Omniscia Moby Audit
Manual Review
Manual Review
A thorough line-by-line review was conducted on the codebase to identify potential malfunctions and vulnerabilities in Moby's Option Market.
As the project at hand implements an option market based on EIP-20 assets with EIP-1155 option representations, intricate care was put into ensuring that the flow of funds & assets within the system conforms to the specifications and restrictions laid forth within the protocol's specification.
We validated that all state transitions of the system occur within sane criteria and that all rudimentary formulas within the system execute as expected. We pinpointed multiple significant vulnerabilities within the system which could have had severe ramifications to its overall operation; more details can be observed in the audit's summary.
Additionally, the system was investigated for any other commonly present attack vectors such as re-entrancy attacks, mathematical truncations, logical flaws and ERC / EIP standard inconsistencies. The documentation of the project requires significant expansion across the board with all contracts containing minimal to no documentation.
A total of 107 findings were identified over the course of the manual review of which 25 findings concerned the behaviour and security of the system. The non-security related findings, such as optimizations, are included in the separate Code Style chapter.
The finding table below enumerates all these security / behavioural findings:
| ID | Severity | Addressed | Title |
|---|---|---|---|
| BPM-01M |  |  | Insecure Payment Performance (Permanent Queue DoS) |
| BTN-01M |  |  | Inexplicable Capability of Re-Configuration |
| CRE-01M |  | | Inexistent Validation of Long Threshold |
| ERG-01M | | | Non-Standard Storage Slot Offset |
| ERR-01M | | | Non-Standard Storage Slot Offset |
| ERS-01M | | | Non-Standard Storage Slot Offset |
| ERC-01M | | | Improper Mock Adjustments |
| FPF-01M | | | Inexistent Validation of Array Length Relations |
| FDR-01M | | | Inaccurate Distribution Mechanism |
| FDR-02M | |  | Unfair Fee Swaps |
| OMT-01M | | | Potentially Improper Upgrade of Main Stable Asset |
| PMR-01M | | | Incorrect Dry-Run of Ensuing Request (Double Processing of Position) |
| RTR-01M | | | Inexistent Transfer of Stake-Related Balances |
| RTR-02M | | | Invalid Multi-Asset Deposit System |
| SMH-01M | | | Incorrect SafeMath Implementation |
| SPD-01M | | | Improper Omission of Code |
| SPF-01M | | | Improper Omission of Code |
| TUP-01M | | | Inexistent Prevention of Accidentally Sent Funds |
| VTL-01M | | | Inexistent Removal of Whitelisted Token |
| VPF-01M | | | Uncommented Implementation Code |
| VPF-02M | | | Insecure Price Assumption |
| VUS-01M |  | | Inexistent Emission of Event |
| VUS-02M | | | Improper Handling of Vault Settlements |
| VUS-03M |  | | Unscalable Array Based Mechanism |
| YTN-01M | | | Inexplicable Capability of Re-Configuration |