Trail of Bits
Audit Open Original ↗

Frax

Type

Security review

Client

Frax Finance

Date

2021-05

Domain

Blockchain

Effort

4 wks

Section

Frax Finance

Trail of Bits's security review of Frax Finance (May 2021) identified 27 issues: 7 high, 5 low, 11 informational, and 4 undetermined.

Findings · 27

  1. 1 Transfers of collateral tokens can silently fail, causing a loss of funds High
  2. 2 Lack of two-step process for critical operations High
  3. 3 Missing events for critical operations Informational
  4. 4 Inconsistent use of the term “governance” Informational
  5. 5 Lack of zero check on functions Informational
  6. 6 Lack of return value check in veFXS may result in failed ERC20 token recovery Low
  7. 7 Lack of return value check in FXS may result in unexpected behavior Informational
  8. 8 Solidity compiler optimizations can be problematic Informational
  9. 9 Initialization functions can be front-run High
  10. 10 Lack of return value check in CurveAMO_V3 may result in failed collateral retrieval High
  11. 11 Lack of contract existence check on delegatecall will result in unexpected behavior High
  12. 12 Aragon’s voting contract does not follow voting best practices High
  13. 13 Two-block delay may not deter whale activity Informational
  14. 14 Ether can be deposited into CurveAMO_V3 but not retrieved from it Low
  15. 15 Contracts used as dependencies do not track upstream changes Low
  16. 16 External calls in loops may result in denial of service Informational
  17. 17 Lack of contract and user documentation Informational
  18. 18 Use of Solidity arithmetic may result in integer overlows Informational
  19. 19 Curve AMO assumes the collateral ratio to be constant Undetermined
  20. 20 isContract() may behave unexpectedly Informational
  21. 21 Risks related to CurveDAO architecture High
  22. 22 Pool deployment will fail if collateral token has more than 18 decimals Low
  23. 23 One-to-one minting and redeeming operations have diferent collateral ratio requirements Undetermined
  24. 24 Use of non-production-ready ABIEncoderV2 Undetermined
  25. 25 Lack of return value check in Investor AMO contract Low
  26. 26 Diferences between public repository, deployed contracts, and private repository Informational
  27. 27 Owners and governance can set fees and other parameters to any value Undetermined

Findings extracted from the published report PDF. See the full report below for details and remediation.

Related