Runtime Verification audits Synonym Finance
Runtime Verification is pleased to announce the completion of the Synonym Finance audit. Synonym Finance is a cross-chain lending and borrowing protocol powered by the Wormhole cross-chain technology stack and available on the Ethereum, Arbitrum, and Optimism chains.
Audit Scope
Synonym Finance is a new cross-chain protocol that lets users earn yield, borrow, repay, and withdraw from different chains through a unified interface. At launch, the protocol is available on three chains (Ethereum, Arbitrum, and Optimism) and supports USDT, USDC, wBTC, wstETH, OP and ARB.
The platform uses a Hub-Spoke model. All protocol state is stored on the Hub chain, and a Spoke contract is deployed on each spoke chain, so that users on any chain can perform the deposit, borrow, withdraw, and repay actions through the corresponding Spoke contract. Let’s take a closer look at some of the audited contracts and their functionality:
- The Hub, implemented by the contracts prefixed with `Hub`, stores the registered assets and the users’ vaults (the amount of each asset a user has deposited and borrowed). The Hub is also responsible for the business logic related to liquidations, interest rates, protocol variables, etc. A user can liquidate another user whose borrowed assets are worth more than their deposited assets, with asset values determined from Pyth or Chainlink prices. Liquidation is available only on the Hub. Users who wish to act on the same chain as the Hub can simply call the Hub’s functions directly.
- The Spoke, implemented by the contracts prefixed with `Spoke`, is the point of entry for cross-chain actions, namely `depositCollateral`, `withdrawCollateral`, `borrow`, `repay`, `depositCollateralNative` and `repayNative`. A user initiates an action by calling one of these `public payable` functions with the desired asset and amount, and the payload and tokens are transferred over Wormhole between Hub and Spoke according to the action initiated.
- Contracts supporting the Hub cover all the user-facing functionality present in the Spoke, and additionally provide interest-related utility functions, price-related utility functions and the Hub’s state variable definitions.
- Contracts supporting the Spoke provide simple delegate access to Spoke properties, define the Spoke contract’s state variables, and supply helper functions for normalization (a process used by the protocol to reconcile amounts across chains) and for liquidation.
- Contracts in charge of interest rate calculations apply accrued interest to collateral owners and borrowers; additional interest rate models allow a piecewise function, rather than a linear one, to be used to calculate interest rates.
There are also several contracts related to the protocol’s native tokens; their functionality includes claiming rewards, token conversion calculations, and allowing users to participate in protocol pools and collect the resulting benefits.
The audit scope is limited to the Solidity source code of the protocol. Off-chain, auto-generated, or client-side portions of the codebase, as well as deployment and upgrade scripts, are not in the scope of this engagement. A detailed list of all the contracts, libraries and interfaces audited can be found in the report.
Methodology
Runtime Verification conducted a manual code review for a period of 7 weeks and delivered a detailed report on December 22nd, 2023.
One of the first steps in the audit process was a thorough review of the protocol’s business logic. During this process, our auditors identified the two main contracts (Hub and Spoke) and how the majority of the other contracts in the protocol are built around them. Given their importance and the key role they play in the protocol, verifying that they worked as expected and confirming the absence of code mistakes or loopholes in the logic and its implementation was a priority. After reviewing the two main contracts, the remaining contracts were reviewed following the same process and checked against a list of known security vulnerabilities and attack vectors.
When conducting audits, it is important to focus on vectors where a successful attack could mean the loss of user funds. In the case of Synonym Finance, our auditors identified that the protocol performs very intricate calculations on the value of the total assets owned by a user, and also when computing the thresholds that control protocol behavior such as liquidation, borrow allowances, limits, etc. Extra time was allocated to reviewing those calculations, which led to findings that resulted in major updates to the protocol logic and to how those thresholds are calculated.
It is important to note that our standard procedure is to audit only a frozen code commit. For this audit, thanks to how actively the Synonym team was involved in providing all the necessary code updates, it was possible to also review the subsequent changes that superseded the old code, so that the code deployed on mainnet is closer to the code that was audited.
Conclusions
The audit identified and highlighted a number of issues along with several informative findings. The client addressed the findings that threatened the protocol. Only a limited set of fixes was reviewed in full by the team, selected for their importance and their impact on the rest of the code base; for the remaining fixes, a best-effort review was conducted.
Users interested in a more detailed and technical explanation about the findings can go over the full report in our GitHub repository.
About Synonym Finance
Synonym is a truly cross-chain money market built on the Wormhole xChain technology stack. By power users, for power users, Synonym enables true cross-chain collateralization and a flexibility that current lending incumbents don’t offer. Synonym was born from a unique DAO merger with New Order DAO, giving Synonym a network, community and resource advantage from day one. Long-term, Synonym is focused on becoming the premier venue for cross-chain lending and borrowing across major L2 rollups, app-chains and L3s.
About Runtime Verification
Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.