The IPOR (Inter-Protocol Offered Rate) protocol works as a weighted index average of several different borrowing and lending sources. To achieve a completely decentralized system, handling and selecting the most relevant sources would be done via the IPOR Decentralized Autonomous Organization (DAO). Transparent mathematical formulas calculate the weighted average.

The IPOR team engaged Ackee Blockchain to perform a security review of parts of the Ipor protocol, specifically IporToken and Ipor mining, between October 17 and November 9, 2022 for Revision 1.0. This report covers the IporToken contract. The fix review (Revision 1.1) was done on November 21 on the given commit: a1a3657 in a public repository.

METHODOLOGY

We began our review using static analysis tools, namely Slither and Woke. We then took a deep dive into the logic of the contracts. 

During the review, we paid particular attention to:

  • ensuring the arithmetic of the system is correct,
  • detecting possible reentrancies in the code,
  • ensuring access controls are not too relaxed or too strict,
  • looking for common issues such as data validation,
  • ensuring the token handling logic is correct.

SCOPE 

We performed a security review of parts of the Ipor protocol, specifically IporToken and Ipor mining (John and PowerIpor contracts). The audit was performed on commit 01c08c3. At the client’s request, the report was divided into two parts. This report covers the IporToken contract only. The fix review (Revision 1.1) was done on the given commit: a1a3657 in a public repository.

FINDINGS

Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

No high severity issues were found.

Medium severity

No medium severity issues were found.  

Low severity

No low severity issues were found. 

Warning severity 

W1: Usage of solc optimizer

Informational severity 

I1: Redundant inheritance of Ownable

CONCLUSION

Our review resulted in 2 findings ranging from Info to Warning severity. No actual threat was found in the protocol, and most issues concern code performance and quality.

We recommended that IPOR:

  • improve the code quality by adding NatSpec documentation,
  • pay more attention to the code performance and gas usage,
  • address all reported issues.

Update: During Report Revision 1.1 no significant changes were performed in the contract, and no new vulnerabilities were found. One reported issue was fixed, and the second one was acknowledged.

Ackee Blockchain’s full IPOR protocol audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit IPOR and look forward to working with them again.