Overnight Finance is an asset management protocol offering passive yield products based on delta-neutral strategies, primarily for conservative stablecoin investors.
Overnight Finance engaged Ackee Blockchain to perform a security review of the Core of the protocol, with a total time donation of 10 engineering days between January 23 and February 3, 2023, and a security review of the specific strategy contract, with a total time donation of 6 engineering days between February 1 and February 10, 2023.
METHODOLOGY
We began our review by using static analysis tools, namely Slither and Woke.
We then took a deep dive into the logic of the contracts.
For testing, we used the Woke testing framework and an Anvil development chain with a forked mainnet.
During the review, we paid special attention to:
- checking whether the strategy is susceptible to sandwich attacks
- ensuring the arithmetic of the system is correct
- detecting possible reentrancies in the code
- ensuring access controls are not too relaxed or too strict
- looking for common issues such as data validation.
SCOPE
The audit was performed on commit e7d61fa of a private repository, and the scope was the following:
- StrategyUs3UsdcWeth.sol
- UniswapV3StakeLibrary.sol
- AaveV3BorrowLibrary.sol
FINDINGS
Here we present our findings.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
M1: Missing data validation
M2: Usage of deprecated function
M3: Empty receive
Low severity
No low severity issues were found.
Warning severity
W1: Usage of solc optimizer
Informational severity
I1: Borrow module is missing implementation for claiming rewards
I2: Documentation
I3: Unused function parameter
CONCLUSION
Our review resulted in 7 findings, ranging from Info to Medium severity.
Since the scope was only the strategy contract and two of its dependencies, we treated the other components as a black box. We also recommend performing an audit of the other components, namely the BalanceMath contract, which is important for correct functionality, and the contracts containing public entrypoints for strategy contracts.
We recommended that Overnight Finance:
- write a more exhaustive test suite
- create proper documentation
- address all other reported issues.
Ackee Blockchain’s full Overnight Finance Core of the protocol audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Overnight Finance and look forward to working with them again.