Omniscia Vendor Finance Audit

Specialized Upgradeability Implementation Security Audit

Audit Overview

We were tasked with performing an audit of the Vendor Finance codebase, in particular their lending pool implementation coupled with the surrounding infrastructure that enables an NFT-based discount model on its pools.

Over the course of the audit, we identified multiple flaws in the pool implementation as well as surrounding infrastructure that we strongly advise the Vendor Finance team to deal with promptly.

We advise a close evaluation of all minor-and-above findings identified in the report and a swift remediation of them as well as the consideration of all optimizational exhibits identified in the report.

Post-Audit Conclusion

The Vendor Finance team addressed all exhibits identified in the report via a new commit they provided us with, which we evaluated as a delta from the originally audited commit. Supplemental material in the form of a PR was also provided, indicating why certain changes outside the scope of the audit were made to the codebase as well as why the VPF-05M exhibit was ultimately not addressed.

After a second round of remediations, the Vendor Finance team concluded the audit process by providing us with their own analysis of two exhibits in the report (LPI-03M & LPI-04M) which we assessed and validated as calculations performed as safely and fairly as possible.

Contracts Assessed

Files in Scope                        Repository        Commit(s)
Address.sol (ADD)                     vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
Context.sol (CON)                     vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
Initializable.sol (INI)               vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
LendingPoolImplementation.sol (LPI)   vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
Ownable.sol (OWN)                     vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
OwnableInit.sol (OIT)                 vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
SafeERC20.sol (SER)                   vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
VendorOracle.sol (VOE)                vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
VendorFeesManager.sol (VFM)           vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
VendorPoolFactory.sol (VPF)           vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50
VendorLicenseEngine.sol (VLE)         vendor-contracts  34efef84ed, 7f69d82a90, a7dbb55c50

Audit Synopsis

Severity        Identified   Alleviated   Partially Alleviated   Acknowledged
Unknown         3            3            0                      0
Informational   17           17           0                      0
Minor           9            8            0                      1
Medium          5            5            0                      0
Major           1            1            0                      0

During the audit, we filtered and validated a total of 8 findings utilizing static analysis tools and identified a further 27 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

[Chart: Total Issues by severity. Unknown: 3, Informational: 17, Minor: 9, Medium: 5, Major: 1]

The list below covers each segment of the audit in depth and links to the respective chapter of the report: