Jigsaw Protocol v1 - Jigsaw Finance


Prepared by:

Halborn Logo

HALBORN

Last Updated 09/20/2024

Date of Engagement: August 19th, 2024 - September 20th, 2024

Summary

100% of all REPORTED Findings have been addressed

All findings

9

Critical

1

High

2

Medium

2

Low

2

Informational

2


1. Introduction

The Jigsaw Finance team engaged Halborn to conduct a security assessment on their stablecoin project, beginning on August 19, 2024, and ending on September 20, 2024. The security assessment was scoped to cover the entire jigsaw-protocol-v1 GitHub repository, located at https://github.com/jigsaw-finance/jigsaw-protocol-v1, commit 96fb13e5b6db3f6d186743cf61d34c852ff13d70.


2. Assessment Summary

The team at Halborn was provided five weeks for the engagement and assigned one full-time security engineer to assess the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to achieve the following:

    • Ensure that the system operates as intended.

    • Identify potential security issues.

    • Identify lack of best practices within the codebase.

    • Identify systematic risks that may pose a threat in future releases.

In summary, Halborn identified some security issues that were successfully addressed by the Jigsaw Finance team.

3. SCOPE

Files and Repository
(a) Repository: jigsaw-protocol-v1
(b) Assessed Commit ID: 96fb13e
(c) Items in scope:
  • src/HoldingManager.sol
  • src/Holding.sol
  • src/interfaces/core/IHoldingManager.sol
↓ Expand ↓
Out-of-Scope:
Remediation Commit ID:
Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

Security analysisRisk levelRemediation
Loss of liquidation bonus due to roundingCriticalSolved - 09/16/2024
Loss of protocol fee in HoldingManager::_withdraw()HighSolved - 09/03/2024
Loss of protocol fee in LiquidationManagerHighSolved - 09/16/2024
Collateral miscalculations in _getCollateralForJUsdMediumSolved - 09/16/2024
Flawed Uniswap deadlineMediumSolved - 09/03/2024
Rounding issue in StrategyBase::_burnLowSolved - 09/11/2024
Re-org attack against ReceiptTokenFactoryLowSolved - 09/03/2024
Holding::genericCall() should allow sending fundsInformationalSolved - 09/11/2024
Duplicated code in HoldingManager::_withdraw()InformationalSolved - 09/03/2024

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

// Download the full report

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed

© Halborn 2025. All rights reserved.