Reach out for an audit or to learn more about Macro
or Message on Telegram

Polynomial A-1

Security Audit

June 17, 2024

Version 1.0.0

Presented by 0xMacro

Table of Contents

Introduction

This document includes the results of the security audit for Polynomial's smart contract code as found in the section titled ‘Source Code’. The security audit was performed by the Macro security team on June 10th to June 12th 2024.

The purpose of this audit is to review the source code of certain Polynomial Solidity contracts, and provide feedback on the design, architecture, and quality of the source code with an emphasis on validating the correctness and security of the software in its entirety.

Disclaimer: While Macro’s review is comprehensive and has surfaced some changes that should be made to the source code, this audit should not solely be relied upon for security, as no single audit is guaranteed to catch all possible bugs.

Overall Assessment

The following is an aggregation of issues found by the Macro Audit team:

Severity Count Acknowledged Won't Do Addressed
Medium 2 - - 2
Low 2 - - 2
Code Quality 1 - - 1

Polynomial was quick to respond to these issues.

Specification

Our understanding of the specification was based on the following sources:

Trust Model, Assumptions, and Accepted Risks (TMAAR)

Similar to Syntheix V3, this protocol is upgradeable and has permissioned setters that can effect all aspects of the protocol which can effect stakers and market participants. Users of the protocol must trust that the owners and privileged roles will act in the best interest of the protocol and it’s users. A notable change from the Synthetix V3 architecture is the current state does not have decentralized governance, and the main owner will be set as a multisig, controlled by trusted members of the Polynomial protocol.

Source Code

The following source code was reviewed during the audit:

Specifically, we audited the following contracts within this repository.

