Summary
The most critical subjects covered in our audit are functional correctness, integration with Arrakis Modular and external systems, asset solvency and precision of arithmetic operations. The general subjects covered are specification, gas efficiency, and trustworthiness.
The most significant findings are:
• Array manipulation during iteration
• Bad rounding
• Manager fee collected multiple times
• Token allowance abuse during module change
The first three items have been resolved through code corrections, while the risk for the last one has been accepted. Note that other lower-severity issues have been partially corrected or acknowledged.
It is also worth noting that the project is subject to certain roles that are not fully trusted and can, theoretically, extract small parts of the liquidity in discrete time intervals. See Possibilities of executors to drain funds for details.
In summary, we find that the codebase provides a good level of security, although it depends on the correct usage by trusted accounts.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Arrakis Uniswap V4 Module
Arrakis Finance implements modules integrating with Uniswap V4 for Arrakis Modular. This allows managers to manage a vault's liquidity on Uniswap V4.
"Arrakis is web3's trustless market making infrastructure protocol that enables running sophisticated algorithmic strategies on Uniswap V3. Liquidity providers can utilize Arrakis Vaults to have their liquidity be managed in an automated, capital efficient, non-custodial and transparent manner."