Omniscia Mitosis Audit

Core Protocol Security Audit

Audit Report Revisions

Commit HashDateAudit Report Hash
5297bb74faFebruary 27th 2024a75a6d644a
58e8cc66dfMarch 6th 20240a4843be8e
0d29218ad3April 24th 2024b2f09be65e
67e2cd4ae4April 28th 2024ae9aa3c83e

Audit Overview

We were tasked with performing an audit of the Mitosis codebase and in particular their cross-chain deposit vault module integrating with the Hyperlane ecosystem.

Over the course of the audit, we identified multiple issues in the way the cross-chain bridges are integrated as well as in the way the contracts interact between them and encode payloads for each other.

We advise the Mitosis team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.

Post-Audit Conclusion

The Mitosis team iterated through a curated list of non-informational findings that we had shared ahead of time and provided us with a revised commit hash to evaluate this subset of exhibits on.

We evaluated the alleviations performed by Mitosis and have identified that certain exhibits have not been adequately dealt with. We advise the Mitosis team to revisit the following exhibits: CCM-03M, ABA-02M, PZE-03M, OBA-02M, BVT-05M

This audit report cannot be considered finalized at this point as many exhibits remain open and are expected to be dealt with by the Mitosis team in a follow-up commit.

Post-Audit Conclusion (5297bb74fa)

We validated the full list of preliminary non-informational findings we shared ahead of time with the Mitosis team during this iteration and identified certain exhibits that require follow-up action.

Specifically, the following exhibits should be re-evaluated by the Mitosis team in addition to the ones mentioned in the previous chapter: CPA-02M, VHB-02M

Finally, all findings that remain open must be re-visited by the Mitosis team as they represent either new findings that were identified in the follow-up audit rounds, or informational findings that were not included in the preliminary draft version that was shared with the Mitosis team.

Post-Audit Conclusion (58e8cc66df)

The Mitosis team provided supplemental alleviations for the remaining open exhibits in the audit report.

We validated those follow-up actions and observed that BVT-02M requires additional attention whilst CPA-04M remains open rendering this report to not be able to be released publicly.

Additionally, OBA-02M, CCM-05C, and CCD-03C have been partially alleviated and should be revisited by the Mitosis team.

Post-Audit Conclusion (0d29218ad3)

The Mitosis team provided us with a follow-up commit to evaluate the introduced delta as well as the remaining exhibits that are open within the audit report.

During this follow-up round, we observed that exhibit OBA-02M and CCM-06C were fully alleviated whilst the CCM-05C exhibit's optimization was regressed to avoid the flaw that was introduced via it instead of being corrected.

Additionally, the following important manual review exhibits have had no additional remediative action and thus remain either partially addressed or open: CPA-04M, BVT-05M

The following exhibits remain safely acknowledged and do not require any follow-up action: PZE-02M, CCM-03M, MEG-01C, CCM-04C, CCD-03C

In the delta since the previous commit, we made the following observations:

  • The data structures were slightly re-ordered, which would render an upgrade of the system incompatible with its previous proxy implementations
  • A nonZero modifier has been introduced to EETHDepositHelper & CCDMHost which evaluates a tautology in part (an unsigned integer can never be below 0)
  • An optimization that was previously applied has been regressed in the Cap::setEpochCap function in relation to a for loop
  • A Permit::trustlessPermit function was introduced that will fallback to approval validation; it is imperative that the library is never used with an arbitrary from argument to prevent exploitations as described here

We strongly advise the Mitosis team to evaluate the aforementioned bullet points in addition to re-visiting the open manual review findings and specifically CPA-04M and BVT-05M which are important to the project's secure operation.

Post-Audit Conclusion (67e2cd4ae4)

The Mitosis team evaluated the concerns we raised in the latest post-audit conclusion, and proceeded with providing supplemental alleviations for exhibits CPA-04M and BVT-05M.

In detail, the faulty logic surrounding the BVT-05M exhibit has been eliminated from the codebase entirely as a concept, rendering the exhibit no longer applicable and thus effectively addressed.

The CPA-04M exhibit was considered as acknowledged after additional gas-related limitations were imposed per epoch and the Mitosis team's analysis of the attack vector considered it to be an acceptable risk.

While no action has been taken for the aforementioned bullet points, they do not pose an active security risk and instead highlight potential optimizations and issues of the code that would arise in future versions.

Overall, we consider the audit engagement concluded as all the report's outputs have been carefully assessed by the Mitosis team and selectively applied to conform with their business requirements.

Audit Synopsis

SeverityIdentifiedAlleviatedPartially AlleviatedAcknowledged
2200
433913
141301
6411
6600

During the audit, we filtered and validated a total of 11 findings utilizing static analysis tools as well as identified a total of 60 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.

Total Alleviations

The list below covers each segment of the audit in depth and links to the respective chapter of the report: