Omniscia XFai Audit

Amplify Contracts Security Audit

We were tasked with auditing the codebase of XFai Labs, and in particular their XFai Amplify implementation, a SushiSwap-based staking contract that lets users provide one-sided liquidity to the native token pools.

Over the course of the audit, we were able to identify several inaccuracies as well as potential attack vectors that we strongly urge the XFai team to promptly remediate as we cannot consider the current version of the codebase production-ready.

The system is composed of a base contract that contains the utility functions needed to convert one-sided liquidity into an LP pair. We advise the XFai team to mark this contract as abstract, since it assumes that the token being transacted is the XFai token but provides no guarantee that this is actually the case.

Overall, the concept of the XFai team is novel yet contains flaws that need to be dealt with urgently to ensure that the final output of the project will be as secure as possible.

As a side note, the XFai repository exposes the Alchemy and Etherscan API keys it uses; we strongly urge the XFai team to deprecate those keys, generate new ones and keep them out of the public repository.

After relaying the preliminary report to the XFai team, we deduced that certain points originally identified as flaws were intended behaviour. The XFai team remediated most of the findings pointed out by the report, rendering the codebase of the project production-ready and conformant to the latest security guidelines.

During the audit, we filtered and validated a total of 3 findings using static analysis tools and identified a further 19 findings during the manual review of the codebase. We strongly recommend that all findings of minor severity or higher are dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploitable conditions.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: