{"id":508,"date":"2023-05-30T10:45:27","date_gmt":"2023-05-30T08:45:27","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=508"},"modified":"2024-05-16T12:48:17","modified_gmt":"2024-05-16T10:48:17","slug":"ipor-poweripor-liquiditymining-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/ipor-poweripor-liquiditymining-audit-summary\/","title":{"rendered":"IPOR: PowerIpor, LiquidityMining audit summary"},"content":{"rendered":"<p><a href=\"https:\/\/www.ipor.io\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">IPOR<\/span><\/a><span style=\"font-weight: 400;\"> (Inter-Protocol Offered Rate) is a protocol that works as a weighted index average of several different borrowing and lending sources. Handling and selecting the most relevant sources is to be done by the IPOR Decentralized Autonomous Organization (DAO) to achieve a completely decentralized system. Transparent mathematical formulas calculate the weighted average.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The IPOR team engaged Ackee Blockchain to perform a security review of parts of the Ipor protocol, specifically <strong>IporToken<\/strong> and<strong> Ipor mining<\/strong>, within a period between <\/span><b>October 17<\/b><span style=\"font-weight: 400;\"> and <\/span><b>November 9<\/b><span style=\"font-weight: 400;\">, <strong>2022<\/strong>.\u00a0<\/span><\/p>\n<p><b>UPDATE:<\/b><span style=\"font-weight: 400;\"> The <strong>Fix review 1.1<\/strong> report was released on <strong>November 21, 2022<\/strong>, the <strong>Fix review 1.2<\/strong> report on<strong> December 23, 2022<\/strong>, and the protocol naming update on <strong>January 27, 2023<\/strong>.<\/span><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review using static analysis tools, namely Slither and <a href=\"https:\/\/ackeeblockchain.com\/blog\/woke-our-development-and-testing-framework-for-solidity\/\">Wake<\/a>. 
We then took a deep dive into the logic of the contracts. During the review, we paid particular attention to:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> ensuring the arithmetic of the system is correct,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> detecting possible reentrancies in the code,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> ensuring access controls are neither too relaxed nor too strict,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> looking for common issues such as missing data validation,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> ensuring the token handling logic is correct.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">After the manual review of the core codebase, we moved our attention to the mathematical libraries, specifically the ABDK library for quadruple-precision arithmetic. For this part of the audit, we implemented differential fuzz tests to observe the behavior of the mathematical functions under randomized inputs.\u00a0<\/span><\/p>\n<h4><b>SCOPE<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We performed a security review of parts of the Ipor protocol, specifically IporToken and Ipor mining (the John and PowerIpor contracts). The audit was performed on commit 01c08c3. At the client\u2019s request, the report was divided into two parts. 
This report covers the John and PowerIpor contracts.<\/span><\/p>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our findings.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><b>H1: <\/b><span style=\"font-weight: 400;\">Inability to unstake when the contract runs out of rewards<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><b>M1:<\/b><span style=\"font-weight: 400;\"> Reclaiming renounced ownership<\/span><\/p>\n<p><b>M2: <\/b><span style=\"font-weight: 400;\">Renounce ownership risk<\/span><\/p>\n<p><b>M3:<\/b><span style=\"font-weight: 400;\"> Non-programmatic approach to setting constants<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.\u00a0<\/span><\/p>\n<h5><b>Warning severity\u00a0<\/b><\/h5>\n<p><b>W1: <\/b><span style=\"font-weight: 400;\">Usage of solc optimizer<\/span><\/p>\n<h5><b>Informational severity\u00a0<\/b><\/h5>\n<p><b>I1: <\/b><span style=\"font-weight: 400;\">Unnecessary usage of post-increment<\/span><\/p>\n<p><b>I2:<\/b><span style=\"font-weight: 400;\"> Inconsistent definition of iterator variables in for loops<\/span><\/p>\n<p><b>I3: <\/b><span style=\"font-weight: 400;\">Variables should be declared as constants<\/span><\/p>\n<p><b>I4: <\/b><span style=\"font-weight: 400;\">Lack of zero-amount check<\/span><\/p>\n<p><b>I5: <\/b><span style=\"font-weight: 400;\">Unnecessary use of _msgSender()<\/span><\/p>\n<p><b>I6:<\/b><span style=\"font-weight: 400;\"> Confusing function name<\/span><\/p>\n<p><b>I7:<\/b><span style=\"font-weight: 400;\"> Unnecessary variable creation<\/span><\/p>\n<p><b>I8:<\/b><span style=\"font-weight: 400;\"> Incorrect initialization pattern<\/span><\/p>\n<p><b>I9:<\/b><span 
style=\"font-weight: 400;\"> Usage of memory instead of calldata<\/span><\/p>\n<p><b>I10: <\/b><span style=\"font-weight: 400;\">Reading the length of an array in a for loop<\/span><\/p>\n<p><b>I11:<\/b><span style=\"font-weight: 400;\"> Redundant use of SafeERC20 library<\/span><\/p>\n<p><b>I12:<\/b><span style=\"font-weight: 400;\"> Lack of robust contract composition<\/span><\/p>\n<p><b>I13:<\/b><span style=\"font-weight: 400;\"> Require should be assert<\/span><\/p>\n<p><b>I14:<\/b><span style=\"font-weight: 400;\"> The owner can prevent unstaking from John<\/span><\/p>\n<p><b>I15:<\/b><span style=\"font-weight: 400;\"> Code duplication<\/span><\/p>\n<p><b>I16: <\/b><span style=\"font-weight: 400;\">Comment quality<\/span><\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in <\/span><b>21 findings<\/b><span style=\"font-weight: 400;\">, ranging from <\/span><i><span style=\"font-weight: 400;\">Info<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">High<\/span><\/i><span style=\"font-weight: 400;\"> severity. No actual threat to the protocol was found, and most of the issues concern code performance and quality. 
