Between 03.01.2022 and 14.01.2022 the Ackee Blockchain Security Team successfully performed the audit of Zunami protocol. After the audit, Ackee Blockchain recommended a re-audit, and the re-audit was performed between 16.02.2022 and 18.02.2021. The whole auditing process was performed with a total time donation of 12 engineering days. 

Zunami protocol is a multi-chain revenue aggregator for stablecoins that generate profits within the existing market using risk-free assets. 

How does the Zunami protocol work?

Zunami uses Transaction Streamlining Mechanism (TSM), reducing the commissions for individual transactions by accumulating users’ funds in one batch and distributing it according to Zunami’s strategies.

The Zunami protocol selects the most profitable strategies by monitoring APY data and making calculations. Then, the user’s funds are sent to Curve, and LP tokens are staked on Convex Finance or Yearn Finance.

Accumulated rewards in the DeFi protocol are automatically sold, and the profits are reinvested for the auto-compounding effect.

If you want to learn more about the Zunami protocol please visit the official Zunami’s documentation here.

A summary of the audit and its findings follows up.

Our audit methodology for Zunami protocol consisted of:

  1. Technical specification/documentation – a brief overview of the system is requested from the client, and the audit scope is defined.
  2. Tool-based analysis – deep check with automated Solidity analysis tools is performed.
  3. Manual code review is checked line by line for common vulnerabilities, code duplication, best practices, and the code architecture is reviewed.
  4. Local deployment + hacking – contracts are deployed locally, and we try to attack the system and break it.
  5. Unit testing – run unit tests to ensure that the system works as expected. Potentially we write our unit tests for specific suspicious scenarios.

In the beginning, we’ve defined the following main objectives of the audit at the start of the auditing process:

  • Check the activity on the GitHub repository.
  • Review the code quality, architecture, and best practices.
  • Check for vulnerabilities if nobody can steal funds or damage contracts.
  • Validate algorithms and math calculations for misbehaviors.
  • Check if the contracts’ owner is not overpowered.

What were our findings?

Using our toolset, manual code review, and unit testing, we’ve identified 3 low severity issues, 9 medium severity issues, 1 high severity issue, and 2 critical severity issues.

High severity issues are security vulnerabilities, which require specific steps and conditions to be exploited, or bugs that make a system unusable or unreliable. These issues had to be fixed.

Critical severity issues are direct critical security threats that could be instantly misused to attack the system and lead to the direct loss of user funds. These issues had to be fixed immediately. 

 

Based on our audit report, the Zunami team responsibly took four weeks to resolve the audit findings.

As we mentioned above, we agreed on a re-audit which was completed on 18.02.2022. In the re-audit, we reviewed whether all the findings have been fixed. 

The Zunami team correctly fixed all issues discovered in the first audit, and the codebase also improved between two audit revisions. We discovered only one new minor issue.

We were delighted to audit Zunami protocol– a multi-chain revenue aggregator for stablecoins. We are looking forward to working with them again. Because of the high number and severity of discovered findings we recommend regular audits in the future.

The full Ackee Blockchain audit report is here:
Zunami Protocol/AckeeBlockchain-audit