37dccabf5aa3697dce5eaf6457debb3ac7404fdd<\/code>, the hack<\/a> was performed by a donation (price manipulation) into strategy MimCurveStakeDAO (step 3<\/a>) that was first added in commit 6df0ae533a718a34df70984d745cc2d70fb7172d<\/code>, 28,296 additions ahead of this audit.<\/p>\nZunami Protocol<\/a> is a multi-chain revenue aggregator for stablecoins<\/strong> that generate profits within the existing market using risk-free assets.\u00a0<\/span><\/p>\nIt uses Transaction Streamlining Mechanism (TSM), reducing the commissions for individual transactions by accumulating users’ funds in one batch<\/strong> and distributing it according to Zunami’s strategies.<\/span><\/p>\n ![\"\"](\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2022\/02\/Sni\u0301mek-obrazovky-2022-02-22-v-14.55.57-1.png\")
<\/span><\/p>\nThe Zunami Protocol selects the most profitable strategies<\/strong> by monitoring APY data and making calculations. Then, the users’ funds are sent to <\/span>Curve<\/span><\/a>, and LP tokens are staked on <\/span>Convex Finance<\/span><\/a> or <\/span>Yearn Finance<\/span><\/a>.<\/span><\/p>\nAccumulated rewards in the DeFi protocol are automatically sold, and the profits are reinvested for the auto-compounding effect.<\/span><\/p>\nTo learn more about the <\/span>Zunami Protocol, read the official\u00a0documentation<\/strong><\/span>\u00a0here<\/strong><\/span><\/a>.<\/span><\/p>\nAbout the audit<\/h4>\n\n\n\n\nAckee Blockchain security team, engaged by Zunami Protocol, performed an audit<\/a> of several contracts between January 3 and January 14, 2022<\/strong>. The entire audit process was conducted with a total time donation of 12 engineering days<\/strong>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\nAt the beginning of the\u00a0audit<\/span>, the\u00a0following\u00a0main objectives\u00a0<\/b>were defined:<\/p>\n\n- Check the activity on the GitHub repository.<\/span><\/li>\n
- Review the code quality, architecture, and best practices.<\/span><\/li>\n
- Check for vulnerabilities if nobody can steal funds or damage contracts.<\/span><\/li>\n
- Validate algorithms and math calculations for misbehaviors.<\/span><\/li>\n
- Check if the contract’s owner is not overpowered.<\/span><\/li>\n<\/ul>\n
The audit methodology for Zunami Protocol consisted of:<\/p>\n
\n\n\n\n\n- Technical specification\/documentation<\/strong> – a brief overview of the system is requested from the client, and the audit scope is defined.<\/li>\n
- Tool-based analysis<\/strong> – deep check with automated Solidity analysis tools is performed.<\/li>\n
- Manual code review<\/strong> – the code is checked line by line for common vulnerabilities, code duplication, best practices, and the code architecture is reviewed.<\/li>\n
- Local deployment + hacking<\/strong> – contracts are deployed locally, and we try to aack the system and break it.<\/li>\n
- Unit testing<\/strong> – run unit tests to ensure that the system works as expected. Potentially we write our unit tests for specific suspicious scenarios.<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
Findings<\/b><\/h4>\n
Using the toolset, manual code review, and unit testing led to\u00a0the following\u00a0<\/b>findings<\/b><\/a>:<\/p>\n\n- L1: Inconsistent iteration statement syntax\u00a0<\/span><\/li>\n
- L2: Hardcoded token index<\/span><\/li>\n
- L3: Confusing modifier naming<\/span><\/li>\n
- M1: Unused virtual keyword<\/span><\/li>\n
- M2: Public functions can be external<\/span><\/li>\n
- M3: State variable could be local<\/span><\/li>\n
- M4: Missing const<\/span><\/li>\n
- M5: Unused variables<\/span><\/li>\n
- M6: Code duplication<\/span><\/li>\n
- M7: Interface issues<\/span><\/li>\n
- M8: Unintended feature – Renounce ownership<\/span><\/li>\n
- M9: Missing const<\/span><\/li>\n
- H1: Management fee rewriting<\/span><\/li>\n
- C1: Bug in the logic – wrong pool id<\/span><\/li>\n
- C2: Rewriting deposit amounts<\/span><\/li>\n<\/ul>\n
![\"\"](\"https:\/\/raw.githubusercontent.com\/RektHQ\/Assets\/main\/images\/2023\/01\/zunami-steps.png\")
<\/span><\/p>\n