IPOR (Inter-Protocol Offered Rate) protocol works as a weighted index average of several different borrowing and lending sources. Handling and selecting the most relevant sources would be done via IPOR Decentralized Autonomous Organization (DAO) to achieve a complete decentralized system. The transparent mathematical formulas calculate a weighted average.

IPOR team engaged Ackee Blockchain to perform a security review of the Ipor protocol parts, specifically IporToken and Ipor mining, within a period between October 17 and November 9, 2022

UPDATE: There were release Fix review 1.1 report on November 21, 2022, Fix review 1.2 report on December 23, 2022 and Protocol naming update on January 27, 2023.


We began our review using static analysis tools, namely Slither and Wake. We then took a deep dive into the logic of the contracts. During the review, we paid particular attention to:

  • ensuring the arithmetic of the system is correct,
  • detecting possible reentrancies in the code,
  • ensuring access controls are not too relaxed or too strict,
  • looking for common issues such as data validation,
  • ensuring the token handling logic is correct.

After the manual review of the core codebase, we moved our attention to the mathematical libraries, specifically ABDK library for quadruple precision. For this part of the audit, we implemented differential fuzz tests to observe the behavior of the mathematical functions under randomized conditions. 


We performed a security review of the Ipor protocol parts, specifically IporToken and Ipor mining (John and PowerIpor contracts). The audit has been performed on the commit 01c08c3. At the client’s request, the report was divided into two parts. This report covers John and PowerIpor contracts.


Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

H1: Inability to unstake when the contract runs out of rewards

Medium severity

M1: Reclaiming renounced ownership

M2: Renounce ownership risk

M3: Non-programatic approach for setting constants

Low severity

No low severity issues were found. 

Warning severity 

W1: Usage of solc optimizer

Informational severity 

I1: Unnecessary usage of post-inc

I2: Inconsistent definition of iterator variables in for loops

I3: Variables should be declared as constants

I4: Lack of zero-amount check

I5: Unnecessary use _msgSedner()

I6: Confusing function name Info 1.0 Fixed

I7: Unnecessary variables creation

I8: Incorrect initialization pattern

I9: Usage of memory instead of calldata

I10: Reading length of an array in for loop

I11: Redundant use of SafeERC20 library

I12: Lack of robust contract composition

I13: Require should be assert

I14: The owner can prevent unstaking from John

I15: Code duplication

I16: Comment quality


Our review resulted in 21 findings, ranging from Info to High severity. In the protocol, no actual thread has been found, and most of the issues are about the code performance and quality. The most severe one is a trust model and handling the ownership role (see M1: Reclaiming renounced ownership or M2: Renounce ownership risk).

We recommended IPOR to:

  • carefully handle the owner role,
  • improve the code quality by adding NatSpec documentation,
  • pay more attention to the code performance and gas usage,
  • investigate further the ABDK library inconsistencies,
  • address all other reported issues.


Revision 1.1 

The fix review was done on November 21 on the given commit: 9b963ee.

The status of all reported issues has been updated, the acknowledged issue contains the client’s comments.

Revision 1.2

Based on the twitter post, The Ipor team finds that the same problematic behavior can appear in the protocol. Ackee Blockchain was asked to cooperate with the investigation and fix the vulnerability. 

The codebase was moved to the new repository IPOR-Labs/ipor-power-tokens and fix review 1.2 was performed on the commit c4eeca4 on December 22, 2022.

The status of all reported issues has been updated, the acknowledged issue contains the client’s comments.

Revision 1.3

The Ipor liquidity mining protocol was changed from the standpoint of syntax; some contracts and variables were renamed and other slight cosmetical changes were introduced. The Ipor team engaged Ackee Blockchain with the request to update the report to reflect those changes on January 27, 2023.

The time allocation for the review was 4 hours.

The goal of this revision was to check the changes and confirm that they introduced no semantical changes relative to the Revision 1.2 and that the previous audit is relevant even for the newer version of the protocol.

The protocol review was done on the main branch and the commit: 64e303a.

It is important to note that no functional testing of the contracts was done, the review was performed only on the diff against the last reviewed version.

The changed files were examined using a diff tool and no semantical changes were discovered, i.e. the protocol should function the same as in the previous iteration.

Ackee Blockchain’s full IPOR protocol audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit IPOR and look forward to working with them again.