Omniscia Myso Finance Audit
Lending Protocol Security Audit
Audit Revisions
Commit Hash | Date | Revision Hash |
---|---|---|
c740f7c6b5 | May 21st 2023 | 0340c7bb41 |
37cf23668b | May 22nd 2023 | 5be8405c19 |
37cf23668b | May 22nd 2023 | 07edb83987 |
Audit Overview
We were tasked with performing an audit of the Myso Finance ecosystem and in particular their zero-liquidation loan implementations that function in a peer-to-peer as well as peer-to-pool model.
Over the course of the audit, we identified multiple vulnerabilities that arise from insufficient coverage of edge cases which, while potentially difficult to manifest, could result in significant misbehaviours of the protocol.
As the project explores a novel lending and borrowing system, we analyzed it using the documentation provided to us by Myso Finance as well as our expertise in lending protocols.
We evaluated the adaptation of the Alpha Homora V2 formula in UniV2Chainlink and identified that it behaves as expected under multiple "abnormal" trading pairs (such as USDC / USDT pairs with low decimals) despite its reduced arithmetic accuracy.
In regard to the compartment modules, we evaluated that all compartments behave according to their specifications as well as the protocols they integrate with.
To this end, we identified that while the CurveLPStakingCompartment integrates properly with all versions of Curve Finance liquidity gauges (V1, V2, V3, V4, and V5 at the time of this audit), it contained a flaw when interacting with multi-token reward gauges.
We advise the Myso Finance team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them, as well as to consider all optimizational exhibits it contains.
Post-Audit Conclusion
The Myso Finance team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Myso Finance and have identified that all exhibits of non-informational nature have been adequately alleviated.
Of the informational / inconsequential exhibits within the report, we have identified that the following were either acknowledged or partially alleviated: ESR-01C, LVI-01S, LVI-03C, LPF-01S, LPI-02C, FPL-03C.
Post-Audit Conclusion (37cf23668b)
The Myso Finance team proceeded to acknowledge exhibit ESR-01C and to correctly alleviate all the remaining exhibits that had been improperly alleviated in the previous commit.
The latest changes did not introduce any vulnerabilities to the Myso Finance system and were performed with the latest security standards and style guidelines in mind.
Contracts Assessed
Files in Scope | Repository | Commit(s) |
---|---|---|
AddressRegistry.sol (ARY) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
AaveStakingCompartment.sol (ASC) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
BaseCompartment.sol (BCT) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
BorrowerGateway.sol (BGY) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
BalancerV2Looping.sol (BVL) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
Constants.sol (CST) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
ChainlinkBasic.sol (CBC) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
ChainlinkBasicWithWbtc.sol (CBW) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
CurveLPStakingCompartment.sol (CLP) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
DataTypesPeerToPeer.sol (DTP) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
DataTypesPeerToPool.sol (DTT) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
Errors.sol (ESR) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
FundingPool.sol (FPL) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
GLPStakingCompartment.sol (GLP) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
LenderVaultImpl.sol (LVI) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
LoanProposalImpl.sol (LPI) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
LenderVaultFactory.sol (LVF) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
LoanProposalFactory.sol (LPF) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
Ownable.sol (OEL) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
OlympusOracle.sol (OOE) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
QuoteHandler.sol (QHR) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
UniV3Looping.sol (UVL) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
UniV2Chainlink.sol (UVC) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
VoteCompartment.sol (VCT) | v2 | 7755e69224, c740f7c6b5, 37cf23668b |
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| | 2 | 2 | 0 | 0 |
| | 40 | 39 | 0 | 1 |
| | 17 | 17 | 0 | 0 |
| | 7 | 7 | 0 | 0 |
| | 3 | 3 | 0 | 0 |
During the audit, we filtered and validated a total of 12 findings utilizing static analysis tools as well as identified a total of 57 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
The list below covers each segment of the audit in depth and links to the respective chapter of the report: