Over the summer, Arbitrary Execution conducted a smart contract security assessment of the Premia V3 protocol, and is excited to publish our findings after the conclusion of the fix review. The full report is located on our publications repo.
Smart Contract Audit Summary & Scope
Four Arbitrary Execution Web3 security researchers conducted this review over a 7-week period, from May 22, 2023 to July 7, 2022. The Solidity files in scope for this smart contract audit consisted of a subset of the contract files in the contracts directory. Notably, contracts in the orderbook, staking, utils, layerZero, and vendors sub-directories were not included in the scope of the audit.
The smart contract security assessment resulted in findings ranging in severity from critical to note (informational). A critical finding in the way rewards are paid to users acting as Authorized Agents for position owners allows an arbitrary user to steal all the tokens held within any option Pool. This code pattern was repeated in three locations, creating three different avenues for attackers to exploit the vulnerability.
Two high severity findings impacted the rebate claiming process for referrals and the use of Time-Weighted Average Price (TWAP) metrics as a security mechanism on the Arbitrum network. The medium and low severity findings had a range of impacts on protocol functionality, including token price calculation, referral rebates, Vault updates, and Pool maturity date calculations. The note severity findings contained observations regarding code hygiene, token ID generation, and erroneous checks.
Smart Contract Audit Fix Review
The Premia team has fixed or acknowledged all major issues identified in the smart contract audit service engagement. Over the course of the engagement, the Premia team made a number of updates, including some bug fixes, to their protocol. As part of the fix review, the AE team also reviewed the pull requests containing those changes. These pull requests, along with AE's evaluation of each fix, are also included in the full report.
AE Does Audits and Retainers
AE publishes audit reports to our publications repo with permission. To see our full list of public reports and other great resources, check out our GitHub. Interested in our smart contract audit services? Contact us now to learn how we can help protect your protocol.