Omniscia Vector Finance Audit

Core Protocol Security Audit

Audit Overview

We were tasked with auditing the codebase of Vector Finance and in particular their Platypus Finance interfacing protocol implementation with multiple complex staking and reward components.

Over the course of the audit we were able to pinpoint multiple significant vulnerabilities ranging from improper integration to incorrect unit neutralization that can compromise the system severely.

Additionally, we were able to pinpoint several gas optimizations that we advise the Vector Finance team to consider and potentially alleviate along with all vulnerabilities identified in the report.

Post-Audit Conclusion

The Vector Finance team remediated most of the exhibits outlined in the report and rendered some of them null due to the extensive refactor they performed on the latest iteration.

Namely, they adjusted the Locker's contract behaviour and they also adjusted the ComputeAPR contract by a wide margin, both of which should not be considered in scope of the audit.

Minor integration changes at the MasterChefVTX level were performed, however, the rest of the contract as well as any logic in the Locker contract that remained unaffected should be considered under scope of the audit and has had all of the issues dealt with, rendering it production ready.

Contracts Assessed

Files in ScopeRepositoryCommit(s)
Address.sol (ADD)smart-contractsf1512791d1,
9a2506435f
BaseRewardPool.sol (BRP)smart-contractsf1512791d1,
9a2506435f
ComputeAPR.sol (CAP)smart-contractsf1512791d1,
9a2506435f
ERC20.sol (ERC)smart-contractsf1512791d1,
9a2506435f
Locker.sol (LOC)smart-contractsf1512791d1,
9a2506435f
MathUtil.sol (MUL)smart-contractsf1512791d1,
9a2506435f
MainStaking.sol (MSG)smart-contractsf1512791d1,
9a2506435f
MasterChefVTX.sol (MCV)smart-contractsf1512791d1,
9a2506435f
Ownable.sol (OWN)smart-contractsf1512791d1,
9a2506435f
SafeMath.sol (SMH)smart-contractsf1512791d1,
9a2506435f
SafeERC20.sol (SER)smart-contractsf1512791d1,
9a2506435f
baseERC20.sol (CON)smart-contractsf1512791d1,
9a2506435f
poolHelper.sol (POO)smart-contractsf1512791d1,
9a2506435f
vtx.sol (VTX)smart-contractsf1512791d1,
9a2506435f
xPTP.sol (PTP)smart-contractsf1512791d1,
9a2506435f

Audit Synopsis

SeverityIdentifiedAlleviatedPartially AlleviatedAcknowledged
Informational201713
Minor10911
Medium8701
Major2200

During the audit, we filtered and validated a total of 4 findings utilizing static analysis tools as well as identified a total of 36 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.

pie title Total Issues "Major" : 2 "Medium" : 8 "Minor" : 10 "Informational" : 20

The list below covers each segment of the audit in depth and links to the respective chapter of the report: