The most critical subjects covered in our review are asset solvency and functional correctness. Security regarding the aforementioned subjects is improvable. The most important issues uncovered are (1) asset solvency is low due to wrongly maintained internal accounting (see Wrong Accounting upon Margin Account Top up) and (2) functional correctness is low due to the value the tranches not including unrealized LP fees (see Accrued Interest Is Not Accounted in trancheValue).
The first issue has been fixed by a change of specification. Xena Finance has decided they only want to use a single tranche. The issue remains valid if Xena Finance decides to add more tranches. This leaves the codebase complex, while the functionality that will be used is simpler. The second issue related to accrued interest remains unfixed.
Additionally, there are a number of issues that Xena Finance decided not to fix, which could cause problems in the edge cases outlined in those issues.
The general subjects covered are documentation and specification. Security regarding all the aforementioned subjects is improvable. Documentation and specification are not sufficient due to the overall lack of documentation and unclear specification, see Missing Documentation.
In summary, we find that the codebase currently provides an improvable level of security.
Users of the system should check the Notes section for important information to consider before using the system.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.