Omniscia Steer Protocol Audit
Algebra Integral Position Manager Smart Rewarder Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 0d4dc69f5f | April 12th 2024 | 8d96e2a16a |
| e31556397b | April 23rd 2024 | 233594f487 |
| 9ea550ff0d | May 2nd 2024 | 493ef3ed1f |
Audit Overview
We were tasked with performing an audit of the Steer Protocol codebase and in particular their Algebra Integral Position Manager & Smart Rewarder module.
The Smart Rewarder module is meant to facilitate the disbursement of rewards to liquidity providers based on off-chain calculations by taking advantage of Merkle proofs to validate the distribution on-chain.
The SmartRewardDistributor is immune to second pre-image Merkle proof attacks because it constructs each Merkle leaf from three arguments whose combined encoded length exceeds 64 bytes.
A severe flaw was identified in the distributor, however, arising from the absence of any per-claim maintenance of the campaignCredit member, effectively permitting the allocation of a campaign to be exceeded and its refund to be performed improperly.
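As an added illustration (not code from the Steer Protocol repository or from this report), the following Python model shows the two properties discussed above: a leaf encoded from three fields whose preimage exceeds 64 bytes, so it can never coincide with the 64-byte preimage of an internal node, and a campaign credit that is decremented on every claim so that a refund returns only the unclaimed remainder. The field layout, names and the use of sha256 in place of keccak256 are assumptions.

```python
# Added illustration; field layout, names and sha256 (standing in for keccak256) are assumptions.
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def encode_leaf(campaign_id: int, account: bytes, amount: int) -> bytes:
    # Three fields: 32 + 20 + 32 = 84 bytes. An internal node's preimage is
    # always two 32-byte hashes (64 bytes), so a leaf preimage cannot be confused with one.
    assert len(account) == 20
    return campaign_id.to_bytes(32, "big") + account + amount.to_bytes(32, "big")

def hash_pair(a: bytes, b: bytes) -> bytes:
    return h(a + b) if a < b else h(b + a)   # sorted-pair hashing, 64-byte preimage

def build_root(leaf_preimages):
    level, levels = [h(l) for l in leaf_preimages], []
    levels.append(level)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]          # duplicate the last node on odd levels
        level = [hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return level[0], levels

def make_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append(level[index ^ 1])           # sibling at this level
        index //= 2
    return proof

def verify(root, leaf_preimage, proof):
    node = h(leaf_preimage)
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

class Distributor:
    def __init__(self, root, campaign_credit):
        self.root, self.credit, self.claimed = root, campaign_credit, set()

    def claim(self, campaign_id, account, amount, proof):
        leaf = encode_leaf(campaign_id, account, amount)
        if not verify(self.root, leaf, proof) or leaf in self.claimed:
            return False                         # invalid proof or replayed claim
        if amount > self.credit:
            return False                         # allocation would be exceeded
        self.claimed.add(leaf)
        self.credit -= amount                    # credit maintained on every claim
        return True

    def refund(self):
        remaining, self.credit = self.credit, 0  # only the unclaimed remainder is returned
        return remaining
```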
From a security perspective, we consider that the SmartRewardDistributor will interact only with standard EIP-20 tokens that do not permit re-entrancy, do not rebase, and do not impose fees on transfer, based on the whitelist it enforces.
In relation to the Algebra Integral integration, we validated its code segments in accordance with the Algebra Integral implementation and identified that the present plugin integration may become insecure if the plugin of a pool is updated, a trait permitted by the Algebra Integral codebase.
We advise the Steer Protocol team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Steer Protocol team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Steer Protocol and have identified that all exhibits have either been acknowledged or alleviated. To note, two exhibits that pertain to the security of the system have been marked as acknowledged based on the secure operation of the Steer Protocol's off-chain infrastructure, in detail: SRD-02M, SRD-06M.
No outstanding exhibits remain in the codebase and we consider all outputs of the audit report properly assimilated by the Steer Protocol team.
Post-Audit Conclusion (9ea550ff0d)
The Steer Protocol team produced a follow-up commit whereby the IntegralMultiPositionLiquidityManager::getPositions function was updated to the legacy position structure, and the SmartRewardsDistributor::claim function was updated to accommodate a potential out-of-gas error that would result from a claim that would normally continue.
We confirmed the alleviation for the out-of-gas error in the SmartRewardsDistributor::claim function as well as the backward compatibility of the IntegralMultiPositionLiquidityManager::getPositions structure; the latest commit therefore inherits all security guarantees inferred by the previous audit iteration.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| | 2 | 1 | 0 | 1 |
| | 18 | 18 | 0 | 0 |
| | 1 | 1 | 0 | 0 |
| | 3 | 2 | 0 | 1 |
| | 1 | 1 | 0 | 0 |
During the audit, we filtered and validated a total of 3 findings utilizing static analysis tools and identified a total of 22 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch, as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: