Trail of Bits

wALGO

Type: Security review
Client: StakerDao
Date: 2020-11
Domain: Blockchain
Effort: 4 wks
Section: Algorand

Trail of Bits's security review of StakerDao (Nov 2020) identified 14 issues: 8 high, 2 medium, 3 low, and 1 informational.

Findings · 14

  1. Anyone can update or delete the app-vault (High)
  2. Lack of clear state program check allows any vault to be drained (High)
  3. Missing RekeyTo on mint operations allows vault owner to withdraw all the Algo from the vault (High)
  4. Missing RekeyTo on burn operations allows vault owner to withdraw all the Algo from the vault (High)
  5. Minter can be abused to avoid paying the burned wAlgo (High)
  6. Incorrect vault bytecode usage (High)
  7. Code does not match (High)
  8. Undocumented privileged operations (High)
  9. Anyone can burn all the minter’s Algo (Medium)
  10. With no fee consideration for burning operations the system is undercollateralized (Medium)
  11. Attackers can prevent a user from opening a vault (Low)
  12. Bad practices for exception handling in the test suite (Low)
  13. Insufficient testing coverage (Low)
  14. Hardcoded ASA_ID value is error-prone (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.