Contract SHA256
packages/markets/perps-market/cannonfile.toml

51ece454bb86bb8fa71acd7bd5ece42b8b0d221c98a8e54ba2966a50092c1e39

packages/markets/spot-market/cannonfile.toml

bc3b698a3b4dc4d25010138122087771ef9e01e0689d87591216615cbb77d120

packages/protocol/oracle-manager/cannonfile.toml

ce3da25db61a853de4d750382744f70a1cc7928f1142fbc0723894ffddd69292

packages/protocol/synthetix/cannonfile.toml

95f01d14a925d7afc8d455c3eb9f83b1a77da77c039ccf00019663f72c5f6428

polynomial-mainnet/cannonfile.toml

1a1dc45842ab1f149221cdcf5dccfdc3f97e2424e6b867faa55e977ccdcf5254

polynomial-mainnet/tomls/collaterals/susdc.toml

a1cc0b70aa4c40dff59e61d9e94b35897eee2955c61970f966f43a2dd4657d66

polynomial-mainnet/tomls/core.toml

0eafa4e951bd9e0e2528860c51abc6380c7a2853e6b492a0d2baf06a13fc02ce

polynomial-mainnet/tomls/markets/common/bigcap-settings.toml

af75cadf590b64ca0a23255d8a3b464e4402d50bf1d41dc3f49bd61aa5cca060

polynomial-mainnet/tomls/markets/common/settlement-settings.toml

5adb9bc16181b7d254dd1c8f4c4096b48b6394051b9c56b29bb60541251066cf

polynomial-mainnet/tomls/markets/perps-factory.toml

7ae9363fed441ac94b796f4ee5917cecdd71fec16fe892bd878318a667cafe0f

polynomial-mainnet/tomls/markets/spot-factory.toml

799770d579066ece2201ea65d50c0ecd41935a42f61547dc996903386a84effc

polynomial-mainnet/tomls/oracles/btc.toml

3908fd17b352f2ff58fe570ca2120130266fa1599b9667f5fb446f3fb62c5d75

polynomial-mainnet/tomls/oracles/eth.toml

543f91b49b86feeab6136c7eb55ed1f5cfd6cabc7777fab1144e1ccc41ab5b24

polynomial-mainnet/tomls/oracles/perps-keeper-cost.toml

734c92c2a9bd82933c15d044e5e94f62cffae4f6d205c0c78bbad79f77ad5a3f

polynomial-mainnet/tomls/oracles/pyth-btc.toml

da11d5255d91dab97c778753e7dc0438788269cc990ec51949746322a17d131a

polynomial-mainnet/tomls/oracles/pyth-eth.toml

8ab81a3f9b3a8fd455eeb24c2579c8f314a62676d95a031f66917cb1f64ff10d

polynomial-mainnet/tomls/permissions.toml

19de2a815457656732a388a3b3fb87ae68b83002261e988f5c6256114be932b5

polynomial-mainnet/tomls/permit-all-perps-perpsSystem.toml

3c9365fe5c732f42f1ba2c15747ffb8c65e6123ab55319208d39d0ccc31eb0d3

polynomial-mainnet/tomls/permit-deniers.toml

c08328e11dac0d0e6ef2f3ddaf1ab0bb997b3b21be24850767cb74568460fcae

polynomial-mainnet/tomls/polynomial-mainnet-andromeda/collaterals/susdc.toml

0287f0fe4a16114aea80f4e14155acec3f8f4f055f917c71aa21054d186f97fe

polynomial-mainnet/tomls/polynomial-mainnet-andromeda/perps/btc-invokes.toml

3bf572c351443ef55555f4c4d459f5e6f5208ed6400916f76b0efb1fb621d413

polynomial-mainnet/tomls/polynomial-mainnet-andromeda/perps/btc.toml

1a3afa727dd073e48a1a566ccdf2e932063d13e2b51b7f97288e7fff2fa62220

polynomial-mainnet/tomls/polynomial-mainnet-andromeda/perps/eth-invokes.toml

83b8ac3761b9991c554b48d3e4aee8ae1dfeb552a5947eeec4e7a3ec32d29759

polynomial-mainnet/tomls/polynomial-mainnet-andromeda/perps/eth.toml

e5796845d129d9a70a26c12ad7164ed99180cac7db1c4b485fa20f6b9b63bf63

polynomial-mainnet/tomls/polynomial-mainnet-andromeda/perps/global.toml

5eed49b7f849c8b787df3973f80d103571a9da659d762d1588737382507c96a8

polynomial-mainnet/tomls/polynomial-mainnet-andromeda/perps/referrers.toml

7ca7c37df26fb5efde89254d15a788926155adfe325261910c7556eea177463a

polynomial-mainnet/tomls/polynomial-mainnet-andromeda/spot/usdc.toml

dfba240a4d8fa9d87fb05a35252a04685b2364f6a3239a2df6f8060f070111ae

polynomial-mainnet/tomls/pools/main-pool.toml

f1964067f13d91e66d341f6140d50cc017dd03512c554a24a4c2b4ed86bf7558

polynomial-mainnet/tomls/settings.toml

d94577d516d06585b77fd4c4b538d3d4e6b8ff40a5686578c8a2b9a0c19c34a4

Note: This document contains an audit solely of the Solidity contracts listed above. Specifically, the audit pertains only to the contracts themselves, and does not pertain to any other programs or scripts, including deployment scripts.

Issue Descriptions and Recommendations

Click on an issue to jump to it, or scroll down to see them all.

Security Level Reference

We quantify issues in three parts:

  1. The high/medium/low/spec-breaking impact of the issue:
    • How bad things can get (for a vulnerability)
    • The significance of an improvement (for a code quality issue)
    • The amount of gas saved (for a gas optimization)
  2. The high/medium/low likelihood of the issue:
    • How likely is the issue to occur (for a vulnerability)
  3. The overall critical/high/medium/low severity of the issue.

This third part – the severity level – is a summary of how much consideration the client should give to fixing the issue. We assign severity according to the table of guidelines below:

Severity Description
(C-x)
Critical

We recommend the client must fix the issue, no matter what, because not fixing would mean significant funds/assets WILL be lost.

(H-x)
High

We recommend the client must address the issue, no matter what, because not fixing would be very bad, or some funds/assets will be lost, or the code’s behavior is against the provided spec.

(M-x)
Medium

We recommend the client to seriously consider fixing the issue, as the implications of not fixing the issue are severe enough to impact the project significantly, albiet not in an existential manner.

(L-x)
Low

The risk is small, unlikely, or may not relevant to the project in a meaningful way.

Whether or not the project wants to develop a fix is up to the goals and needs of the project.

(Q-x)
Code Quality

The issue identified does not pose any obvious risk, but fixing could improve overall code quality, on-chain composability, developer ergonomics, or even certain aspects of protocol design.

(I-x)
Informational

Warnings and things to keep in mind when operating the protocol. No immediate action required.

(G-x)
Gas Optimizations

The presented optimization suggestion would save an amount of gas significant enough, in our opinion, to be worth the development cost of implementing it.

Issue Details

M-1

Incorrect denier addresses set, potentially temporarily blocking the perps market

Topic
Authorization
Status
Impact
High
Likelihood
Low

In deployment of these contracts, setDeniers() is invoked in permit-deniers.toml, which allows the ability for these set addresses to effectively turn off the provided feature, in this case withdraw in the core contracts, and the perpsSystem in the perps market contract. The set deniers can do this via setFeatureFlagDenyAll() which sets flag.denyAll, which any check to ensureAccessToFeature(), for the particular feature, will then be prevented. This allows the set addresses to prevent users from interacting with the perps system, preventing actions like committing and canceling orders.

