Prepared by:
HALBORN
Last Updated 09/20/2024
Date of Engagement: August 19th, 2024 - September 20th, 2024
Summary
100% of all REPORTED Findings have been addressed
All findings
9
Critical
1
High
2
Medium
2
Low
2
Informational
2
Table of Contents
1. Introduction
The Jigsaw Finance team engaged Halborn to conduct a security assessment on their stablecoin project, beginning on August 19, 2024, and ending on September 20, 2024. The security assessment was scoped to cover the entire jigsaw-protocol-v1 GitHub repository, located at https://github.com/jigsaw-finance/jigsaw-protocol-v1, commit 96fb13e5b6db3f6d186743cf61d34c852ff13d70.
2. Assessment Summary
The team at Halborn was provided five weeks for the engagement and assigned one full-time security engineer to assess the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.
The purpose of this assessment is to achieve the following:
Ensure that the system operates as intended.
Identify potential security issues.
Identify lack of best practices within the codebase.
Identify systematic risks that may pose a threat in future releases.
In summary, Halborn identified some security issues that were successfully addressed by the Jigsaw Finance team.
3. SCOPE
- src/HoldingManager.sol
- src/Holding.sol
- src/interfaces/core/IHoldingManager.sol
- https://github.com/jigsaw-finance/jigsaw-protocol-v1/pull/16/commits/868c1ebae63b11e06ce4d45546df2a88d7d22a47
- 34d09fc
- https://github.com/jigsaw-finance/jigsaw-protocol-v1/pull/17/commits/7f39f8289a5a06795f9d9b78dd5cfde299216210
- https://github.com/jigsaw-finance/jigsaw-protocol-v1/pull/16/commits/f5aa3240e728d3666b27d72bdba728579b94c74e
- https://github.com/jigsaw-finance/jigsaw-protocol-v1/pull/12/commits/91aaeda9e32f4fcf822b95318a90f9519209b0f6
- https://github.com/jigsaw-finance/jigsaw-protocol-v1/pull/14/commits/9d83072ce50826279b09c321d24ec4f1fd4c4197
- https://github.com/jigsaw-finance/jigsaw-protocol-v1/pull/12/commits/d9e73b22276ad6fa5f7ed6835698b85e07697bfb
- https://github.com/jigsaw-finance/jigsaw-protocol-v1/pull/14/commits/3be3aa040fc66bfd9a7b442045f2aca7fbebdb2e
- https://github.com/jigsaw-finance/jigsaw-protocol-v1/pull/12/commits/211b28eebaa0c38bd2f1668d9b988da0cbc8177f
4. Findings Overview
| Security analysis | Risk level | Remediation |
|---|---|---|
| Loss of liquidation bonus due to rounding | Critical | Solved - 09/16/2024 |
| Loss of protocol fee in HoldingManager::_withdraw() | High | Solved - 09/03/2024 |
| Loss of protocol fee in LiquidationManager | High | Solved - 09/16/2024 |
| Collateral miscalculations in _getCollateralForJUsd | Medium | Solved - 09/16/2024 |
| Flawed Uniswap deadline | Medium | Solved - 09/03/2024 |
| Rounding issue in StrategyBase::_burn | Low | Solved - 09/11/2024 |
| Re-org attack against ReceiptTokenFactory | Low | Solved - 09/03/2024 |
| Holding::genericCall() should allow sending funds | Informational | Solved - 09/11/2024 |
| Duplicated code in HoldingManager::_withdraw() | Informational | Solved - 09/03/2024 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Table of Contents
// Download the full report
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed