Level Finance
Summary
**Update**: The high severity issues were fixed, barring LEV-1 which is marked as "Mitigated" as it warrants more work. We highly recommend the Level Finance team continue to work on documentation and tests. <br><br> **Initial audit**: Quantstamp performed an audit for the Level Finance project based on the code present in the listed repositories. We also reviewed the on-chain configuration for the deployed contracts around the time of the writing of this report. <br><br> Level Finance is a perpetuals exchange offering zero price impact trading as a key feature. It is marketed as offering traders the ability to trade position sizes up to 30 times the collateral deposited in both long and short directions. <br><br> The codebase is layered, using transactions that use multiple external calls at times. The `Pool` contract houses the liquidity for the protocol, its functions providing the means by which funds flow in and out in tandem with the associated accounting. Users can add and remove liquidity, as well as swap tokens directly with the `Pool` contract. However, traders who wish to take long and short positions with leverage must go through an external contract called `OrderManager`. Limit and market orders can be placed through `OrderManager`, and keeper bots call functions which execute these queued orders. <br><br> Level Finance also relies on an oracle contract to receive its price data. A keeper bot manages this oracle, posting price data every time an order is due to be executed, and every two minutes otherwise. Price data is streamed from Coinbase and Binance, and is validated within the contract to be within a certain price range determined by the Chainlink oracle’s posted price. <br><br> Throughout the course of the audit, 33 issues were found, with six of them being high severity. Perhaps most notably, the audited commit contained practically no test suite whatsoever. However, it was simply the case that the tests that were written were not yet published, and they were pushed to the public repository in commit `d218605`. Nonetheless, as noted in the issue, coverage remains unsatisfactory, and we strongly suggest that full coverage be in place for a contract as integral to the system as `Pool`. <br><br> Some other concerning issues found are related to the accounting surrounding short positions. It is very important that short positions are globally limited in size, as their profits have a direct negative impact on the holdings of the protocol -- should the profits be large enough, they may cause the protocol to be stuck in an error state as users try to remove liquidity. <br><br> Notably, due to the zero price impact guarantee offered by Level Finance, the protocol is vulnerable to an exploit detailed in LEV-4. A trader may engage in trades that will be a guaranteed loss for Level Finance's liquidity providers. This type of attack can be at least mitigated by limiting long and short position sizes, but one can see from the on-chain configuration that long and short position sizes are not limited for Level Finance. <br><br> Moreover, although the protocol does come with a [documentation website](https://docs.level.finance/), there is a distinct lack of detailed technical documentation. For a protocol of this size and complexity, it is important for the developers to provide this documentation for an audit. To account for this, we engaged in extensive communication with the Level Finance team to resolve our higher-level questions and concerns. However, this type of communication can never make up for the detailed explanations and guidance commonly provided by thorough technical documentation. The audit was impaired as a result. <br><br> Finally, we are concerned with the security posture of the Level Finance team. Contracts have been upgraded numerous times without auditing the new code. We recommend that future changes to the code undergo external review before upgrading contracts that are already in production. <br><br> **Notes on risks for users** In traditional finance, the word "tranche" is used to refer to securities that are grouped based on certain characteristics. Perhaps the most common are those used in the securitization of debt obligations. Senior tranches are typically regarded as the least risky, junior tranches are the most risky, and mezzanine tranches are in between. It's common that in the event of the issuer's bankruptcy or liquidation, senior tranches are paid out before the others. <br><br> It is important to note that Level Finance's use of the word "tranche" does not come with the above sort of guarantee. Instead, it refers to the way in which funds of different token types are divided up between different liquidity provider classes. The senior tranche will have no exposure to CAKE, i.e., if CAKE goes up or down in value, or the CAKE holdings of the `Pool` changes, the senior tranche's LP tokens will be worth the same amount.
Issues (32)
Low | Medium | High | Critical | Total | |
|---|---|---|---|---|---|
Not fixed | 14 | 3 | 1 | - | 18 |
Fixed | 8 | 2 | 4 | - | 14 |
| Total | 22 | 5 | 5 | 0 | 32 |