Omniscia Tokemak Network Audit

Capital Management Protocol Security Audit

We were tasked with auditing the contracts of Tokemak, in particular their core protocol contracts, which implement a set of pools, staking solutions and more. The scope included the self-sufficient portion of the protocol's contracts and did not cover the DeFi interactions occurring within them, i.e. the controllers.

Overall, the codebase conforms to standard Solidity programming conventions; however, we did identify a lack of upgradeability-aware development, particularly in the way storage slots are defined. We strongly urge that any contract meant to be upgradeable inherit from a single "base" contract that defines all relevant storage slots used throughout, in order to prevent storage collisions.
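As an added illustration that is not code from this report or from Tokemak, the hypothetical Solidity layout below shows the storage collision that an insertion into an upgradeable contract causes behind a proxy, and the single-base-contract pattern that avoids it; every contract and variable name here is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical names only: none of these contracts belong to Tokemak.
// A proxy keeps storage across upgrades, so the logic contract's slot
// layout must only ever be appended to, never reordered.

// --- Risky pattern: each version declares its own storage in place ---
contract StakingV1 {
    address public owner;        // slot 0
    uint256 public totalStaked;  // slot 1
}

// An upgrade that inserts a variable above totalStaked shifts it to slot 2.
// Behind the proxy, rewardRate now reads the old totalStaked value and
// totalStaked reads zero: the accounting is silently corrupted.
contract StakingV2Broken {
    address public owner;        // slot 0
    uint256 public rewardRate;   // slot 1 (was totalStaked)
    uint256 public totalStaked;  // slot 2 (uninitialised)
}

// --- Recommended pattern: one base contract owns the whole layout ---
// Every logic contract inherits ProtocolStorage first, so all versions
// share one ordering. New fields are appended and taken from the gap.
abstract contract ProtocolStorageV1 {
    address internal _owner;        // slot 0
    uint256 internal _totalStaked;  // slot 1
    uint256[48] private __gap;      // slots 2..49 reserved for upgrades
}

abstract contract ProtocolStorageV2 {
    address internal _owner;        // slot 0 (unchanged)
    uint256 internal _totalStaked;  // slot 1 (unchanged)
    uint256 internal _rewardRate;   // slot 2 (taken from the gap)
    uint256[47] private __gap;      // gap shrinks by one; total stays 50
}

contract StakingV2Safe is ProtocolStorageV2 {
    function totalStaked() external view returns (uint256) {
        return _totalStaked;        // still slot 1 after the upgrade
    }

    function rewardRate() external view returns (uint256) {
        return _rewardRate;
    }
}
```

Comparing the two base contracts' layouts (for example with the compiler's `storageLayout` output) before each upgrade is the check that catches an accidental reordering.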

During the audit, we uncovered primarily minor and medium issues that we believe should be remediated, along with a major vulnerability in the DefiRound contract that can lead to a significant loss of funds.

During the audit, we filtered and validated a total of 9 findings using static analysis tools, and identified a total of 27 findings during the manual review of the codebase. We strongly recommend that all findings of minor severity or higher are dealt with prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: