Trail of Bits

Umee

Type: Security review

Client: Umee

Date: 2022-02

Domain: Blockchain

Effort: 8 wks

Section: Tendermint/Cosmos

Trail of Bits's security review of Umee (Feb 2022) identified 35 issues: 6 high, 9 medium, 6 low, 8 informational, and 6 undetermined.

Findings · 35

  1. Integer overflow in Peggo's deploy-erc20-raw command (Informational)
  2. Rounding of the standard deviation value may deprive voters of rewards (Low)
  3. Vulnerabilities in exchange rate commitment scheme (Low)
  4. Validators can crash other nodes by triggering an integer overflow (High)
  5. The repayValue variable is not used after being modified (Undetermined)
  6. Inconsistent error checks in GetSigners methods (Informational)
  7. Incorrect price assumption in the GetExchangeRateBase function (High)
  8. Oracle price-feeder is vulnerable to manipulation by a single malicious price feed (High)
  9. Oracle rewards may not be distributed (Informational)
  10. Risk of server-side request forgery attacks (Medium)
  11. Incorrect comparison in SetCollateralSetting method (High)
  12. Voters' ability to overwrite their own pre-votes is not documented (Informational)
  13. Lack of user-controlled limits for input amount in LiquidateBorrow (Medium)
  14. Lack of simulation and fuzzing of leverage module invariants (Medium)
  15. Attempts to overdraw collateral cause WithdrawAsset to panic (Low)
  16. Division by zero causes the LiquidateBorrow function to panic (Low)
  17. Architecture-dependent code (Informational)
  18. Weak cross-origin resource sharing settings (Informational)
  19. price-feeder is at risk of rate limiting by public APIs (Medium)
  20. Lack of prioritization of oracle messages (Medium)
  21. Risk of token/uToken exchange rate manipulation (High)
  22. Collateral dust prevents the designation of defaulted loans as bad debt (Low)
  23. Users can borrow assets that they are actively using as collateral (Undetermined)
  24. Providing additional collateral may be detrimental to borrowers in default (Informational)
  25. Insecure storage of price-feeder keyring passwords (Medium)
  26. Insufficient validation of genesis parameters (Low)
  27. Potential overflows in Peggo's current block calculations (Informational)
  28. Peggo does not validate Ethereum address formats (Undetermined)
  29. Peggo takes an Ethereum private key as a command-line argument (Medium)
  30. Peggo allows the use of non-local unencrypted URL schemes (Medium)
  31. Lack of prioritization of Peggo orchestrator messages (Undetermined)
  32. Failure of a single broadcast Ethereum transaction causes a batch-wide failure (Undetermined)
  33. Peggo orchestrator's IsBatchProfitable function uses only one price oracle (Medium)
  34. Rounding errors may cause the module to incur losses (High)
  35. Outdated and vulnerable dependencies (Undetermined)

Findings extracted from the published report PDF. See the full report below for details and remediation.