Quantstamp has performed a security audit of the AlphaHomoraV2 project. During auditing, we found fifteen potential issues of various levels of severity: four high-severity issues, two medium-severity issues, four low-severity issues, four informational-severity findings, and one undetermined-severity finding. We also made eleven best-practice recommendations. Overall, the code comments are good for this project. The documentation of the project is insufficient, and the quality of the audit could be largely improved if there were more specifications describing all the intended behaviors and precision requirements. The inclusion of extensive tests and/or formal methods to assure quality and intended behavior would also help. Normally attackers would use fuzzing techniques to find holes in any smart contract logic with substantial value locked. Avoiding custom arithmetic such as hand-written fixed-point arithmetic, and using existing implementations or standards instead, would also help increase security. Solidity Coverage does not work due to the project setup. We strongly recommend that the Alpha team find a way to fix this and obtain a code coverage report showing that all coverage values are at least 90% before going live, to reduce the risk of functional bugs in the code. To summarize, given the dense logic, many integrations, oracle logic, borrowing, many new features and sparse documentation, there are very likely still issues that we were not able to find. Quantstamp has on a best-efforts basis identified 15 total issues, with 3 auditors performing audits side by side; however, we highly suggest getting more reviews before launching v2. In particular, we suggest writing many more tests and checking for edge cases in the business logic, especially around the integrations.

**Disclaimer**: The project scope.
Quantstamp was requested to audit only `HomoraBank.sol`, everything in the `oracle` folder, and everything in the `spell` folder. **2021-01-13 update**: during this re-audit, the Alpha team has brought every finding to either fixed or acknowledged status. A number of new files were added to this commit and were not included in the scope of the audit. It is worth noting that there are still no unit tests and no coverage report for this project.
| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 5 | - | - | - | 5 |
| Fixed | 4 | 2 | 4 | - | 10 |
| Total | 9 | 2 | 4 | 0 | 15 |