Summary
The most critical subjects covered in our review are functional correctness, integration of the signature scheme, and access control. Security regarding all the aforementioned subjects is high. All uncovered issues have been either fixed or acknowledged. Notable findings included:
- Update using stale pokedata
- Assessment of Finalized after authed action
- Unreset oppokedata after unsuccessful challenge
The general subjects covered are code complexity, integration by external systems and the quality of the specification / documentation. The correctness of the signature scheme itself was not in scope of this review.
In summary, we find that the codebase provides a good level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.
About Chronicle – Scribe (MakerDAO)
Chronicle implements Scribe, a price oracle based on Schnorr multi-signatures. An optimistic extension allows price updates whose signature is evaluated on-chain only if the update is challenged. Reading the price feed on-chain is restricted to whitelisted addresses.
Chronicle: “Verifiable date for a decentralized future – Powering MakerDAO. Scalable | Cost-Efficient | Accessible | Transparent | Oracles – https://chroniclelabs.org/”