Saddle Finance

Off-Chain (Private)
Audited on 2020/12/09
No active critical issues

Summary

Quantstamp has performed a security review of the Saddle Finance implementation of StableSwap. It is important to note that this implementation is ported from `SwapTemplateBase.vy` in the Curve Finance contracts, which was used as a reference during the review. In total, 14 security issues spanning all severity levels were identified, along with a few deviations from the specification, code documentation issues and best practice issues. Due to the poor documentation, we were not able to determine how the developers derived some of the implemented formulas from the StableSwap whitepaper. Additionally, we noticed that all tests in the current test suite use exactly 2 tokens in the pool. We strongly recommend adding more tests that use 3 or more tokens and addressing all identified issues before deploying the code in production.

**Update:** Quantstamp has reviewed the changes to the code corresponding to commit hash `5a56e24` and has updated the status of all 14 issues which were previously identified. Additionally, we have identified 4 new issues in the newly added code. These new issues were added after the existing issues, and their identifiers range from QSP-15 to QSP-18.

**Update:** Quantstamp has reviewed the changes to the code corresponding to commit hashes `ebec9fd`, `759c028`, `33baaaa`. The main focus of these iterations was improving the existing test suite to verify the impact of QSP-15 and the newly added QSP-19.


Issues (19)

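| Status    | Low | Medium | High | Critical | Total |
|-----------|-----|--------|------|----------|-------|
| Not fixed | 5   | 2      | -    | -        | 7     |
| Fixed     | 9   | 2      | 1    | -        | 12    |
| Total     | 14  | 4      | 1    | 0        | 19    |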


Contracts (16)