Omniscia Mitosis Audit
Core Protocol Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 5297bb74fa | February 27th 2024 | a75a6d644a |
| 58e8cc66df | March 6th 2024 | 0a4843be8e |
| 0d29218ad3 | April 24th 2024 | b2f09be65e |
| 67e2cd4ae4 | April 28th 2024 | ae9aa3c83e |
Audit Overview
We were tasked with performing an audit of the Mitosis codebase and in particular their cross-chain deposit vault module integrating with the Hyperlane ecosystem.
Over the course of the audit, we identified multiple issues in the way the cross-chain bridges are integrated as well as in the way the contracts interact between them and encode payloads for each other.
We advise the Mitosis team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Mitosis team iterated through a curated list of non-informational findings that we had shared ahead of time and provided us with a revised commit hash to evaluate this subset of exhibits on.
We evaluated the alleviations performed by Mitosis and have identified that certain exhibits have not been adequately dealt with. We advise the Mitosis team to revisit the following exhibits: CCM-03M, ABA-02M, PZE-03M, OBA-02M, BVT-05M
This audit report cannot be considered finalized at this point as many exhibits remain open and are expected to be dealt with by the Mitosis team in a follow-up commit.
Post-Audit Conclusion (5297bb74fa)
We validated the full list of preliminary non-informational findings we shared ahead of time with the Mitosis team during this iteration and identified certain exhibits that require follow-up action.
Specifically, the following exhibits should be re-evaluated by the Mitosis team in addition to the ones mentioned in the previous chapter: CPA-02M, VHB-02M
Finally, all findings that remain open must be re-visited by the Mitosis team as they represent either new findings that were identified in the follow-up audit rounds, or informational findings that were not included in the preliminary draft version that was shared with the Mitosis team.
Post-Audit Conclusion (58e8cc66df)
The Mitosis team provided supplemental alleviations for the remaining open exhibits in the audit report.
We validated those follow-up actions and observed that BVT-02M requires additional attention whilst CPA-04M remains open rendering this report to not be able to be released publicly.
Additionally, OBA-02M, CCM-05C, and CCD-03C have been partially alleviated and should be revisited by the Mitosis team.
Post-Audit Conclusion (0d29218ad3)
The Mitosis team provided us with a follow-up commit to evaluate the introduced delta as well as the remaining exhibits that are open within the audit report.
During this follow-up round, we observed that exhibit OBA-02M and CCM-06C were fully alleviated whilst the CCM-05C exhibit's optimization was regressed to avoid the flaw that was introduced via it instead of being corrected.
Additionally, the following important manual review exhibits have had no additional remediative action and thus remain either partially addressed or open: CPA-04M, BVT-05M
The following exhibits remain safely acknowledged and do not require any follow-up action: PZE-02M, CCM-03M, MEG-01C, CCM-04C, CCD-03C
In the delta since the previous commit, we made the following observations:
- The data structures were slightly re-ordered, which would render an upgrade of the system incompatible with its previous proxy implementations
- A
nonZeromodifier has been introduced toEETHDepositHelper&CCDMHostwhich evaluates a tautology in part (an unsigned integer can never be below0) - An optimization that was previously applied has been regressed in the
Cap::setEpochCapfunction in relation to aforloop - A
Permit::trustlessPermitfunction was introduced that will fallback to approval validation; it is imperative that the library is never used with an arbitraryfromargument to prevent exploitations as described here
We strongly advise the Mitosis team to evaluate the aforementioned bullet points in addition to re-visiting the open manual review findings and specifically CPA-04M and BVT-05M which are important to the project's secure operation.
Post-Audit Conclusion (67e2cd4ae4)
The Mitosis team evaluated the concerns we raised in the latest post-audit conclusion, and proceeded with providing supplemental alleviations for exhibits CPA-04M and BVT-05M.
In detail, the faulty logic surrounding the BVT-05M exhibit has been eliminated from the codebase entirely as a concept, rendering the exhibit no longer applicable and thus effectively addressed.
The CPA-04M exhibit was considered as acknowledged after additional gas-related limitations were imposed per epoch and the Mitosis team's analysis of the attack vector considered it to be an acceptable risk.
While no action has been taken for the aforementioned bullet points, they do not pose an active security risk and instead highlight potential optimizations and issues of the code that would arise in future versions.
Overall, we consider the audit engagement concluded as all the report's outputs have been carefully assessed by the Mitosis team and selectively applied to conform with their business requirements.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
 | 2 | 2 | 0 | 0 |
 | 43 | 39 | 1 | 3 |
 | 14 | 13 | 0 | 1 |
 | 6 | 4 | 1 | 1 |
 | 6 | 6 | 0 | 0 |
During the audit, we filtered and validated a total of 11 findings utilizing static analysis tools as well as identified a total of 60 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: