Primex Finance

Off-Chain (Private)
Audited on 2024/11/13
No active critical issues

Summary

PrimeX Finance aims to offer leveraged or spot trading on multiple decentralized exchanges (DEXs). Lenders have the option to provide liquidity to the "Buckets," allowing traders to borrow funds for leveraged trading. The position funds are held within the protocol's smart contract until they are closed and transferred. The proper functioning of the PrimeX trading market relies, in large part, on the "Keeper" role. These are users who trigger transactions when certain protocol conditions are met, e.g. liquidations, limit orders, stop losses. For market operations to function effectively, it is crucial to have a significant amount of computational power behind this role. Note that anybody can run their own Keeper, and the team plans on open-sourcing an implementation of a Keeper, but that code is completely outside of the scope of this audit.

The project exhibits a significant level of complexity, with various modules and components for interaction. While the code is relatively easy to follow, the inherent complexity introduces several risks, and we have identified several issues during our audit. Additionally, due to the large contract codebase, we observed that validations for specific variants may be scattered across different locations, making it challenging to ensure certain protections are in place. Despite these challenges, the project demonstrates a well-architected structure, incorporating several existing safeguards, such as the oracle price divergence check. Overall, we had a positive experience working with the PrimeX Finance team. They were highly responsive and provided prompt answers to any questions or clarifications we sought during the process. We strongly recommend addressing all issues. Each fix should ideally be accompanied by test cases verifying its resolution.

**Fix Review Update:** The PrimeX team has diligently addressed several fixes and changes, which we have reviewed. Their approach to resolving the issues demonstrates a high level of detail and precision. They have streamlined communication by providing us with comprehensive documentation and spreadsheets outlining all reported issues along with their corresponding pull requests. Additionally, they gave extensive, carefully reasoned responses when choosing to acknowledge and not address a particular issue. However, it is worth noting that some changes may be categorized as new features, even though they do, in fact, represent notable improvements. It is important to emphasize that this report exclusively reflects the status updates of the fixes to the issues originally included.

**Deployment Review Update:** Quantstamp conducted a deployment review for the PrimeX team, encompassing an examination of their deployment scripts, configurations, and on-chain values. Key areas of focus included verifying that the values used were reasonable and within expected parameters, confirming that authorization was correctly set to maintain security and access controls, and ensuring that the on-chain bytecode matched the codebase. Throughout the review process, we encountered instances where re-deployment was necessary due to bug fixes and upgrades. Additionally, the PrimeX team expressed their intention to implement a 'testing period', which would involve post-deployment actions executed at a later stage. Consequently, our review primarily focused on the originally deployed version, with a brief examination of on-chain changes to ensure consistency and accuracy. We initiated the review with the `c37b34ee` commit of the `primex_contracts` repository and `c840207` of the `primex_artifacts` repository. After a few fixes and the re-deployment, we later reviewed some of the deployment changes in the `0ae0630` commit of the `primex_contracts` repository and the `e00f8c1` commit of the `primex_artifacts` repository. In the later review, we focused mainly on sanity-checking that the on-chain dependencies are linked correctly and also checked the values on the newly deployed Buckets. The correctness and intention of the values were not re-reviewed, as those were covered in the initial deployment review. PRI-55 to PRI-59 represent our findings during the deployment review process, and the team has fixed or acknowledged all reported issues.

**Repository Migration/Cloning:** The PrimeX team duplicated the code from the `a3b0ce1` commit of the `primex_contracts` repository to a new repository named `primex-protocol` (accessible [here](https://github.com/primex-finance/primex-protocol)) with the commit `a8a22bcd2a`. We have duly confirmed that the contracts remain identical between the `a3b0ce1` commit of `primex_contracts` and the `a8a22bcd2a` commit of `primex-protocol`. Later, the PrimeX team also cloned the deployment artifacts from `primex_artifacts` to `primex-protocol` in `f9dee2f`. We checked the difference between the latest commit of `primex_artifacts` (`7b0dab8b`, see: [link](https://github.


Issues (59)

| Status    | Low | Medium | High | Critical | Total |
|-----------|-----|--------|------|----------|-------|
| Not fixed | 17  | 6      | -    | -        | 23    |
| Fixed     | 23  | 10     | 3    | -        | 36    |
| Total     | 40  | 16     | 3    | 0        | 59    |


Contracts (13)