SMART CONTRACT SECURITY AUDIT FOR FORTIFI
At Blaize, we take the security of blockchain projects seriously, and our recent collaboration with FortiFi stands as a testament to our commitment. In this case study, we will delve into the comprehensive security audit we conducted for the FortiFi protocol, highlighting our rigorous process and the outcomes achieved.
FortiFi is a vault platform offering single-sided staking for assets such as BTC.b, USDC, and more. The project uses unique “sub-strategies” to diversify yields automatically and optimize profit. Users stake in one click, their assets flow into these sub-strategies, and performance fees are applied only to the profits earned by the vault.
ABOUT THE PROJECT
FortiFi entrusted Blaize Security with the crucial task of auditing the security of their smart contracts. Our objective was clear: to identify and describe any potential security vulnerabilities within the FortiFi smart contracts. This report serves as a detailed account of our findings during the security audit.
The Blaize Security team received a set of smart contracts from the FortiFi team. These contracts constitute the FortiFi Vaults Ecosystem, which is designed to deposit users’ funds into a variety of underlying strategies. This system provides several layers of asset isolation within the FortiFi protocol.
Our coverage extended beyond Hardhat framework tests and scripts to ensure the utmost thoroughness, incorporating manual and exploratory rounds.
During our audit, we scrutinized the smart contracts for various vulnerabilities in several stages:
1) Standard vulnerabilities checklists, including but not limited to:
- Gas limit and loops
- Transaction-ordering dependence
- Unchecked external calls
- Denial-of-Service (DoS) attacks
- Malicious libraries and injections
- Storage issues (uninitialized, unused, etc.) and incorrect local variable usage
- Upgradeability issues
and other potential Solidity vulnerabilities and attack vectors;
2) Business logic decomposition to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;
3) Review of dependencies, integrations and 3rd parties, verified with appropriate integration tests;
4) Our own internal security checklists, additionally verified during the testing stage. The team focused first on verifying the correctness of the oracle integration and the price-feed mechanics of the vault system, checking for front-running and price-manipulation possibilities. A lot of effort also went into checking that the FortiFi strategies interact correctly with 3rd-party protocols.
The Blaize team has recently carried out an audit for the StarkDeFi protocol; discover more about it.
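To illustrate the kind of price-feed check named in item 4, here is a hypothetical Solidity pair showing a vault helper that trusts an oracle answer blindly next to a hardened version that rejects stale, incomplete, or non-positive answers. This is an added example written for this page; it is not FortiFi's code and not taken from the audit report. The `AggregatorV3Interface` signature is the real Chainlink one; the two vault contracts, the `MockFeed`, and the `maxStaleness` parameter are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Chainlink-style aggregator interface (real interface name and signature).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical "before": trusts the feed without validating the round.
contract NaivePricedVault {
    AggregatorV3Interface public immutable feed;

    constructor(AggregatorV3Interface _feed) {
        feed = _feed;
    }

    function assetPrice() public view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        // Silently casts a zero or negative answer and accepts a stale or incomplete round,
        // so a halted feed keeps pricing shares at its last (possibly manipulated) value.
        return uint256(answer);
    }
}

/// Hypothetical hardened version: every round is validated before it is used.
contract CheckedPricedVault {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxStaleness; // seconds; constructed value, tune to the feed's heartbeat

    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt);

    constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    function assetPrice() public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        // Reject zero/negative prices instead of casting them to a huge unsigned value.
        if (answer <= 0) revert InvalidPrice(answer);
        // Reject rounds whose answer was carried over from an earlier, incomplete round.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // Reject feeds that have not updated within the configured heartbeat window.
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt);
        }
        return uint256(answer);
    }
}

/// Constructed mock feed so both contracts can be exercised on a local Hardhat network.
contract MockFeed is AggregatorV3Interface {
    int256 private _answer;
    uint256 private _updatedAt;
    uint80 private _roundId;
    uint80 private _answeredInRound;

    function set(int256 answer_, uint256 updatedAt_, uint80 roundId_, uint80 answeredInRound_) external {
        _answer = answer_;
        _updatedAt = updatedAt_;
        _roundId = roundId_;
        _answeredInRound = answeredInRound_;
    }

    function decimals() external pure returns (uint8) {
        return 8;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (_roundId, _answer, _updatedAt, _updatedAt, _answeredInRound);
    }
}
```

A local test of the hardened contract would set the mock to a positive answer with `updatedAt` at the current block time and expect `assetPrice()` to return it, then set `updatedAt` further back than `maxStaleness`, set `answeredInRound` below `roundId`, or set a negative answer and expect the matching custom error; the naive contract returns a value in all four cases, which is exactly the gap an auditor checking price-feed mechanics looks for.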
SMART CONTRACT SECURITY AUDIT PROCEDURE
Our audit process encompassed manual and testing stages:
- MANUAL AUDIT STAGE
- Manual line-by-line code review by 2 security auditors with cross-checks and validation from the security lead;
- Vulnerabilities analysis against several checklists, including internal Blaize.Security checklist;
- Business logic inspection;
- Protocol decomposition and component analysis, building interaction schemes and sequence diagrams;
- Storage usage review and gas optimization review;
- Math operations and calculations analysis;
- Access control and roles structure review;
- Review of dependencies, 3rd parties, and integrations;
- Review with automated tools and static analysis;
- Code quality, documentation, and consistency review.
- TESTING STAGE
- Development of edge cases based on manual stage results;
- False positives validation;
- Integration tests for checking connections with 3rd parties;
- Manual exploratory tests over the locally deployed protocol;
- Checking the existing set of tests and performing additional unit testing.
Upon completing the audit, we delivered a comprehensive smart contract security analysis report to the FortiFi team. This report included:
- Identified risks
- Potential mitigations
- Detailed vulnerability assessments
- Recommendations for improvements
DISCOVER MORE ABOUT SMART CONTRACTS SECURITY ON BLAIZE WEBSITE.
This audit aimed to confirm the correct functionality of these contracts and ensure they adhered to a known security level. Our auditors meticulously scrutinized each line of code, cross-referencing it against a checklist of potential vulnerabilities.
They verified the business logic of the contracts, ensuring adherence to best practices, particularly in relation to gas expenditure. Any identified issues were swiftly communicated to the FortiFi team for resolution or verification. The setup and deployment scripts of the contracts were also subjected to rigorous auditing.
During the testing phase of our audit process, we reviewed the native tests prepared by the FortiFi team and developed a set of custom test scenarios. The development team provided only a handful of tests for the MASS Vaults. As a result, Blaize Security supplemented this with our own unit tests and additional scenarios to thoroughly cover the complex functionality of the FortiFi Vaults Ecosystem contracts. The comprehensive set of unit tests can be found in the Code Coverage and Test Result sections.
The issues regarding the MASS Vault complexity and strategy utilization were raised with the FortiFi team. The FortiFi Vaults represent a complex smart contract system with multiple varying factors. Strategy management was discussed with the FortiFi team, and several suggestions for optimizing the MASS Vault were communicated.
In conclusion, the overall security of the FortiFi vaults system ranks high, with well-written and thoroughly tested contracts. While the contracts’ settings appear correct, we recommend a double-check of specific functions before deployment. Our assessment rates the overall security at 9.6 out of 10.
At Blaize, we take pride in providing comprehensive security audits to safeguard blockchain projects and ensure the integrity of smart contracts. The successful completion of the FortiFi audit stands as a testament to our commitment to excellence in blockchain security.
Take a closer look at the FortiFi security report on the Blaize.Security GitHub.