Summary
The most critical subjects covered in our audit are access control, asset solvency, functional correctness, and the impact of the change on the existing system. An issue with functional correctness was identified, where Splitter.cage() did not lock the Splitter completely (see Splitter.cage() does not lock the Splitter). After the intermediate report, this issue has been resolved.
The general subjects covered are specifications correctness, optimizations, and soundness of the deployment and initialization scripts. The specification of babylonian.sqrt() was inaccurate (see Incorrect specification). The checks in the initialization scripts could be further enhanced (see Missing check for bump and Missing check of reward token on farm contract). All the issues have been resolved and security regarding all the aforementioned subjects is high.
In summary, we find that the codebase provides a high level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.
About MakerDAO DSS Flappers
MakerDAO has implemented new contracts to process the surplus of the Dai Stablecoin System. A new Splitter contract divides the surplus between a burning engine (Flapper) and a reward farm. Flapper contracts interact with UniswapV2, exchanging DAI for Gem tokens, with two variants: FlapperUniV2SwapOnly fully converts DAI to Gem, while FlapperUniV2 adds liquidity to the pool.
—
“The Maker Protocol, also known as the Multi-Collateral Dai (MCD) system, allows users to generate Dai by leveraging collateral assets approved by “Maker Governance.” Maker Governance is the community organized and operated process of managing the various aspects of the Maker Protocol. Dai is a decentralized, unbiased, collateral-backed cryptocurrency soft-pegged to the US Dollar. Resistant to hyperinflation due to its low volatility, Dai offers economic freedom and opportunity to anyone, anywhere.”