Omniscia Nori Audit
Multiple Token Implementations Security Audit
Audit Overview
We were tasked with auditing the Nori codebase and in particular their token implementations as well as a special-purpose locked wrapped version of their bridged asset.
Over the course of the audit, we identified a significant non-compliance with the Polygon bridged asset standards that would cause the Nori token to be disallowed admission, as well as multiple ambiguities in the wrapped locked implementation that need to be addressed.
We advise the Nori team to consider all vulnerabilities identified within the report as well as the gas optimization findings that are outlined.
Post-Audit Conclusion
The Nori team considered all of our exhibits, provided an alleviation for all of them and guaranteed that findings relating to external protocols such as Polygon are validated with the respective protocol teams.
The codebase remains slightly convoluted in the scheduling utility implementation and we advise the Nori team to consider refactoring that particular segment of the codebase.
We should note that the codebase was re-evaluated based on the existing findings, and that new functionality introduced in the second commit, such as the batch operations, is not to be considered within scope of the audit.
In the latest commit, the transferability of the LockedNORI token was revoked via overridden function implementations and the documentation of the withdrawTo function was updated accordingly.
The prevention of token transfers greatly reduces the attack surface of the contract and increases its security level.
Contracts Assessed
Audit Synopsis
Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
---|---|---|---|---|
![]() | 2 | 2 | 0 | 0 |
![]() | 4 | 4 | 0 | 0 |
![]() | 1 | 0 | 0 | 1 |
![]() | 9 | 7 | 2 | 2 |
During the audit, we filtered and validated a total of 1 finding utilizing static analysis tools and identified a total of 15 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.
The list below covers each segment of the audit in depth and links to the respective chapter of the report: