DerivaDEX 2

Off-Chain (Private)
Audited on 2023/09/09
No active critical issues

Summary

DerivaDEX is a DEX project that uses the diamond proxy pattern, which allows the contract to be extended flexibly by registering new "facets". The following audited facets were written by the DEX Labs team and are intended for potential inclusion in the DerivaDEX project via governance. The facets reviewed in this audit are: `Banner.sol`, `Checkpoint.sol`, `Collateral.sol`, `Custodian.sol`, `FundedInsuranceFund.sol`, `Registration.sol`, `Reject.sol`, `Specs.sol` and `Stake.sol`. During this audit, we reviewed the listed facets and the library functions used in those facets.

The project's code base is nicely written, well modularized, and thoroughly documented with NatSpec. The Jupyter documentation is also impressive, providing details that explain each concept and contract. However, we noticed that the team uses low-level assembly code in the libraries, and `LibStack.sol` in particular is quite dangerous. Also, due to the complexity of the DEX logic itself, we found several issues during the audit. We recommend fixing all reported problems.

**Fix update**: The DEX Labs team fixed most of the reported issues and best-practice items. We want to highlight some of the acknowledged matters: QSP-5, QSP-7, and QSP-17. The risk of those issues is relatively low, but future code changes and audits should re-examine the problems related to replay attacks and empty values in the Sparse Merkle Tree. Lastly, we noticed a new informational issue regarding the usage of `SafeMath` after the Solidity version upgrade. The team acknowledged it after we brought the matter up.


Issues (23)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 9 | 2 | - | - | 11 |
| Fixed | 9 | 1 | 2 | - | 12 |
| Total | 18 | 3 | 2 | 0 | 23 |


Contracts (99)