The IPOR (Inter-Protocol Offered Rate) protocol works as a weighted index average of several different borrowing and lending sources. Handling and selecting the most relevant sources would be done via the IPOR Decentralized Autonomous Organization (DAO) to achieve a completely decentralized system. Transparent mathematical formulas calculate the weighted average.

The IPOR team engaged Ackee Blockchain to perform a security review of parts of the Ipor protocol, specifically IporToken and Ipor mining, between October 17 and November 9, 2022.

UPDATE: The Fix review 1.1 report was released on November 21, 2022, the Fix review 1.2 report on December 23, 2022, and a protocol naming update on January 27, 2023.

METHODOLOGY

We began our review using static analysis tools, namely Slither and Woke. We then took a deep dive into the logic of the contracts. During the review, we paid particular attention to:

  • ensuring the arithmetic of the system is correct,
  • detecting possible reentrancies in the code,
  • ensuring access controls are not too relaxed or too strict,
  • looking for common issues such as missing data validation,
  • ensuring the token handling logic is correct.

After the manual review of the core codebase, we turned our attention to the mathematical libraries, specifically the ABDK quadruple-precision library. For this part of the audit, we implemented differential fuzz tests to observe the behavior of the mathematical functions under randomized inputs.
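The harness below is an added example of the differential-fuzzing approach described above; it is not code from the audit or from the IPOR repositories. The audit fuzzed the Solidity ABDK quadruple-precision (binary128) library. Python has no binary128 type, so the lossy "candidate" here is an assumed stand-in that routes floor(a * b / c) through a 34-significant-digit decimal float (roughly what a 113-bit mantissa holds), while the reference is exact integer arithmetic. The function names, the 32-bit versus 128-bit input widths and the boundary corpus are all the example's own choices. What it shows is the shape of such a test: an exact oracle, a lossy implementation, boundary plus seeded random inputs, and a report of the worst divergence, which is how "library inconsistencies" of the kind the review mentions surface.

```python
"""Differential fuzzing of a fixed-point math routine against an exact reference.

Added example for this write-up, not code from the audit or from the IPOR
repositories. The lossy candidate is a stand-in for "convert to quad, compute,
convert back"; the harness shape (oracle, candidate, corpus, worst-case report)
is the part that carries over to a real Solidity target.
"""
import random
from dataclasses import dataclass
from decimal import Decimal, ROUND_FLOOR, localcontext
from typing import Callable, Iterator, List, Optional, Tuple

Sample = Tuple[int, int, int]  # (a, b, c) for floor(a * b / c)


def mul_div_exact(a: int, b: int, c: int) -> int:
    """Reference oracle: floor(a * b / c) in unbounded integer arithmetic."""
    return (a * b) // c  # c == 0 raises ZeroDivisionError, like an EVM revert


def mul_div_float34(a: int, b: int, c: int) -> int:
    """Candidate (assumed stand-in): the same computation via a 34-digit float,
    rounded after each operation, then floored back to an integer."""
    with localcontext() as ctx:
        ctx.prec = 34
        q = (Decimal(a) * Decimal(b)) / Decimal(c)  # Decimal(int) itself is exact
    return int(q.to_integral_value(rounding=ROUND_FLOOR))


@dataclass
class FuzzReport:
    samples: int
    mismatches: int
    max_abs_diff: int
    worst: Optional[tuple]  # (inputs, reference_result, candidate_result)


def boundary_values(bits: int) -> List[int]:
    """Edge-case corpus: the usual fixed-point boundaries for a `bits`-wide input."""
    top = 2**bits - 1
    wad = 10**18  # 18-decimal fixed point, the scale such protocols convert from
    candidates = [0, 1, 2, top // 2, top - 1, top, wad - 1, wad, wad + 1]
    return sorted({v for v in candidates if v <= top})


def sample_inputs(bits: int, iterations: int, seed: int) -> Iterator[Sample]:
    """Boundary combinations first, then uniformly random `bits`-wide integers.
    The divisor is never zero: division by zero is a revert path, not a precision question."""
    rng = random.Random(seed)  # fixed seed: a failing sample must be reproducible
    bvals = boundary_values(bits)
    for a in bvals:
        for b in bvals:
            for c in bvals:
                if c != 0:
                    yield (a, b, c)
    for _ in range(iterations):
        yield (rng.randrange(2**bits), rng.randrange(2**bits), rng.randrange(1, 2**bits))


def differential_fuzz(reference: Callable[..., int], candidate: Callable[..., int],
                      inputs: Iterator[Sample], tolerance: int = 0) -> FuzzReport:
    """Run both implementations on every sample and record any divergence larger
    than `tolerance` (in result units); keep the worst sample for triage."""
    samples = mismatches = max_diff = 0
    worst = None
    for s in inputs:
        samples += 1
        ref, got = reference(*s), candidate(*s)
        diff = abs(ref - got)
        if diff > tolerance:
            mismatches += 1
            if diff > max_diff:
                max_diff, worst = diff, (s, ref, got)
    return FuzzReport(samples, mismatches, max_diff, worst)


def run(bits: int, iterations: int = 200, seed: int = 1) -> FuzzReport:
    """Fuzz the float path against the exact path on `bits`-wide inputs."""
    return differential_fuzz(mul_div_exact, mul_div_float34,
                             sample_inputs(bits, iterations, seed))


if __name__ == "__main__":
    for width in (32, 128):
        rep = run(width)
        print(f"{width:>3}-bit inputs: {rep.samples} samples, "
              f"{rep.mismatches} mismatches, max |diff| = {rep.max_abs_diff}")
        if rep.worst:
            (a, b, c), ref, got = rep.worst
            print(f"    worst: a={a} b={b} c={c}\n    exact={ref}\n    float={got}")
```

With 32-bit inputs the product never exceeds the float's precision and the report stays clean; with 128-bit inputs the 34-digit path drops the low digits of the product and the floor of the quotient diverges from the exact value by far more than one unit, which is exactly the class of discrepancy a differential fuzzer is meant to surface before a contract relies on the result. Against a real Solidity library the candidate would be the contract function called through a testing framework such as Woke (the Python-based tool named above), with the oracle still computed in Python; the harness shape does not change.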

SCOPE 

We performed a security review of parts of the Ipor protocol, specifically IporToken and Ipor mining (the John and PowerIpor contracts). The audit was performed on commit 01c08c3. At the client's request, the report was divided into two parts; this report covers the John and PowerIpor contracts.

FINDINGS

Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

H1: Inability to unstake when the contract runs out of rewards

Medium severity

M1: Reclaiming renounced ownership

M2: Renounce ownership risk

M3: Non-programmatic approach for setting constants

Low severity

No low severity issues were found. 

Warning severity 

W1: Usage of solc optimizer

Informational severity 

I1: Unnecessary usage of post-inc

I2: Inconsistent definition of iterator variables in for loops

I3: Variables should be declared as constants

I4: Lack of zero-amount check

I5: Unnecessary use of _msgSender()

I6: Confusing function name

I7: Unnecessary variables creation

I8: Incorrect initialization pattern

I9: Usage of memory instead of calldata

I10: Reading length of an array in for loop

I11: Redundant use of SafeERC20 library

I12: Lack of robust contract composition

I13: Require should be assert

I14: The owner can prevent unstaking from John

I15: Code duplication

I16: Comment quality

CONCLUSION

Our review resulted in 21 findings, ranging from Informational to High severity. No actual threat to the protocol was found, and most of the issues concern code performance and quality. The most significant concern is the trust model and the handling of the owner role (see M1: Reclaiming renounced ownership and M2: Renounce ownership risk).

We recommended that IPOR:

  • carefully handle the owner role,
  • improve the code quality by adding NatSpec documentation,
  • pay more attention to the code performance and gas usage,
  • investigate further the ABDK library inconsistencies,
  • address all other reported issues.

Update: 

Revision 1.1 

The fix review was done on November 21 on commit 9b963ee.

The status of all reported issues has been updated; the acknowledged issue includes the client's comments.

Revision 1.2

Based on the Twitter post, the Ipor team found that the same problematic behavior could appear in the protocol. Ackee Blockchain was asked to cooperate on the investigation and on fixing the vulnerability.

The codebase was moved to the new repository IPOR-Labs/ipor-power-tokens, and fix review 1.2 was performed on commit c4eeca4 on December 22, 2022.

The status of all reported issues has been updated; the acknowledged issue includes the client's comments.

Revision 1.3

The Ipor liquidity mining protocol was changed from the standpoint of syntax: some contracts and variables were renamed and other slight cosmetic changes were introduced. On January 27, 2023, the Ipor team engaged Ackee Blockchain with the request to update the report to reflect those changes.

The time allocation for the review was 4 hours.

The goal of this revision was to check the changes and confirm that they introduced no semantic changes relative to Revision 1.2, so that the previous audit remains relevant for the newer version of the protocol.

The protocol review was done on the main branch at commit 64e303a.

It is important to note that no functional testing of the contracts was done; the review was performed only on the diff against the last reviewed version.

The changed files were examined using a diff tool and no semantic changes were discovered, i.e. the protocol should function the same as in the previous iteration.

Ackee Blockchain’s full IPOR protocol audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit IPOR and look forward to working with them again.