Nov 4, 2023 — Nov 11, 2023
DeFi
Oracles
Arbitrum
Dolomite Margin is a composable margin trading and lending protocol, forked from dYdX Solo, running on Arbitrum One L2.
With two of the Cyfrin co-founders coming from Chainlink and a top-in-class security research team, Cyfrin was an easy choice, positioned to dive into the codebase in-depth relatively quickly.
Summary
Corey Caplan, Dolomite (Chainlink BUILD Program)
Overview
In the past, DEX margin trading has limited users to trading ETH and WBTC against stablecoins. Now with Dolomite, it's possible to margin trade popular DeFi assets against stablecoins or even other DeFi assets.
Lead auditors 0Kage, Giovanni di Siena, Hans, and Carlos Amarante performed a 25-day audit of Dolomite Margin, which relies heavily on Chainlink Oracles, finding 15 issues: 5 medium, 6 low, and 4 informational.
It was found that deprecated functions were being used to fetch the latest asset prices.
Here you can read the full Dolomite security report.
High-level tech break-down
The Dolomite codebase consists of three layers:
Core layer: derived from the dYdX Solo margin protocol; it proved robust during the audit.
Implementation layer: contains libraries that call functions from the core layer, categorized by underlying actions such as admin actions, trading, deposit, withdrawal, borrowing, liquidation, etc. The main contract, Dolomite Margin, utilizes the state defined in Storage and the implementation libraries to allow users to define generic operations.
Proxy layer: not proxies in the upgradeability sense we’re used to. Instead, it contains helper contracts for liquidating accounts, opening borrow positions and making deposits.
Dolomite is designed to embody the ethos of DeFi, utilizing an immutable base layer that can only change certain configuration parameters as well as retaining much-needed modularity to adapt to new environments, trends, and paradigms as DeFi continues to evolve.
This modularity allows for a clear upgrade path that preserves the core behavior of Dolomite while being able to introduce new features that don't conflict with previously deployed modules.
Best in class Chainlink knowledge
With 2 of our co-founders coming from Chainlink, Cyfrin was well-positioned to dive into the codebase in-depth relatively quickly. Dolomite Margin relies heavily on Chainlink Oracles, but it was found that deprecated functions were being used to fetch the latest asset prices.
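The report summary above does not name which deprecated call was used, so the following is an added illustration rather than code from the Dolomite codebase or the audit: the weak path assumes Chainlink's deprecated `latestAnswer()`, and the hardened path uses `latestRoundData()`, the replacement Chainlink recommends. The feed address and the `maxAge` threshold are deployment assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface. latestAnswer() is the
// deprecated getter kept here only for contrast with latestRoundData().
interface IAggregator {
    function decimals() external view returns (uint8);
    function latestAnswer() external view returns (int256); // deprecated
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt,
                 uint256 updatedAt, uint80 answeredInRound);
}

contract PriceReader {
    error StalePrice(uint256 updatedAt);
    error InvalidPrice(int256 answer);

    IAggregator public immutable feed;
    uint256 public immutable maxAge; // assumption: feed heartbeat plus a margin

    constructor(IAggregator _feed, uint256 _maxAge) {
        feed = _feed;
        maxAge = _maxAge;
    }

    // Weak pattern: no timestamp or round information is returned, so a
    // frozen feed or a zero answer is silently treated as the current price.
    function priceUnchecked() external view returns (int256) {
        return feed.latestAnswer();
    }

    // Hardened pattern: reject answers that are non-positive, older than
    // maxAge, or (on legacy feeds) carried over from an earlier round.
    function priceChecked() external view returns (uint256 price, uint8 dec) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt);
        }
        // On current OCR feeds answeredInRound equals roundId; the check is
        // harmless there and still guards older aggregator deployments.
        if (answeredInRound < roundId) revert StalePrice(updatedAt);
        return (uint256(answer), feed.decimals());
    }
}
```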
As always, Cyfrin focused on maintaining extensive communication with the Dolomite team throughout the process, to address, clarify and answer higher-level questions and concerns, beyond the documentation itself.
Thanks to the in-depth DeFi and economics experience of our security research team, Cyfrin was able to review all actions driving state changes in Dolomite Margin, including deposit, withdraw, transfer, buy, sell, call, liquidate, and vaporize.
Our Auditing process
Given Dolomite’s vision of becoming a base layer for trading a wide range of tokens, the lack of systemic risk controls to hedge potential insolvency risks, particularly during black-swan liquidity freeze events, was a notable concern. We recommended additional risk controls to better handle contagion events.
Our audit further highlighted a potential insolvency risk stemming from the protocol admin’s unintentional withdrawal of excess tokens.
Additionally, there was a distinct concern regarding the protocol admin’s capacity to withdraw unsupported tokens with double entry points, which could lead to significant imbalances in Dolomite’s balances.
Conclusion
Cyfrin is on a mission to create a safer Web3 industry. Our security review of Dolomite deepened our team’s knowledge of financial modular systems, Arbitrum infrastructure, and Chainlink Oracles. Additionally, our extensive communication with the team proved fruitful in helping uncover vulnerabilities and understand the codebase faster.