USDD V2 Smart Contracts

Summary

Our review focuses exclusively on code security issues introduced by the changes against the forked codebase. The review does not cover any economic risks. Any errors made by privileged users of the system, including those due to misunderstanding the intricacies and caveats of the forked code base, are out of scope.

The most critical subjects covered in our audit are asset solvency, functional correctness, and access control. Security regarding asset solvency is high.

In the latest version of the codebase:

  • Functional correctness has been improved since Incorrect Bar Mechanism in Median and Missing Decimal Upscaling in TRXJoin were resolved.
  • Access control has been improved since Access to DSPauseProxy Is Not Restricted to DSPause and GovActionsProxy Will Lose Control Over DSPause if It Changes Delay to Nonzero were resolved.
  • In addition, Denial of Service in Median Due to Revert on Invalid Price was partially corrected, and the risk of Governance Delay is Currently Disabled was accepted. Hence, active monitoring is required to ensure the oracle and governance work correctly.

The general subjects covered are event handling, specifications, and precision of arithmetic operations, all of which can be improved further; see Events Are Improvable, Incorrect Specifications, and Loss of Precision in Price Calculation Due to Scaling Logic.

In summary, we find that the codebase provides a satisfactory level of security.

Continuing to allocate sufficient time for more extensive internal QA would further increase the security level of the codebase.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About USDD V2 Smart Contracts

Decentralized USD implements USDD V2, a fork of the MakerDAO Protocol (now Sky) on the Tron blockchain. It enables users to mint the USDD stablecoin using various collaterals.