Nayms is a decentralized insurance marketplace built on the Diamond (EIP-2535 multi-facet proxy) architecture. The project is organized in three layers: facets, libraries, and storage. Facets are the external entry points of the contract, libraries implement the business logic, and all application data lives in a single storage struct, `AppStorage`. The audit scope covers the contracts under `src/diamonds/nayms/*`. The team focused on whether the changes made since the [previous audit](https://certificate.quantstamp.com/full/nayms.pdf) by Quantstamp (commit #96adf68) introduced new threats.

We found several issues; the main ones concern the new mechanism for upgrading the system, the way dividends are managed, the payment of premiums, and the representation of internal objects by `bytes32` identifiers.

Regarding project quality, the code was easy to follow and used consistent patterns, and the test quality is good. Regarding documentation, users can easily find general information about the project, but we identified discrepancies between the documentation and the code, and the new system upgrade mechanism is not yet documented.

During the audit our team frequently interacted with the Nayms team to clarify code and expected behavior; their active engagement in answering our questions was crucial to completing the audit.

Finally, we want to highlight the importance of following key-management best practices for the admin addresses, and of revisiting the security guidelines for the Diamond pattern whenever the code is modified.

**Fix Review Update** All issues have been addressed: each was fixed, mitigated, or acknowledged. Most of the best-practice and documentation issues were fixed, and extra tests have been added.

**Deployment audit** Quantstamp performed a deployment review of the Nayms system. In this review we examined the deployment script, the deployed contracts, and the privileged roles set on-chain, looking for anything that could compromise the integrity of the deployment. We observed several issues that require further attention. First, the bytecode obtained by compiling the code differs depending on the build machine, so it does not always match the deployed bytecode; this could lead to unexpected behavior. Second, some code changes were made outside the scope of our previous review, and some of them raise new concerns. Finally, the dependency graphs and the on-chain roles raised some unclear points and potential concerns. These issues need to be addressed to ensure the security and reliability of the project, and we recommend that the team implements the necessary measures promptly. The additional review resulted in 5 vulnerability issues and 1 code-documentation issue, which can be found in this report by searching for the tag "[Deployment Audit]". All of these issues have been addressed: they were all acknowledged.
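One common cause of bytecode that differs between build machines is the metadata trailer: solc appends a CBOR-encoded map (containing the IPFS hash of the metadata JSON and the compiler version) to the runtime bytecode, and because the metadata JSON includes source paths and compiler settings, the hash and therefore the last bytes of the bytecode change from machine to machine even when the executable code is identical. The following Python is an added example, not code from the Quantstamp report or the Nayms repository; it shows the check a deployment reviewer would run to tell a metadata-only difference from a real code difference. The prologue bytes, IPFS hashes and compiler version it uses are constructed sample values.

```python
# Added example (not code from the Quantstamp report or the Nayms repository).
# Compares deployed runtime bytecode against a local build while separating out the
# trailing Solidity metadata section, which is the part that legitimately varies
# between build machines.
#
# solc appends a CBOR map to the runtime bytecode and follows it with the map's
# length as a 2-byte big-endian integer.  With default settings the map is
# {"ipfs": <34-byte multihash of the metadata JSON>, "solc": <3-byte version>}.
from __future__ import annotations


def cbor_metadata(ipfs_hash: bytes, solc_version: bytes) -> bytes:
    """Build the metadata trailer as solc emits it for the default settings:
    CBOR map {"ipfs": ipfs_hash, "solc": solc_version} followed by its 2-byte length."""
    if len(ipfs_hash) != 34 or len(solc_version) != 3:
        raise ValueError("ipfs multihash must be 34 bytes, solc version 3 bytes")
    body = (
        b"\xa2"                                   # map(2)
        + b"\x64ipfs" + b"\x58\x22" + ipfs_hash   # text(4) "ipfs", bytes(34)
        + b"\x64solc" + b"\x43" + solc_version    # text(4) "solc", bytes(3)
    )
    return body + len(body).to_bytes(2, "big")    # 51-byte body + 0x0033


def split_metadata(runtime: bytes) -> tuple[bytes, bytes]:
    """Split runtime bytecode into (executable code, CBOR metadata body).

    The 2-byte length trailer is consumed and not returned.  If the tail does not
    look like a CBOR map (major type 5) the whole input is treated as code.
    """
    if len(runtime) < 2:
        return runtime, b""
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(runtime):
        return runtime, b""
    meta = runtime[-(meta_len + 2):-2]
    if (meta[0] >> 5) != 5:
        return runtime, b""
    return runtime[:-(meta_len + 2)], meta


def solc_version(meta: bytes) -> str | None:
    """Read the "solc" entry of a metadata body, e.g. "0.8.19"; None if absent."""
    key = b"\x64solc\x43"
    i = meta.find(key)
    if i < 0 or i + len(key) + 3 > len(meta):
        return None
    major, minor, patch = meta[i + len(key):i + len(key) + 3]
    return f"{major}.{minor}.{patch}"


def first_mismatch(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 if a == b."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def compare_runtime(deployed: bytes, local: bytes) -> dict:
    """Classify a deployed/local runtime pair.

    verdict:
      "identical"     byte-for-byte equal
      "metadata-only" executable code equal, only the metadata trailer differs
                      (the same source built on different machines)
      "code-mismatch" executable code differs: different source, compiler version
                      or settings; the deployment is not verified
    """
    d_code, d_meta = split_metadata(deployed)
    l_code, l_meta = split_metadata(local)
    if deployed == local:
        verdict = "identical"
    elif d_code == l_code:
        verdict = "metadata-only"
    else:
        verdict = "code-mismatch"
    return {
        "verdict": verdict,
        "code_mismatch_offset": first_mismatch(d_code, l_code),
        "deployed_solc": solc_version(d_meta),
        "local_solc": solc_version(l_meta),
    }


# Constructed sample values, not real Nayms bytecode: a common solc prologue
# (PUSH1 0x80 PUSH1 0x40 MSTORE CALLVALUE DUP1 ISZERO PUSH1 0x0f JUMPI ... JUMPDEST POP)
# and two metadata trailers that differ only in the IPFS hash.
SAMPLE_CODE = bytes.fromhex("6080604052348015600f57600080fd5b50")
SAMPLE_META_A = cbor_metadata(b"\x12\x20" + b"\x11" * 32, b"\x00\x08\x13")
SAMPLE_META_B = cbor_metadata(b"\x12\x20" + b"\x22" * 32, b"\x00\x08\x13")

if __name__ == "__main__":
    print(compare_runtime(SAMPLE_CODE + SAMPLE_META_A, SAMPLE_CODE + SAMPLE_META_B))
    print(compare_runtime(SAMPLE_CODE + SAMPLE_META_A,
                          SAMPLE_CODE[:-1] + b"\x00" + SAMPLE_META_A))
```

A "metadata-only" verdict means the executable code matches and the remaining difference is explained by the build environment; it is still worth confirming that both sides report the same compiler version and, where possible, rebuilding with the same settings and paths so the trailer matches too. A "code-mismatch" confined to 32-byte slots can be immutable variables, which solc leaves as placeholders in the local runtime output and fills in at deployment; anything else means the deployed contract is not the audited code and should be investigated before the deployment is accepted.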
| Status | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 16 | 2 | - | - | 18 |
| Fixed | 5 | 4 | 3 | - | 12 |
| Total | 21 | 6 | 3 | 0 | 30 |
| # | File Name |
|---|---|
| 11 | src/diamonds/shared/interfaces/IERC165.sol |
| 12 | src/diamonds/shared/facets/NaymsOwnershipFacet.sol |
| 13 | src/diamonds/shared/interfaces/IDiamondLoupe.sol |
| 14 | src/diamonds/nayms/facets/SystemFacet.sol |
| 15 | src/diamonds/shared/libs/LibDiamond.sol |
| 16 | src/diamonds/nayms/interfaces/IAdminFacet.sol |
| 17 | src/erc20/ERC20Wrapper.sol |
| 18 | src/diamonds/nayms/libs/LibTokenizedVault.sol |
| 19 | src/diamonds/nayms/facets/TokenizedVaultIOFacet.sol |
| 20 | src/erc20/IERC20.sol |