Summary
The most critical subjects covered in our audit are functional correctness and resistance to oracle manipulations. The contracts are functionally correct and are, in most cases, resistant against oracle manipulations under the assumptions that:
- Curve's price_oracle() cannot be manipulated to a lower value during a maximum of 2 blocks.
- Curve pool imbalances are efficiently arbitraged every block.
- CryptoPoolOracle is not used for StableSwap pools.
- The underlying Curve pools experience regular usage.
However, certain edge conditions can enable oracle manipulation attacks that extract value: oracle manipulation during withdrawal. Conic, for now, accepts this risk and tries to find an optimal solution.
In summary, we find that the codebase provides an improvable level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Conic Crypto Pool Update
Conic implements a new oracle for pricing LP tokens of Curve Crypto pools. Additionally, Conic implements a new contract for determining the share of CNC rewards that is distributed to each Conic pool.
“Conic Finance is an easy-to-use platform built for liquidity providers to easily diversify their exposure to multiple Curve pools. Any user can provide liquidity into a Conic Omnipool which allocates funds across Curve in proportion to protocol controlled pool weights.”
Conic's V2 audit by ChainSecurity was exceptional. Their thorough analysis revealed complex edge cases, providing invaluable insights that exceeded our expectations and underscored our commitment to providing the highest level of security.
C-3PO