Overview

Security Assessment (Summary Report) - March 28, 2024

Audit Scope

The smart contracts audited can be found on the main branch in the repository: intuition-tob-audit

Security Assessment (Summary Report) - March 28, 2024

No high severity issues found

Protocol deposit fees unaccounted for in createAtom
- Severity: Medium
- Fixed in: commit#edc4584
Triple identifiers can contain hash collisions
- Severity: Medium
- Fixed in: PR#33
Atom equity should be calculated on raw asset amounts
- Severity: Medium
- Fixed in: commit#028748d
Distributing atom equity should not include protocol fees
- Severity: Medium
- Fixed in: commit#028748d
Asset accounting should not be reduced by minShare
- Severity: Medium
- Fixed in: PR#36

createAtomCompressed allows creating duplicate atoms with the same URI
- Fixed in: commit#4d0b2ba from PR#30
Upgrade could lead to mismatch in atom wallet address prediction
- Fixed in: PR#38
createAtom mints sharesForZeroAddress twice
- Fixed in: commit#edc4584
EthMultiVault should not receive ether donations
- Fixed in: PR#24
Atom wallets can be created before the atom is created
- Fixed in: PR#29
Atom URI data is unbounded
- Fixed in: PR#32

Salt contains superfluous address(this)
- Fixed in: PR#27
Unbound storage reads in getVaultStates
- Fixed in: PR#25
EthMultiVault is missing ERC-4626 functionality
- Status: Addressed in comments
Redundant and ineffective reinitialization check
- Fixed in: PR#28
Impossible condition
- Fixed in: PR#26
Distributing atom equity should not mint new shares to receiver
- Fixed in: PR#39
getVaultStates does not retrieve counter vaults
- Fixed in: PR#25
Excessive duplicate code
- Fixed in: PR#30
Admin can bypass fee setter limits
- Fixed in: PR#34
Minting ghost shares is unnecessary to prevent share inflation attacks
- Status: Removed from report
Code Quality
- Fixed in: PR#40 and PR#41
[Weak Maturity] Decentralization
- Fixed in: PR#42 and PR#45
[Weak Maturity] Arithmetic
- Status: Addressed in comments

Last updated: April 3, 2024