The most critical subjects covered in our audit are the valuation of the portfolios and their tranches, the fee and interest calculations, the interactions of the lenders and the borrowers with the system and the access control. For the tranche valuation, we uncovered a Waterfall miscalculation issue. Under certain circumstances, the value of riskier tranches could be absorbed by higher tranches. The issue was addressed in the second iteration of the report. Attack vectors initiated by the portfolio managers were considered out of scope. In the current version, all the uncovered issues have been either addressed or acknowledged.
The general subjects covered are complexity, deployment, testing and documentation. We believe that all the other aforementioned areas offer a high level of security. The documentation is comprehensive and unit testing is extensive. However, we need to emphasize that the complexity of the codebase is really high and the system can be in many different states which might require different handling, and thus our confidence in that regard is limited.
Moreover, we would like to emphasize that portfolio managers are highly trusted and can introduce security risks to the protocol. The security of Carbon instances therefore ultimately depends on external factors.
In summary, we find that the codebase with the latest version greatly improved on the initial version. An iterative audit of many iterations adds risk as reviews of multiple small changes can introduce novel interactions with existing code which are easy to miss. Overall, we find that the codebase in its current state provides a good level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.