PerpDex - K-BIT


Prepared by: Halborn

Last Updated 11/26/2024

Date of Engagement: October 3rd, 2024 - October 15th, 2024

Summary

97% of all reported findings have been addressed.

All findings: 33

- Critical: 0

- High: 1

- Medium: 10

- Low: 8

- Informational: 14


1. Introduction

K-BIT engaged our security analysis team to conduct a comprehensive security audit of their smart contract ecosystem. The primary aim was to meticulously assess the security architecture of the smart contracts to pinpoint vulnerabilities, evaluate existing security protocols, and offer actionable insights to bolster security and operational efficacy of their smart contract framework. Our assessment was strictly confined to the smart contracts provided, ensuring a focused and exhaustive analysis of their security features.

2. Assessment Summary

Our engagement with K-BIT spanned a 1-week period, during which we dedicated one full-time security engineer equipped with extensive experience in blockchain security, advanced penetration testing capabilities, and profound knowledge of various blockchain protocols. The objectives of this assessment were to:

- Verify the correct functionality of smart contract operations.

- Identify potential security vulnerabilities within the smart contracts.

- Provide recommendations to enhance the security and efficiency of the smart contracts.

3. Scope

Files and Repository
(a) Repository: audit
(b) Assessed Commit ID: a7b2da3
(c) Items in scope:
  • contracts/lp.sol
  • contracts/qaPrice.sol
  • contracts/fee.sol
Out-of-Scope: Third-party dependencies and economic attacks.
Remediation Commit IDs:
  • da83bf8
  • 4ce3a7e
Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

| Security analysis | Risk level | Remediation |
|---|---|---|
| Incorrect fee calculation during Pyth oracle interactions | High | Solved - 11/01/2024 |
| Position size validation misplaced | Medium | Solved - 11/01/2024 |
| Inadequate position status and leverage checks | Medium | Solved - 11/01/2024 |
| Unrestricted token address update | Medium | Solved - 11/11/2024 |
| Signature vulnerability due to lack of chain-specific and contract-specific data | Medium | Solved - 11/01/2024 |
| Vulnerability in closePosition due to insecure user signature verification | Medium | Solved - 11/01/2024 |
| Signature replay vulnerability in setFeePercent and registerReferrer | Medium | Risk Accepted - 11/01/2024 |
| Protocol does not account for USDT transfer fees | Medium | Solved - 11/01/2024 |
| Incorrect liquidation price calculation due to leverage rounding | Medium | Solved - 11/01/2024 |
| Inconsistent update timestamp value | Medium | Solved - 11/01/2024 |
| Inconsistent mapping during price submission | Medium | Solved - 11/01/2024 |
| Incorrect loss check during close position logic | Low | Solved - 11/01/2024 |
| Incorrect timestamp comparison | Low | Solved - 11/01/2024 |
| Arbitrage opportunities between different data feeds in trading actions | Low | Risk Accepted - 11/01/2024 |
| Duplicate admin entries allowed | Low | Not Applicable |
| Single-step ownership transfer | Low | Risk Accepted - 11/01/2024 |
| Inconsistent price timestamp validation across oracles and outdated price checks | Low | Risk Accepted - 11/01/2024 |
| Merge operations could be automated during position opening for integrity | Low | Solved - 11/01/2024 |
| Missing checks on submitted price | Low | Solved - 11/01/2024 |
| Insufficient test coverage with mocked oracle interactions and no chain forking | Informational | Solved - 11/01/2024 |
| Unutilized pause functionality and single-role control | Informational | Not Applicable |
| Lack of EIP-1271 support for non-EOA addresses | Informational | Acknowledged - 11/01/2024 |
| Function not callable when paused | Informational | Solved - 11/01/2024 |
| Code duplication in checkPriceDataOrder function | Informational | Not Solved - 11/01/2024 |
| Inefficient gas usage in Pyth price feed updates | Informational | Acknowledged - 11/01/2024 |
| Redundant check call when fetching previous prices | Informational | Acknowledged - 11/01/2024 |
| Underflow in liquidation price | Informational | Solved - 11/01/2024 |
| Redundant margin check | Informational | Solved - 11/01/2024 |
| Late validation checks in `openLimitOrder` function | Informational | Solved - 11/01/2024 |
| Incorrect message for pending limit order status | Informational | Not Applicable |
| Inefficient removal of position | Informational | Solved - 11/01/2024 |
| Redundant check | Informational | Solved - 11/01/2024 |
| Inconsistent profit margin comparison | Informational | Solved - 11/01/2024 |
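The three signature findings in the table (missing chain- and contract-specific data, insecure user signature verification in closePosition, and replay in setFeePercent and registerReferrer) share one root cause: the digest that is signed does not bind the signature to a chain, a deployment, or a single use. The contract below is an added illustration of that pattern and is not K-BIT's code or any of the audited contracts; the signed fields, the EIP-712 domain name "PerpDex", the off-chain signer role and the fee-setting function body are assumptions chosen to show the fix. It places a loosely bound check beside one that includes `block.chainid`, `address(this)`, a nonce consumed on use, and an expiry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative example only (not K-BIT code). All field names, the domain
/// name "PerpDex" and the signer role are assumptions made for this example.
contract FeeSigningExample {
    address public immutable signer;              // assumed off-chain signer
    mapping(address => uint256) public nonces;    // per-user replay protection
    mapping(address => uint256) public feePercent;

    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    bytes32 private constant SET_FEE_TYPEHASH =
        keccak256("SetFeePercent(address user,uint256 fee,uint256 nonce,uint256 deadline)");

    constructor(address _signer) {
        signer = _signer;
    }

    // Vulnerable pattern: the digest covers only the business fields, so one
    // signature verifies on every chain, on every deployment of this contract,
    // and as many times as anyone cares to submit it.
    function setFeePercentUnsafe(address user, uint256 fee, bytes calldata sig) external {
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encodePacked(user, fee))
        ));
        require(_recover(digest, sig) == signer, "bad sig");
        feePercent[user] = fee;
    }

    // Hardened pattern: EIP-712 domain separator (chainId + verifyingContract),
    // a nonce that is consumed on use, and a deadline after which the
    // signature is dead even if it was never submitted.
    function setFeePercent(address user, uint256 fee, uint256 deadline, bytes calldata sig) external {
        require(block.timestamp <= deadline, "expired");
        uint256 nonce = nonces[user]++;               // reverts roll this back on a bad sig
        bytes32 structHash = keccak256(abi.encode(SET_FEE_TYPEHASH, user, fee, nonce, deadline));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", _domainSeparator(), structHash));
        require(_recover(digest, sig) == signer, "bad sig");
        feePercent[user] = fee;
    }

    // Computed at call time rather than cached at deploy time so that a chain
    // fork (new chainid) cannot carry old signatures across.
    function _domainSeparator() internal view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH,
            keccak256("PerpDex"),   // assumed name
            keccak256("1"),         // assumed version
            block.chainid,
            address(this)
        ));
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "sig length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        // Reject high-s values (s > secp256k1n / 2) so each message has one
        // canonical signature; otherwise a malleated copy is a second "nonce-free" replay.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0), "invalid sig");
        return recovered;
    }
}
```

The hardened path still only accepts signatures from an externally owned account; a contract-wallet signer would need an `isValidSignature` call per EIP-1271, which the table lists separately as an informational finding.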

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.


© Halborn 2025. All rights reserved.