2024 | 60396644d4 |
| 7ad1f96f09 | June 5th 2024 | b55f81f9e0 |
Audit Overview
We were tasked with performing an audit of the Maverick Protocol codebase and in particular their Reward Infrastructure.
The codebase consists of a voting-escrowed token implementation, a staking system with built-in reward boosting for escrowing rewards, and an incentive matcher system that permits rewards distributed to the staking system for disbursement to be boosted as well.
We identified a significant vulnerability in the MaverickV2VotingEscrow contract and specifically around extensions of existing lockups which would result in loss of funds due to an overwrite instead of extension operation being performed.
The MaverickV2VotingEscrowWSync contract within the codebase represents a special variant of the MaverickV2VotingEscrow which permits the legacy V1 veMAV contract to be "synchronized" with the V2 system.
We confirmed that the integration is properly performed with the live deployment of the V1 veMAV implementation, however, we raised some concerns as to how the synchronization system behaves as well as its long-term viability. To note, a naming discrepancy was observed in the Lockup structure which does not affect the integration's safety.
In relation to the incentive matcher, we identified an important deficiency in relation to the voting budget which will never be distributed fully when more than one reward contracts are boosted as well as an insecure rollover of the vote budget when a subset of reward contracts have not been claimed yet for a particular epoch.
Finally, an incorrect authorization model was observed in relation to V2 MaverickV2VotingEscrow extensions that permits any user to extend the voting escrow entry of another to an arbitrary duration.
We advise the Maverick Protocol team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Maverick Protocol team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on as well as a descriptive document detailing the actions that the Maverick Protocol team has taken for each exhibit.
The main change introduced is a revamp of the way voting budget is distributed by the MaverickV2IncentiveMatcher contract which we validated in-depth to behave as expected.
We evaluated all alleviations performed by Maverick Protocol and have identified that a single exhibit was marked as addressed yet remains open in the codebase. The exhibit in question is: MVI-02C
Additionally, the following informational findings have had additional context introduced and should be revisited by the Maverick Protocol team: MVW-02C, MVS-02C, VEW-01C
Finally, we identified two additional optimizational exhibits during our revision of the codebase which can be visited via the following finding IDs: MVI-03C, MVI-05C
Post-Audit Conclusion (7ad1f96f09)
The Maverick Protocol team evaluated the newly identified optimizations detailed in the previous chapter, the follow-up clarifications we produced for several would-be acknowledged exhibits, as well as exhibit MVI-02C which remained unaddressed.
A new commit hash was supplied to us which contained all optimizations outlined in the previous chapter except for MVW-02C which was retained as acknowledged.
Given that all exhibits have been adequately addressed or acknowledged in the audit report, we consider all outputs properly processed by the Maverick Protocol team with no further actions necessary.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
 | 0 | 0 | 0 | 0 |
 | 38 | 26 | 1 | 11 |
 | 2 | 1 | 0 | 1 |
 | 4 | 4 | 0 | 0 |
 | 1 | 1 | 0 | 0 |
During the audit, we filtered and validated a total of 4 findings utilizing static analysis tools as well as identified a total of 41 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: