Minterest Announces the Successful Completion of its Zokyo Security Audit

Security audit score

Security takes top priority at Minterest, and the protocol is subject to the highest standards of security auditing possible. In line with our mission of maintaining transparency and delivering a great product, we have engaged Zokyo to undertake an independent fourth security audit of the Minterest protocol. 

Zokyo sports sterling credentials as an end-to-end security resource providing distinguished security auditing and penetration testing services alongside prominent vulnerability assessments. Their team consists of world-renowned hackers, cryptographers, and engineers who have focused on the nuances of cybersecurity within the blockchain space since 2016. In 2018, they were ranked the #1 smart contract auditing firm by Forbes.

What’s Inside the Zokyo Security Audit Report?

Extract from the audit report

The goal of the audit was to verify that the contracts function correctly and with a known level of security. To that end, Zokyo checked the code line by line. Auditors also checked the code of the contracts against their own checklist of vulnerabilities, validated the business logic of the contracts, and made sure that best practices in terms of gas spending were applied.

Zokyo Security has concluded that the smart contract passes security qualifications to be listed on digital asset exchanges, giving it an Audit score of 93.

Extract from the audit report

According to the evaluations performed by Zokyo, 98% of the code is testable, which is above the industry standard of 95%. The total contract security was high, and the contracts were well-tested and well-written.

Two high-severity issues and two low-severity/informational issues were found during the manual part of the audit. One of the high-severity issues concerned unsafe contract initialization; the other concerned the absence of swap parameter validation.

The first issue was successfully fixed by the Minterest team, while the second will be fixed later. All other issues were successfully fixed or verified by the Minterest team.

High Severity Issues

1) Possible re-initialization of the contracts

Some of the contracts did not use the initializer modifier from the standard OpenZeppelin contracts, so their initialization functions could be called more than once.

Recommendation: Use the standard initializer modifier from OpenZeppelin in all contracts to ensure that the contract is initialized only once.

Status: Resolved
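The pattern behind this finding, shown here as an added illustration with hypothetical contracts (not Minterest's code): an initialize() function with no once-only guard next to the same function protected by OpenZeppelin's Initializable and its initializer modifier. It assumes OpenZeppelin Contracts Upgradeable 4.6 or later, which provides _disableInitializers().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

// Vulnerable pattern (hypothetical contract for illustration): initialize()
// carries no once-only guard, so any later caller can invoke it again and
// overwrite the owner and fee that were set the first time.
contract UnguardedVault {
    address public owner;
    uint256 public feeBps;

    function initialize(address owner_, uint256 feeBps_) external {
        owner = owner_;   // silently rewritten on every call
        feeBps = feeBps_;
    }
}

// Hardened pattern: inherit Initializable and mark initialize() with the
// standard OpenZeppelin `initializer` modifier. The modifier records that
// initialization has happened; a second call reverts instead of re-running
// the body, which is exactly the guarantee the audit recommendation asks for.
contract GuardedVault is Initializable {
    address public owner;
    uint256 public feeBps;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract itself so it can never be
        // initialized directly; only proxies pointing at it can be.
        _disableInitializers();
    }

    function initialize(address owner_, uint256 feeBps_) external initializer {
        // Basic argument validation, also raised under "Validation is missing".
        require(owner_ != address(0), "owner is zero address");
        require(feeBps_ <= 10_000, "fee exceeds 100%");
        owner = owner_;
        feeBps = feeBps_;
    }
}
```

With GuardedVault, a repeated initialize() call reverts with "Initializable: contract is already initialized", so the owner cannot be replaced after deployment.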

2) Swap parameters are not validated

DeadDrop.sol: function performSwap()

The parameters packed into the ‘data’ bytes argument are not validated, which leaves the function open to possible attacks.

Recommendation: Validate the swap parameters: check the correctness of the tokens, the recipient, and the minAmountOut parameter.

Status: The fix will be implemented by the next audit revision. Until then, the contract will not be used.

Low Severity Issues

1) Pause on the Buyback might block protocol actions

Buyback.sol: function updateBuybackAndVotingWeights(), line 232. This function is called by RewardsHub.sol (in distributeSupplierMnt() and distributeBorrowerMnt()), which in turn are called every time a user performs an action in MToken, such as deposit, borrow, or repayBorrow. Thus, if Buyback.sol is paused, every such transaction will revert and all actions on the platform will be frozen.

Recommendation: Verify that protocol actions are not blocked due to the pause on Buyback.sol. 

Status: A ‘relaxed’ version of the function was added that doesn’t block the protocol when Buyback is paused.

2) Validation is missing

Validation is missing in the following functions: 

1) Liquidation.sol: function constructor()

2) KinkMultiplierModel.sol: function constructor()

3) MNTSource.sol: function constructor()

4) BuyBack.sol: function initialize()

Recommendation: Add necessary validation.

Status: Everything is fixed except the fourth point.

For the full version of the report, click here.

Closing Thoughts

Minterest holds itself to the highest levels of security in the crypto space. The broader industry has significantly stepped up measures to protect funds by employing more rigorous external and internal code audits and overall platform security processes. By undertaking a fourth security audit, Minterest has built a well-tested platform fully capable of protecting our users and customer funds in a truly decentralized manner.

06, December 2022