These deniers are expected to be trusted addresses that can quickly shut off functionality, which may be necessary to mitigate damage in the case of an exploit or other issues. However, in this case the addresses set are the same as those set by synthetix, rather than trusted members of the polynomial protocol. This could lead to these deniers shutting down the perps market maliciously, and also prevents the polynomial team from reacting to potential exploits.

Remediations to Consider

Change the addresses set to addresses trusted and controlled by Polynomial, to ensure this functionality will be used as intended and to benefit the protocol.

M-2

Perps values set differ from documentation

Topic
Spec
Status
Impact
Medium
Likelihood
Medium

In global.toml, values are set that will be used to configure the perps markets. However, some of these values differ from the documentation of intended values, where each of the gradient values were intended to be set to 0:

[setting.perps_low_util_gradient]
defaultValue = "0.000025"

[setting.perps_gradient_breakpoint]
defaultValue = "0.80"

[setting.perps_high_util_gradient]
defaultValue = "0.01"

Reference: global.toml#L34-L41

This can lead to unintended effects on the perps market that may have a detrimental effect for users of the protocol.

Remediations to Consider

Set these global perps values to the intended values mentioned in the spec.

L-1

Wrong package version

Topic
Versioning
Status
Impact
Low
Likelihood
Low

In Cannonfile.toml the perps market package uses version 3.318, but this should be set to 3.3.18 as that is the actual version of this package:

[setting.perps_market_package]
defaultValue = "fx-perps-market:3.318"

Reference: Cannonfile.toml#L47-L48

Remediations to Consider

Change the value to: "fx-perps-market:3.3.18"

L-2

Unnecessary inclusion of Chainlink nodes

Topic
Oracles
Status
Impact
Low
Likelihood
Low

In btc-invokes.toml and eth-invokes.toml the corresponding oracle is included:

include = ["../../oracles/btc.toml", "../../markets/common/bigcap-settings.toml"]

Reference: btc-invokes.toml#L1

However, these files sets up a chainlink oracle node for pricing either BTC or ETH, using a unset aggregator address. Chainlink currently doesn’t support the Polynomial network, so any chainlink type nodes will currently not work.

Remediations to Consider

Remove references to the chainlink oracles, btc.toml and eth.toml.

Q-1

Dependancies are not set for cannon deployment calls

Topic
Protocol Design
Status
Quality Impact
Low

Cannon allows for depends values to be set for each call to invoke. This means that a call wont execute until after all its set dependancies have. Setting proper depends values for each call will ensure that execution occurs in the order expected, which can be important in cases where values are expected to be set within the call execution and prevents interaction with contracts that are yet to be deployed. Cannon automatically will detect these dependancies, but explicitly setting them ensures they are set correctly and as expect.

Remediations to Consider

Add dependancies to the relevant deployment calls to ensure proper execution order.

Disclaimer

Macro makes no warranties, either express, implied, statutory, or otherwise, with respect to the services or deliverables provided in this report, and Macro specifically disclaims all implied warranties of merchantability, fitness for a particular purpose, noninfringement and those arising from a course of dealing, usage or trade with respect thereto, and all such warranties are hereby excluded to the fullest extent permitted by law.

Macro will not be liable for any lost profits, business, contracts, revenue, goodwill, production, anticipated savings, loss of data, or costs of procurement of substitute goods or services or for any claim or demand by any other party. In no event will Macro be liable for consequential, incidental, special, indirect, or exemplary damages arising out of this agreement or any work statement, however caused and (to the fullest extent permitted by law) under any theory of liability (including negligence), even if Macro has been advised of the possibility of such damages.

The scope of this report and review is limited to a review of only the code presented by the Polynomial team and only the source code Macro notes as being within the scope of Macro’s review within this report. This report does not include an audit of the deployment scripts used to deploy the Solidity contracts in the repository corresponding to this audit. Specifically, for the avoidance of doubt, this report does not constitute investment advice, is not intended to be relied upon as investment advice, is not an endorsement of this project or team, and it is not a guarantee as to the absolute security of the project. In this report you may through hypertext or other computer links, gain access to websites operated by persons other than Macro. Such hyperlinks are provided for your reference and convenience only, and are the exclusive responsibility of such websites’ owners. You agree that Macro is not responsible for the content or operation of such websites, and that Macro shall have no liability to your or any other person or entity for the use of third party websites. Macro assumes no responsibility for the use of third party software and shall have no liability whatsoever to any person or entity for the accuracy or completeness of any outcome generated by such software.