
fix: resolve 14 audit findings (L-1, M-5, M-16, L-3/4/6/7/10/11/18/23/30/34/36)#52

Open
hackercf wants to merge 14 commits into master from fix/audit-l1-inverted-assert

Conversation

@hackercf
Contributor

@hackercf hackercf commented Mar 18, 2026

Summary

Resolves 14 audit findings from the 2026-03-10 security audit across 6 contract files.

MEDIUM

  • M-5: Widen post-liquidation health buffer from 0.5% to 2.0% for multi-collateral positions
  • M-16: Add upper bounds on IR slope and base parameters to prevent overflow bricking

LOW

  • L-1: Replace inverted assert with explicit conditional in socialize-bad-debt
  • L-3: Use safe-sub for denominator in calculate-repayment-info
  • L-4/L-18: Absorb rounding dust in three-way interest split (borrower + liquidator)
  • L-6: Eliminate double division precision loss in get-rt-by-block
  • L-7: Cap taylor-6 input at 2x to prevent series divergence
  • L-10: Use safe-sub for slash subtraction in staking
  • L-11: Replace unwrap-panic with proper error handling in withdrawal-caps
  • L-23: Safe subtraction in withdrawal cap decay calculation
  • L-30: Add authorization check on claim-rewards (prevent third-party claims)
  • L-34: Fix compounding rounding bias in taylor series multiplication
  • L-36: Require 6-block time-lock between borrowing and liquidation

Files changed

  • contracts/liquidator-v1.clar — M-5, L-1, L-3, L-18, L-36
  • contracts/modules/linear-kinked-ir-v1.clar — M-16, L-6, L-7, L-34
  • contracts/modules/withdrawal-caps-v1.clar — L-11, L-23
  • contracts/borrower-v1.clar — L-4
  • contracts/staking-v1.clar — L-10
  • contracts/lp-incentives-v2.clar — L-30

Test plan

  • clarinet check passes (36 contracts)
  • npm test passes (211 tests, 15 suites)
  • L-1 reviewed by 3 independent agents (code-reviewer, silent-failure-hunter, CodeRabbit)

…ad-debt (L-1)

The old `asserts!` pattern abused the error branch to execute the
slash-total-staked-lp-tokens call. Replace with an explicit `if`/`try!`
conditional for clarity and proper error propagation.
@hackercf hackercf changed the title fix: replace inverted assert in socialize-bad-debt (L-1) fix: resolve 14 audit findings (L-1, M-5, M-16, L-3/4/6/7/10/11/18/23/30/34/36) Mar 18, 2026
hackercf added 13 commits March 25, 2026 17:00
Prevents potential underflow when the liquidation discount times
collateral LTV exceeds the scaling factor.

Compute staked-part as the remainder (interest - lp - protocol) instead
of a third independent division, so rounding dust doesn't leak.

The old formula divided by one-12 twice, losing precision. Simplified to
a single division by seconds-in-year since rate is already 12-fixed.

The 6th-degree Taylor expansion of e^x diverges for large inputs.
Cap rt at MAX-TAYLOR-INPUT (2x in 12-fixed) and return an explicit
error instead of silently producing wrong results.

Prevents potential underflow when slashing staked LP tokens if
rounding causes active-staked-lp-tokens-to-slash to exceed the total.

…ps (L-11)

get-time-now now returns (response uint uint) with ERR-BLOCK-INFO
instead of panicking. All callers updated to propagate via try!.

Compute staked-part as remainder (interest - lp - protocol) in both
execute-liquidation and socialize-bad-debt paths, matching the L-4
fix in borrower-v1.

Guard against underflow when time-now <= last-updated-at by returning
elapsed=0 instead of subtracting.

Prevent third-party callers from claiming rewards on behalf of another
user. Only the user themselves can claim (or caller == user when
on-behalf-of is none).

The half-up rounding in mul() compounds through 6 taylor terms,
systematically inflating the result. Switch to truncation to match
standard fixed-point convention.

Prevent same-block borrow-then-liquidate attacks by enforcing a minimum
6-block gap (~1 minute) between a user's borrow and any liquidation
attempt on their position.

The 0.5% buffer was too tight for multi-collateral positions where
rounding across multiple collateral types could push the post-liquidation
health ratio above the threshold, causing the assert to revert.

Cap ir-slope-1, ir-slope-2, and base-ir at MAX-IR-PARAM to prevent
governance from setting values that would cause arithmetic overflow
in the interest rate calculation, bricking accrual.
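The L-7 input cap and the L-34 rounding change above, as an added Python model of the 12-fixed Taylor arithmetic the commits describe; this is not the project's Clarity code, and ONE, MAX_TAYLOR_INPUT, the two mul() variants and the error raised are assumptions that mirror the commit messages.

```python
import math

ONE = 10**12                 # 12-fixed scaling factor (assumed from "12-fixed")
MAX_TAYLOR_INPUT = 2 * ONE   # L-7 cap: 2x in 12-fixed


def mul_half_up(a: int, b: int) -> int:
    """Old mul(): half-up rounding, the behaviour L-34 removes."""
    return (a * b + ONE // 2) // ONE


def mul_trunc(a: int, b: int) -> int:
    """New mul(): truncation, the standard fixed-point convention."""
    return (a * b) // ONE


def taylor_6_uncapped(x: int, mul=mul_trunc) -> int:
    """e^x ~ sum_{n=0}^{6} x^n/n!, computed in 12-fixed with the given mul()."""
    term, total = ONE, ONE
    for n in range(1, 7):
        term = mul(term, x) // n   # x^n/n! built from the previous term
        total += term              # any rounding in term carries into total
    return total


def taylor_6(x: int, mul=mul_trunc) -> int:
    """L-7: refuse inputs above the cap instead of returning a wrong value."""
    if x > MAX_TAYLOR_INPUT:
        raise ValueError("input above MAX-TAYLOR-INPUT")  # constructed error
    return taylor_6_uncapped(x, mul)


def rounding_bias(x: int) -> int:
    """12-fixed units by which the half-up variant exceeds the truncating one."""
    return taylor_6_uncapped(x, mul_half_up) - taylor_6_uncapped(x, mul_trunc)


def relative_error(x: int) -> float:
    """|taylor_6(x) - e^x| / e^x, showing why the series must be capped."""
    exact = math.exp(x / ONE)
    return abs(taylor_6_uncapped(x) / ONE - exact) / exact
```

Because the half-up mul() never returns less than the truncating one and each term feeds the next, the half-up total is never below the truncating total; the constructed input 1224744871394 (chosen so x*x/ONE lands just above a .5 fraction) shows the bias surviving into the result.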
@hackercf hackercf force-pushed the fix/audit-l1-inverted-assert branch from b76b776 to 4f9d422 Compare March 25, 2026 11:49