Naos-Formation
Summary
During the engagement, a high level overview of the system was provided to the auditing team, but the specification isn't complete in the technical level. We have identified a total of 16 issues, ranging from Medium to Informational Risk. Overall, the system would benefit from adding checks to the return values of external protocol and user inputs. Notably, the system uses deprecated Chainlink api and doesn't check validity of the data, which brings the risk of stale oracle price. The lack of check also made it possible to add the same adapter to the system multiple times. Lastly, due to the existence of `flushActiveVault()`and how it's used, we recommend to be cautious when integrating with external protocols and make sure the assumptions hold. We recommend addressing all issues before using the code in production. Update: As per `c125272`, Naos team provided fixes and acknowledgements for the issues. QSP-1 is partially fixed as it is still possible to migrate to the same adapter, if the adapter was not the last adapter.
Issues (16)
Low | Medium | High | Critical | Total | |
|---|---|---|---|---|---|
Not fixed | 2 | 2 | - | - | 4 |
Fixed | 11 | 1 | - | - | 12 |
| Total | 13 | 3 | 0 | 0 | 16 |