Prepared by:
HALBORN
Last Updated 08/11/2025
Date of Engagement: May 12th, 2025 - May 16th, 2025
100% of all REPORTED Findings have been addressed
All findings
17
Critical
0
High
1
Medium
4
Low
7
Informational
5
THORChain engaged Halborn to conduct a security assessment of the Nami Index contracts, beginning on May 13th, 2025 and ending on May 19th, 2025. This security assessment was scoped to the smart contracts in the Nami GitHub repository. Commit hashes and further details can be found in the Sources section of this report.
Nami Index is a protocol that enables the creation and management of tokenized index vaults on top of Thorchain. It allows users to deposit a single asset and receive diversified exposure across multiple assets according to predefined weights. The protocol handles rebalancing, swapping, and accounting through a set of CosmWasm smart contracts that interact with Thorchain’s liquidity network.
All remediations described in this report were completed prior to the following commit, which serves as a consolidated snapshot of the final codebase. Although remediations may have been implemented across multiple earlier commits, this single commit includes all changes and can be used for verification purposes:
833f72787ee26d141008d2bb620cf324436a6d08
Below are the checksums for the deployed contracts:
Contract | Checksum |
nami-index-nav | 0ff970150655cb53687b6b478c6540f3deaec5ce06063ef64d3e02a519d6b56b |
nami-index-fixed | 63dd9426926704db38dc25b6c1830d202bbad7d92d8d298056cd7e0de3efd9ce |
nami-index-entry-adapter | e9927b93feeef8fd2e8dcdca4695dddd38d0a832d8e62ad2c0e9cf2826a4f61a |
nami-affiliate | 223ea20a4463696fe32b23f845e9f90ae5c83ef0175894a4b0cec114b7dd4b26 |
The team at Halborn assigned a full-time security engineer to verify the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.
The purpose of this assessment is to:
Ensure that smart contract functions operate as intended
Identify potential security issues with the smart contracts
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which have been partially addressed by the Nami team. The main ones were the following:
Restrict affiliate fee injection by enforcing a whitelist and storing fee parameters on-chain.
Prevent fee evasion by accumulating fractional fees in state or using ceiling rounding methods.
Ensure deposit logic uses up-to-date amount_per_share by reordering rebalances.
Limit Callback execution to known swap contracts by verifying the sender against the allocation map.
Isolate and track the exact quote_denom amount received in the first swap before performing the second during reallocation.
Enforce automatic rebalancing after relevant events or based on elapsed time in NAV index.
Support batched allocation updates to verify that total weights sum to 1 within a single atomic call.
Use separate min_return values for multi-step swaps or validate the final output instead of individual steps.
Validate that the registered denom matches the swap contract’s base denom and is not the quote token.
Reject duplicate allocation entries by checking for existing denom values before insertion.
Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of the code and can quickly identify items that do not follow the security best practices. The following phases and associated tools were used during the assessment:
Research into architecture, purpose, and use of the platform.
Manual code read and walk through.
Manual Assessment of use and safety for the critical Rust variables and functions in scope to identify any arithmetic related vulnerability classes.
Architecture related logical controls.
Cross contract call controls.
Scanning of Rust files for vulnerabilities(cargo audit)
Review and verification of integration tests.
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
1
Medium
4
Low
7
Informational
5
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Deposit value not multiplied by token price | High | Solved - 06/24/2025 |
| Unrestricted affiliate fee injection enables fund redirection attacks | Medium | Partially Solved - 05/28/2025 |
| Fee system vulnerable to rounding-based evasion attacks | Medium | Solved - 05/27/2025 |
| Deposit uses outdated amount_per_share after prior withdraw | Medium | Solved - 05/28/2025 |
| Unit mismatches in withdraw slippage flow | Medium | Solved - 08/08/2025 |
| Callback can be triggered by unauthorized external contracts | Low | Solved - 05/27/2025 |
| Reallocation uses full quote_denom balance without isolating source | Low | Solved - 05/27/2025 |
| Missing validation that map key matches base denom in multiple contracts | Low | Solved - 05/27/2025 |
| Allocation entries can be silently overwritten | Low | Solved - 05/28/2025 |
| Reuse of min_return across independent swaps in reallocation | Low | Solved - 05/27/2025 |
| Lack of automatic rebalance enforcement may lead to stale or unbalanced portfolios | Low | Risk Accepted - 05/28/2025 |
| Weight sum cannot be verified with individual allocation updates | Low | Solved - 05/28/2025 |
| Lack of documentation across the codebase | Informational | Acknowledged - 05/29/2025 |
| Inefficient swap strategy in Deposit flow | Informational | Acknowledged - 05/28/2025 |
| Burn + Mint fee shares could be simplified via transfer | Informational | Solved - 05/27/2025 |
| Receipt token denoms are identical across different index types | Informational | Solved - 05/27/2025 |
| Inconsistent slippage semantics across withdraw and rebalance functions | Informational | Solved - 05/27/2025 |
//High
//Medium
//Medium
//Medium
//Medium
//Low
//Low
//Low
//Low
//Low
//Low
//Low
//Informational
//Informational
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
NAMI Protocol Rujira Index Product
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
