{"id":490,"date":"2023-03-14T13:40:06","date_gmt":"2023-03-14T11:40:06","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=490"},"modified":"2024-05-16T13:19:03","modified_gmt":"2024-05-16T11:19:03","slug":"overnight-finance-usd-and-ets-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/overnight-finance-usd-and-ets-audit-summary\/","title":{"rendered":"Overnight Finance: USD+ and ETS Audit Summary"},"content":{"rendered":"<p><a href=\"https:\/\/overnight.fi\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Overnight Finance<\/span><\/a><span style=\"font-weight: 400;\"> is an <\/span><b>asset management protocol<\/b><span style=\"font-weight: 400;\"> offering passive yield products based on <\/span><b>delta-neutral strategies<\/b><span style=\"font-weight: 400;\">, primarily for conservative stablecoin investors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><strong>Overnight Finance<\/strong> engaged Ackee Blockchain to perform <strong>a security review<\/strong> of the <\/span><a href=\"https:\/\/2173993027-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F9HhCCgYexXiRot0OWAJY%2Fuploads%2FCKqeV09QHnfTVum3rtBd%2Fabch-ovn-core-report.pdf?alt=media&amp;token=2eb0419d-4695-43a0-ba2f-f3caebfc75b4\" target=\"_blank\" rel=\"noopener\"><b>Core of the protocol <\/b><\/a><span style=\"font-weight: 400;\">with a total time donation of <\/span><b>10<\/b><span style=\"font-weight: 400;\"><strong> engineering days<\/strong> in a period between January 23 and February 3, 2023 and to perform <strong>a security review<\/strong> of the <\/span><a href=\"https:\/\/2173993027-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F9HhCCgYexXiRot0OWAJY%2Fuploads%2FPQRbG4kNgPUy27VqNsuR%2Fabch-ovn-ets-report.pdf?alt=media&amp;token=040c4794-3917-459c-9bc6-9a178918d660\" target=\"_blank\" rel=\"noopener\"><b>specific strategy contract<\/b><\/a><span style=\"font-weight: 
400;\"> with a total time donation of <\/span><b>6<\/b><span style=\"font-weight: 400;\"><strong> engineering days<\/strong> in a period between February 1 and February 10, 2023.<\/span><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review by using <\/span><b>static analysis tools<\/b><span style=\"font-weight: 400;\">, namely <\/span><a href=\"https:\/\/github.com\/crytic\/slither\" target=\"_blank\" rel=\"noopener\"><b>Slither<\/b><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/github.com\/Ackee-Blockchain\/woke\" target=\"_blank\" rel=\"noopener\"><b>Wake<\/b><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We then took a deep dive into the <strong>logic of the contracts<\/strong>.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For testing, we used the <\/span><strong><a title=\"Woke, development &amp; testing framework for Solidity\" href=\"https:\/\/ackeeblockchain.com\/blog\/woke-our-development-and-testing-framework-for-solidity\/\">Wake<\/a><\/strong><span style=\"font-weight: 400;\"><strong> testing framework<\/strong> and the <strong>Anvil<\/strong> development chain with a forked mainnet.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">During the review, we paid special attention to:\u00a0<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> checking whether the strategy is susceptible to <strong>sandwich attacks<\/strong><\/span><\/li>\n<li><span style=\"font-weight: 400;\"> ensuring the <strong>arithmetic<\/strong> of the system <strong>is correct<\/strong><\/span><\/li>\n<li><span style=\"font-weight: 400;\"> detecting possible <strong>reentrancies<\/strong> in the code<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> ensuring <strong>access controls<\/strong> are not too relaxed or too strict<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> looking for <strong>common issues<\/strong> such as data 
validation.<\/span><\/li>\n<\/ul>\n<h4><b>SCOPE<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">The audit was performed on commit <code>e7d61fa<\/code> of a private repository, and the scope was the following:\u00a0<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> StrategyUs3UsdcWeth.sol\u00a0<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> UniswapV3StakeLibrary.sol\u00a0<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> AaveV3BorrowLibrary.sol<\/span><\/li>\n<\/ul>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our <\/span><span style=\"font-weight: 400;\">findings<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.<\/span><\/p>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">M1: Missing data validation\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">M2: Usage of deprecated function\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">M3: Empty receive\u00a0<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.<\/span><\/p>\n<h5><b>Warning severity\u00a0<\/b><\/h5>\n<p>W1:<span style=\"font-weight: 400;\"> Usage of <\/span><code>solc<\/code><span style=\"font-weight: 400;\"> optimizer\u00a0<\/span><\/p>\n<h5><b>Informational severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">I1: Borrow module is missing implementation for claiming rewards<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I2: Documentation<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I3: Unused function parameter\u00a0<\/span><\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in <strong>7 findings<\/strong>, 
ranging from <strong>Info<\/strong> to <strong>Medium<\/strong> severity.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Since the scope was <strong>only the strategy contract<\/strong> and <strong>two of its dependencies<\/strong>, we treated other components as <strong>a black box.<\/strong> We also recommend performing an audit of other components, namely the <strong>BalanceMath<\/strong> contract, which is important for correct functionality, and the contracts containing public entrypoints for strategy contracts.<\/span><\/p>\n<p><b>We recommended that Overnight Finance:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">write a more exhaustive test suite<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">create proper documentation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">address all other reported issues.<\/span><\/li>\n<\/ul>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>Overnight Finance Core of the protocol<\/i><\/b><b> audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/2173993027-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F9HhCCgYexXiRot0OWAJY%2Fuploads%2FPQRbG4kNgPUy27VqNsuR%2Fabch-ovn-ets-report.pdf?alt=media&amp;token=040c4794-3917-459c-9bc6-9a178918d660\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> Overnight Finance<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overnight Finance is an asset management protocol offering passive yield products based on delta-neutral strategies, primarily for conservative stablecoin investors. 
Overnight Finance engaged Ackee Blockchain to perform a security review of the Core of the protocol with a total time donation of 10 engineering days in a period between January 23 and February 3, 2023 and to perform a security review of&hellip;<\/p>\n","protected":false},"author":15,"featured_media":491,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,80,103],"tags":[21,24,122,104],"class_list":["post-490","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-solidity","category-wake","tag-audit","tag-ethereum","tag-overnight-finance","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/03\/Overnight-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/03\/Overnight-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=490"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/490\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/491"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=490"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=490"},{"taxonomy":"post_tag","embeddable":true,"href":"htt
ps:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}