Summary
The most critical subjects covered in our audit are the system's solvency, the precision and correctness of arithmetic operations, and oracle manipulation resistance. We found that the security of the first two topics is high. Oracle manipulation resistance is high, especially since the BAMM does not rely on an oracle as a traditional lending protocol would. However, we emphasize the costs and risks of oracle manipulation in "Oracle manipulation on FIFO L2s".
Other general subjects covered are rounding direction correctness and denial of service. We found that the rounding direction has generally been implemented correctly, and only minor denial of service patterns were found. These are documented in "Denial of Service against liquidations" and "Denial of Service against redeeming and executing actions".
Frax Finance has been very responsive to our findings and has addressed most of the issues we reported. The remaining issues are minor and do not pose a significant problem.
In summary, we find that the codebase provides a high level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Frax BAMM Smart Contracts
Frax Finance implements BAMM, a Borrow AMM that wraps Frax swap LP tokens and allows users to borrow the two underlying assets of the pair.
"The Frax ecosystem is a self-sufficient DeFi economy utilizing stablecoins as currency."