
Quark V2 and Quark Scripts

Summary

The most critical subjects covered in our audit are callback handling, nested operations, nonce processing, and slippage protection in swaps. Security regarding all aforementioned subjects is high. The unexpected slippage caused by the accumulation of oracle deviations, described in "RecurringSwap Oracle deviations contributing to slippage", has been acknowledged as part of the behavior of the system and properly documented.

All the issues raised have been satisfactorily addressed by Legend Labs. However, a QuarkWallet is designed to execute arbitrary code in the context of a user's wallet through delegatecall. Script developers must understand the core mechanics of the Quark wallet before integrating with it, and Legend Labs should safeguard users against blind-signing malicious payloads by providing appropriate tooling to inspect wallet operations.

In summary, we find that the Quark codebase provides a high level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About Legend Labs Quark V2 and Quark Scripts

Legend Labs implements Quark v2, a smart contract wallet that enables accounts to run arbitrary scripts. Legend Labs also provides a suite of scripts to facilitate wallet operation and interact with DeFi systems. This audit follows our first audit of Quark, which can be found here. The new system implements an updated version of nonce control and state isolation, and introduces transient storage.