The most critical subjects covered in our audit are functional correctness, oracle security and internal accounting. Security regarding all aforementioned subjects is high.
Functional correctness is good. Issues like Execution of wrong governance change and some smaller problems have been adequately fixed.
Newly created pools allowed Endless rebalancing due to a flaw in the handling of oracle prices. This has been addressed by rebalancing rewards being activated by governance, as long as this is done in a correct manner considering the TVL of the pool and the CNC price.
The internal accounting of some tokenomics contracts was flawed due to Reward double counting and Wrong accounting in Bonding. These issues have also been addressed.
It should be noted that the security of funds is dependent on parameters like the imbalance buffers of the Curve oracle. These must be chosen with care (considering Curve pool fees, the share of a Conic pool’s Curve LP tokens etc.) to avoid the possibility of arbitrage opportunities.
In summary, we find that the codebase provides a high level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.