Call Option System V3 Security Audit

Audit Report Revisions

Audit Overview

We were tasked with performing an audit of the Myso Finance codebase and in particular their call option implementation supporting a variety of option styles.

Specifically, the system utilizes a singleton Escrow implementation with multiple initialization mechanisms that allow for the following three option types to be created:

• Dutch style auctions with a consistently lowering premium that can be immediately purchased and initialized as options by a bid that satisfies the current price of the auction
• RFQ off-chain matched options that utilize signature validation on the router level to be created and immediately paid for
• Mint options that permit an option to simply be minted without any premium payments involved

All of the aforementioned option initialization mechanisms will result in an option with the same feature set available:

• Exercise of the option at the established strike price
• Usage of the underlying funds for on-chain as well as off-chain voting
• Borrowing of underlying funds via settlement token funds
• Repaying of any borrowed debt via underlying funds to unlock the relevant settlement funds

Dutch style auction option creations will utilize an oracle to automatically establish a strike price whereas RFQ and directly minted options have a pre-determined strike price established in absolute terms.

Finally, the Router implementation itself also supports a signature-based instant swap mechanism that allows off-chain established swaps to be actuated on-chain via the same contract utilized for option creations.

We validated that all implementations conform to the specifications outlined in the documentation of the project and we did not identify any vulnerabilities that can directly affect funds.

The system has been implemented following a security-oriented approach by applying the Checks-Effects-Interactions (CEI) pattern extensively and enforcing strict access control as well as restrictions to all interactions in the system.

Over the course of the audit, we identified certain optimizations that can be applied to the code, legacy EIP-1271 support that can be introduced, as well as an option exercise path that we believe should be permitted to increase the userbase of the system.

We advise the Myso Finance team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.

Post-Audit Conclusion

The Myso Finance team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.

We evaluated all alleviations performed by Myso Finance and have confirmed that all non-informational findings have either been properly alleviated or safely acknowledged.

The following informational finding remains partially addressed and should be revisited: EWO-02C

Post-Audit Conclusion (51c2ce57f6)

The Myso Finance team provided us with a commit hash to evaluate a follow-up remediative action for EWO-02C.

We identified that the exhibit has yet to be addressed in full as one more instance highlighted within it remains.

Post-Audit Conclusion (af42d4effc)

The Myso Finance team fully addressed exhibit EWO-02C in this commit by taking care of the final instance of the exhibit.

Post-Audit Conclusion (e90bdef833)

A vulnerability was identified in the Escrow contract and in particular in its borrowing and lending operations which were improperly calculating the collateral needed to borrow as well as the collateral needed to repay an open borrow position.

After discussions with the Myso Finance team, we concluded that the most optimal approach would be to correct the calculation to reflect the implementation of an option's exercise, and to ensure that borrow operations round upward whereas repay operations round downward so as to avoid any truncation-based value leaks in the system.

The Myso Finance team evaluated our proposal and proceeded to implement it in the latest commit hash of the audit report which we validated as being a correct remediation to the vulnerability identified.

Post-Audit Conclusion (6feef999af)

A potential issue was identified in the Escrow contract and in particular in the way auctions are handled.

In detail, it is possible for an Escrow owner to withdraw the funds within it when no auction bids have been performed.

As the Router contract does not prevent interactions with withdraw Escrow contracts, it would have been possible to issue a bid on an empty Escrow contract incorrectly.

The Myso Finance team proposed a balance evaluation to assess whether an Escrow has had its auction cancelled which we advised as dangerous due to the potential to affect balance measurements via direct EIP-20 asset transfers.

A new _auctionCancelled flag was ultimately introduced to the Escrow contract that is set if a withdraw occurs when the option has not been minted to properly prevent bids from occurring within it, ensuring the aforementioned misbehaviour cannot arise.

We consider all outputs of the audit report properly consumed by the Myso Finance team with no outstanding remediative actions remaining.

Audit Synopsis

Severity	Identified	Alleviated	Partially Alleviated	Acknowledged
	0	0	0	0
	7	7	0	0
	2	1	0	1
	1	1	0	0
	0	0	0	0

During the audit, we filtered and validated a total of 2 findings utilizing static analysis tools as well as identified a total of 8 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.

Total Alleviations

The list below covers each segment of the audit in depth and links to the respective chapter of the report:

• 🎯 Scope
• 💻 Compilation
• 🔍 Static Analysis
• 👁️ Manual Review
• 🖋️ Code Style