The most serious concern is the trust model and the handling of the owner role (see M1: Reclaiming renounced ownership and M2: Renounce ownership risk).<\/span><\/p>\n<p><b>We recommended that IPOR:<\/b><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> carefully handle the owner role,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> improve the code quality by adding NatSpec documentation,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> pay more attention to code performance and gas usage,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> further investigate the ABDK library inconsistencies,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> address all other reported issues.<\/span><\/li>\n<\/ul>\n<p><b>Update:\u00a0<\/b><\/p>\n<p><b>Revision 1.1<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The fix review was done on<\/span><b> November 21<\/b><span style=\"font-weight: 400;\"> on commit 9b963ee.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The status of all reported issues has been updated; the acknowledged issue contains the client\u2019s comments.<\/span><\/p>\n<p><b>Revision 1.2<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Based on the<\/span> <a href=\"https:\/\/twitter.com\/paradigmeng420\/status\/1601873034054279169?s=46&amp;t=3qccfbaPb8Ee7YpATZKM5Q\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Twitter post<\/span><\/a><span style=\"font-weight: 400;\">, the IPOR team found that the same problematic behavior could appear in the protocol. 
Ackee Blockchain was asked to cooperate on the investigation and on fixing the vulnerability.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The codebase was moved to the new repository IPOR-Labs\/ipor-power-tokens, and fix review 1.2 was performed on commit c4eeca4 on December 22, 2022.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The status of all reported issues has been updated; the acknowledged issue contains the client\u2019s comments.<\/span><\/p>\n<p><b>Revision 1.3<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The Ipor liquidity mining protocol was changed from the standpoint of syntax: some contracts and variables were renamed and other slight cosmetic changes were introduced. The IPOR team engaged Ackee Blockchain with the request to update the report to reflect those changes <\/span><b>on January 27, 2023<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The time allocation for the review was 4 hours.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The goal of this revision was to check the changes and confirm that they introduced no semantic changes relative to Revision 1.2, and that the previous audit remains relevant for the newer version of the protocol.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The protocol review was done on the main branch at commit 64e303a.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It is important to note that no functional testing of the contracts was done; the review was performed only on the diff against the last reviewed version.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The changed files were examined using a diff tool and no semantic changes were discovered, i.e. 
the protocol should function the same as in the previous iteration.<\/span><\/p>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>IPOR protocol<\/i><\/b><b> audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/drive.google.com\/file\/d\/1sM2YLOIyHO5_5YBENIPV10kwu20dso01\/view\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> IPOR<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IPOR (Inter-Protocol Offered Rate) protocol works as a weighted index average of several different borrowing and lending sources. Handling and selecting the most relevant sources would be done via IPOR Decentralized Autonomous Organization (DAO) to achieve a complete decentralized system. The transparent mathematical formulas calculate a weighted average. IPOR team engaged Ackee Blockchain to perform a security review of the Ipor protocol&hellip;<\/p>\n","protected":false},"author":15,"featured_media":510,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80,103],"tags":[21,24,110,104],"class_list":["post-508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","category-wake","tag-audit","tag-ethereum","tag-ipor","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/05\/IPOR-Liquidity-Mining-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/05\/IPOR-Liquidity-Mining-600x600.png","author_info":{"display_name":"Aleksandra 
Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=508"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/508\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/510"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}