Runtime Verification Audits Hatom Lending Protocol

Posted on November 1st, 2022 by Runtime Verification
Posted in Audits

Runtime Verification Audits Hatom Lending Protocol

Runtime Verification is pleased to announce the Hatom smart contract audit completion. Hatom is a decentralized lending protocol built on the MultiversX Blockchain. It is a complete money market ecosystem that allows users to lend, borrow and stake their crypto assets at competitive interest rates.

Audit scope

With the Hatom protocol, users can lend or borrow crypto assets in the MultiversX ecosystem. Lenders can deposit tokens into the lending pool and gain corresponding HTokens, which accrue interest from the asset borrowers. Likewise, borrowers are able to borrow in an over-collateralized manner.

The protocol allows for governance participation through its native Hatom token, as well as providing token holders the ability to stake their Hatom tokens to earn a share of the generated income.

The audit scope included the entirety of the protocol’s on chain libraries and smart contracts. In the protocol, smart contracts are grouped into modules, and the scope of the audit included modules responsible for the following operations:

  • Admin module: The admin module implements the functionality for the admin role of the smart contracts.
  • Controller module: The controller module validates permitted user actions and disallows actions if they do not conform to specific risk parameters.
  • Governance module: The governance module handles proposing, voting, and executing proposals.
  • Interest rate module: The interest rate module calculates the interest rate, which depends on the current utilization rate of a given market.
  • Money market module: The money market module handles borrow, lend, repay and liquidate functionality.
  • Oracle module: The oracle module fetches the price of a given asset from different sources.
  • Staking module: The staking module distributes staking rewards to the Hatom token stakers.

The audit scope is limited to the Rust source code of the on-chain modules and smart contracts and excludes any deployment and upgrade scripts, off-chain codebase, and client-side portions of the codebase. A detailed list of all the contracts, libraries and interfaces audited can be found in the report.

Methodology

Runtime Verification conducted a manual code review for a period of 8 weeks and delivered a detailed report on October 19th, 2022.

The first step of the audit process consisted of gaining a better understanding of the protocol’s use cases, as well as the business model of the Hatom protocol based on a set of inputs and documentation provided by the Hatom team. In this step, RV auditors took special care to analyze the interactions between endpoints to ensure that all the use cases are covered by the end points of the protocol.

In the second step, the functional correctness of each endpoint was reviewed against the public documentation and the white paper. This step focused on rounding error analysis and checking that the interest rate and staking rewards were computed correctly.

Then, the critical properties of each module were identified and verified to hold in the protocol. During this step, Runtime Verification and the Hatom team worked to implement upgrades to the oracle module to prevent the protocol from experiencing a price manipulation attack.

Finally, the protocol was reviewed against known security vulnerabilities for similar protocols to ensure that it would not be at risk for such attacks.

Results

The audit identified and highlighted some issues along with some informative findings. Runtime Verification worked with the Hatom team to review a number of fixes to the code and incorporate them into the smart contracts, as well as assisting with optimizations and improvements to the oracle module.

Readers interested in a more detailed and technical explanation of the findings can go over the full report in our GitHub repository.

About Hatom

Hatom Labs is a technology company based in Liechtenstein dedicated to developing the Hatom ecosystem and its associated projects. The company supports development teams in creating and sustaining meaningful initiatives within the Hatom ecosystem. It is the parent company of Hatom Protocol, the first and only complete decentralized lending protocol built on the MultiversX Blockchain.

About Runtime Verification

Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.