LEECH is a cross-chain protocol that enables multi-chain yield farming strategies.
Methodology
We started the review with static analysis tooling, including Wake. We then dived into the logic of the contracts. After writing simple unit tests, we prepared a manually derived differential forking fuzz test of the protocol implementation and its integration with external dependencies, including Velodrome V2 and Velodrome V3.
Scope
The audit was performed on the Velodrome V2 and Velodrome V3 strategies at commit ba2a75. The scope was as follows:
- contracts/core/LeechRouter.sol
- contracts/core/LeechSwapper.sol
- contracts/core/Banlist.sol
- contracts/core/Rewarder/Rewarder.sol
- contracts/strategies/BaseStrategy.sol
- contracts/strategies/farming/velodrome/StrategyVelodromeV2StableFarm.sol
- contracts/strategies/farming/velodrome/StrategyVelodromeV2StableChild.sol
- contracts/strategies/farming/velodromeV3/StrategyVelodromeV3StableFarm.sol
- contracts/strategies/farming/velodromeV3/StrategyVelodromeV3_USDC_LUSD.sol
- contracts/strategies/farming/velodromeV3/StrategyVelodromeV3_USDC_sDAI.sol
- contracts/strategies/farming/velodromeV3/StrategyVelodromeV3_USDC_sUSD.sol
A second revision was performed at commit caafd3, which included the fix for C1. A third revision was then performed at commit 4245d0, reviewing the fix for H1.
The severity of each security finding is determined by two dimensions: impact and likelihood. This two-dimensional classification helps clarify the seriousness of individual issues. For example, an issue whose impact would be rated medium but that can only be triggered by the team itself is generally downgraded, according to its likelihood, to a warning or informational severity rating.
The audit resulted in 32 findings in total, ranging from informational to critical severity. Twelve of them were identified using Wake static analysis; the detailed Wake output is included in the full audit report.
During the manual review, we focused on confirming that:
- external calls to untrusted contracts cannot be abused for reentrancy;
- cross-chain interactions are implemented correctly;
- the arithmetic of the internal accounting is correct;
- access control is neither too permissive nor too strict;
- token arithmetic inside the protocol matches the documentation and expectations;
- the integration with external dependencies is implemented correctly; and
- common issues such as missing data validation were checked for.
The most severe finding, C1, concerns the lack of atomicity in the cross-chain transactions executed by the protocol's LeechRouter. This critical vulnerability was found in the already deployed LEECH protocol contracts on several chains, including Optimism and Binance Smart Chain.
Ackee Blockchain Security initiated immediate responsible disclosure to LEECH as soon as the finding was identified. Thanks to LEECH's rapid response, all assets were protected by pausing cross-chain transactions.
Critical severity
C1: Lack of atomicity in cross-chain transactions
High severity
H1: Donation attack
Medium severity
M1: data.swapperAddress not validated in the withdraw function
M2: Initialization function is vulnerable to front-running
M3: strategy.poolShare property is not properly validated
Low severity
L1: No error is reported if the bridge is not configured
L2: Pool configuration data can be overwritten
L3: Oracle price feed data validation missing
L4: External interaction with Chainlink is not properly handled
L5: Two-step ownership transfer is not used
Warning severity
W1: Use of transfer instead of call
W2: Direct token balance checks with balanceOf(address(this)) pose a security risk
W3: Getter of pools does not return all members of the complex struct
W4: Unnecessary token swap in the withdrawal process
W5: Time periods overlap in reward distribution
W6: Account abstraction users cannot receive unused funds
W7: Missing storage gap
Informational severity
I1: console.log statement present in production code
I2: Unused custom error declaration
I3: Unused event declaration
I4: Autocompound function lacks access control
I5: Unused contract function
I6: Unused import
I7: Unused modifier
I8: Unused using for directive
I9: Redundant msg.sender role check in the pause function
I10: initializePosition functions in the Velodrome V3 strategies should be external
I11: Unused function parameters
I12: Inconsistent parameter naming in the setRoutes function of the Velodrome strategy
I13: Multiple integrations with code that does not exist in the codebase
I14: Unused interfaces and libraries
I15: Incorrect event name in NatSpec documentation
Trust model
Users must trust:
- the protocol Finalizer, an off-chain component that finalizes cross-chain transactions and is responsible for withdrawing all protocol funds; and
- the LEECH protocol team to correctly allocate yield rewards in the Rewarder contract, because there is no automatic reward collection mechanism.
Conclusion
The most severe finding, C1, concerns the lack of atomicity in the cross-chain transactions executed by the protocol's LeechRouter. This critical vulnerability was found in the already deployed LEECH protocol contracts on several chains, including Optimism and Binance Smart Chain.
Ackee Blockchain Security initiated immediate responsible disclosure to LEECH as soon as the finding was identified. Thanks to LEECH's rapid response, all assets were protected by pausing cross-chain transactions.
Ackee Blockchain Security recommends that LEECH:
- reconsider the design of cross-chain transactions in the protocol;
- ensure that all Chainlink feed registry contracts maintained by LEECH provide the latest price feeds and comply with the expected behavior;
- avoid using .balanceOf(address(this)) and instead calculate token amounts directly; and
- address all other reported issues.
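As an added illustration of finding W2 and of the recommendation above (example code written for this summary, not LEECH's contracts), the first contract below ties its share accounting to balanceOf(address(this)), so any token transfer made directly to the contract address silently shifts the exchange rate between shares and assets. The second contract keeps its own ledger of deposited assets and treats anything beyond the ledger as surplus. The contract names, the totalAssets ledger and the surplus() helper are assumptions of this example; the OpenZeppelin IERC20 and SafeERC20 imports are real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Weak form (illustrative, not LEECH code): share price derived from balanceOf(address(this)).
/// Tokens sent straight to this address are counted as if they had been deposited, so the
/// share/asset ratio can be moved without any deposit() call being recorded.
contract BalanceBasedVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external returns (uint256 minted) {
        uint256 balanceBefore = asset.balanceOf(address(this)); // includes stray transfers
        asset.safeTransferFrom(msg.sender, address(this), amount);
        minted = totalShares == 0 ? amount : (amount * totalShares) / balanceBefore;
        totalShares += minted;
        shares[msg.sender] += minted;
    }

    function withdraw(uint256 shareAmount) external returns (uint256 paid) {
        // Payout also follows the raw balance, so it moves with whatever was sent to the address.
        paid = (shareAmount * asset.balanceOf(address(this))) / totalShares;
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        asset.safeTransfer(msg.sender, paid);
    }
}

/// Hardened form (illustrative): the contract records what deposit() and withdraw() moved in
/// its own `totalAssets` ledger and never reads its full token balance for pricing. Tokens that
/// arrive outside the ledger do not affect shares; they are only visible through surplus().
contract LedgerBasedVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    uint256 public totalAssets;   // assumption of this example: only ledgered deposits
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    error ZeroShares();

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external returns (uint256 minted) {
        asset.safeTransferFrom(msg.sender, address(this), amount);
        // Price shares against the ledger, not the contract's balance.
        minted = totalShares == 0 ? amount : (amount * totalShares) / totalAssets;
        if (minted == 0) revert ZeroShares(); // refuse deposits that would round to nothing
        totalAssets += amount;
        totalShares += minted;
        shares[msg.sender] += minted;
    }

    function withdraw(uint256 shareAmount) external returns (uint256 paid) {
        paid = (shareAmount * totalAssets) / totalShares;
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        totalAssets -= paid;
        asset.safeTransfer(msg.sender, paid);
    }

    /// Tokens held by the contract that the ledger does not account for.
    function surplus() external view returns (uint256) {
        return asset.balanceOf(address(this)) - totalAssets;
    }
}
```

The hardened contract credits the `amount` argument directly, which matches the recommendation but assumes a standard ERC-20; for fee-on-transfer tokens the ledger should be credited with the measured difference in balance before and after the transfer instead, which still keeps pre-existing stray balances out of the calculation.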
The full LEECH audit report by Ackee Blockchain Security can be found here.
We are grateful for the opportunity to work with LEECH and look forward to working with them again.