
Dolomite

Tags: Chainlink, DeFi

Audit dates: Jun 12, 2023 - Jul 14, 2023

Company Background

Dolomite Margin is a composable margin trading and lending protocol, forked from dYdX Solo, running on Arbitrum One L2.

In the past, DEX margin trading has limited you to trading ETH and WBTC against stablecoins. Now with Dolomite you can margin trade many of your favorite DeFi assets against stablecoins or even other DeFi assets.

Audit Summary

Stats

  • TVL: $7.8M
  • nSLOC: 2471
  • Duration: 25 days
  • Lead Security Researchers: 4
  • Bugs found: 15

Findings

  • Critical: 0
  • High: 0
  • Medium: 5
  • Low: 6
  • Informational: 4

Audit Overview

With two of the Cyfrin co-founders coming from Chainlink and a top-in-class security research team, Cyfrin was an easy choice, well positioned to dive into the codebase in depth relatively quickly.

Lead auditors 0Kage, Giovanni di Siena, Hans, and Carlos Amarante performed a 25-day audit of Dolomite Margin, which relies heavily on Chainlink oracles, finding 15 issues: 5 medium, 6 low, and 4 informational. Among the findings, deprecated functions were being used to fetch the latest asset prices.

Here you can read the full Dolomite security report.

Audit Details

High-level tech break-down

The Dolomite codebase consists of three layers:

  • Core layer: derived from the dYdX Solo margin protocol; it proved robust during the audit.
  • Implementation layer: contains libraries that call functions from the core layer, categorized by underlying action such as admin actions, trading, deposit, withdrawal, borrowing, liquidation, etc. The main contract, Dolomite Margin, uses the state defined in Storage together with the implementation libraries to let users compose generic operations.
  • Proxy layer: not proxies in the usual upgradeable-contract sense. Instead, it contains helper contracts (called proxies) for liquidating accounts, opening borrow positions, and making deposits.

Dolomite is designed to embody the ethos of DeFi: an immutable base layer in which only certain configuration parameters can change, combined with the modularity needed to adapt to new environments, trends, and paradigms as DeFi continues to evolve.

This modularity allows for a clear upgrade path that preserves the core behavior of Dolomite while being able to introduce new features that don't conflict with previously deployed modules.

Notes by our auditors

Best in class Chainlink knowledge

With two of our co-founders coming from Chainlink, Cyfrin was well positioned to dive into the codebase in depth relatively quickly. Dolomite Margin relies heavily on Chainlink oracles, but it was found that deprecated functions were being used to fetch the latest asset prices.
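As an added illustration of this class of issue (example code written for this page, not code from the Dolomite codebase or the audit report): the deprecated AggregatorInterface getter latestAnswer() returns a bare price with no round metadata, so a consumer cannot tell whether the value is fresh, whereas AggregatorV3Interface.latestRoundData() also returns updatedAt, which lets the consumer enforce a per-feed maximum age. The page does not say which deprecated functions Dolomite used; latestAnswer() is taken here as a representative one, and the contract names and the maxAge parameter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copies of the two Chainlink aggregator interfaces (signatures match upstream).
interface AggregatorInterface {
    // Deprecated: returns only the price, with no timestamp or round information.
    function latestAnswer() external view returns (int256);
}

interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Weak pattern (hypothetical contract): deprecated getter, no freshness or sign checks.
// A feed that stopped updating, or a negative/zero answer, is silently accepted.
contract WeakPriceConsumer {
    function getPrice(AggregatorInterface feed) external view returns (uint256) {
        return uint256(feed.latestAnswer());
    }
}

// Hardened pattern (hypothetical contract): latestRoundData() plus explicit validation.
// maxAge is an assumed per-feed bound, normally set from the feed's documented heartbeat.
contract HardenedPriceConsumer {
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    function getPrice(AggregatorV3Interface feed, uint256 maxAge) external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // Reject non-positive answers before the unchecked int256 -> uint256 cast.
        if (answer <= 0) revert InvalidPrice(answer);
        // Reject rounds that never completed (updatedAt == 0) or that are older than maxAge.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);
        return uint256(answer);
    }
}
```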

As always, Cyfrin focused on maintaining extensive communication with the Dolomite team throughout the process, to address, clarify and answer higher-level questions and concerns, beyond the documentation itself.

Thanks to the in-depth DeFi and economics experience of our security research team, Cyfrin was able to review all actions driving state changes in Dolomite Margin, including deposit, withdraw, transfer, buy, sell, call, liquidate, and vaporize.

Our Auditing process

Given Dolomite’s vision of becoming a base layer for trading a wide range of tokens, the lack of systemic risk controls to hedge potential insolvency risks, particularly during black-swan liquidity freeze events, was a key concern. We recommended additional risk controls to better handle contagion events.

Our audit further highlighted a potential insolvency risk stemming from the protocol admin’s unintentional withdrawal of excess tokens.

Additionally, there was a distinct concern regarding the protocol admin’s ability to withdraw unsupported tokens with double entry points (tokens reachable through more than one contract address), which could lead to significant imbalances in Dolomite’s balances.

Conclusion

Cyfrin is on a mission to create a safer Web3 industry.

Our security review of Dolomite deepened our team’s knowledge of financial modular systems, Arbitrum infrastructure, and Chainlink Oracles.

Additionally, our extensive communication with the team proved fruitful in helping uncover vulnerabilities and understand the codebase faster.

-- Note: Cyfrin did not audit the Dolomite contracts hacked in March 2024. That attack happened to Dolomite contracts deployed in 2019 on Ethereum Mainnet, whereas Cyfrin audited the Dolomite Margin contracts in 2023 deployed on Arbitrum One.

Disclaimer

Cyfrin has performed a thorough security review of the codebase in scope as of the date specified, which should not be construed as an endorsement of the protocol. Despite our comprehensive review, vulnerabilities may still exist, and we encourage users to conduct their own research before engaging.
