Omniscia Tangible Audit
Cross Chain Rebasing Token Security Audit
Audit Report Revisions
Commit Hash | Date | Audit Report Hash |
---|---|---|
0354f63edd | November 23rd 2023 | d25bb39c67 |
0354f63edd | November 23rd 2023 | f213e5aaa6 |
47fbf62bbb | November 23rd 2023 | db8944cb16 |
c98ea3cb77 | November 24th 2023 | 7e98a3f2ed |
c98ea3cb77 | November 24th 2023 | 3f0aebd9c0 |
0a603a528f | January 31st 2024 | a2109b57d6 |
Audit Overview
We were tasked with performing an audit of the Tangible codebase and in particular their cross-chain LayerZero rebasing token implementation meant to power their specialized USTB token.
Over the course of the audit, we identified a significant flaw in relation to how cross-chain transfers are consumed as well as an EIP-20 discrepancy that could affect off-chain code.
We advise the Tangible team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them, as well as to consider all optimization exhibits identified in the report.
Post-Audit Conclusion
The Tangible team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Tangible and have identified that a single optimization has been improperly applied. We advise the Tangible team to revisit the following exhibit: NLA-01C.
Post-Audit Conclusion (c98ea3cb77)
The Tangible team proceeded with applying the optimization described in exhibit NLA-01C correctly.
We consider all outputs of the audit report properly consumed by the Tangible team, concluding this audit engagement.
Post-Audit Conclusion (0a603a528f)
The Tangible team expanded their test suite and identified a flaw in the contract's book-keeping while executing transfers between opted out and opted in accounts in either direction.
The updated commit hash reflects a correction of this flaw as well as a cross-chain transaction prevention check, a cross-chain receiver notification mechanism, and a total supply overflow sanity check.
We evaluated the updated commit and provided an informational list of recommended changes to the Tangible team via our direct communication channels, and the Tangible team proceeded with acknowledging them.
We did not identify any new vulnerabilities in the latest changes introduced and the latest referenced commit hash can be considered covered under this audit engagement.
Audit Synopsis
Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
---|---|---|---|---|
 | 0 | 0 | 0 | 0 |
 | 13 | 6 | 0 | 7 |
 | 0 | 0 | 0 | 0 |
 | 0 | 0 | 0 | 0 |
 | 3 | 3 | 0 | 0 |
During the audit, we filtered and validated a total of 1 finding utilizing static analysis tools and identified a total of 15 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: