Halborn Logo
Draft

LPETH - Tenderize


Prepared by:

Halborn Logo

HALBORN

Last Updated 07/26/2024

Date of Engagement by: June 12th, 2024 - June 28th, 2024

Summary

100% of all REPORTED Findings have been addressed

All findings

14

Critical

3

High

2

Medium

1

Low

5

Informational

3


1. Introduction

Tenderize engaged Halborn to conduct a security assessment on LpETH smart contracts beginning on 06/12/2024 and ending on 06/28/2024. The security assessment was scoped to the smart contracts provided to the Halborn team.

2. Assessment Summary

The team at Halborn dedicated 2 weeks for the engagement and assigned one full-time security engineer to evaluate the security of the smart contract.

The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

    • Ensure that smart contract functions operate as intended.

    • Identify potential security issues with the smart contracts.


3. SCOPE

Files and Repository
(a) Repository: lpeth
(b) Assessed Commit ID: bebf3fa
(c) Items in scope:
  • Registry.sol
  • utils/ERC721Receiver.sol
  • utils/SelfPermit.sol
↓ Expand ↓
Out-of-Scope:
Remediation Commit ID:
Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

Security analysisRisk levelRemediation
HAL-06 - LPEth Can Be Drained By Head Of Withdrawal QueueCriticalSolved - 06/28/2024
HAL-08 - Batch Buy Unlocks Can Be Double SpentCriticalSolved - 06/28/2024
HAL-14 - Partially Finalized Amounts Permit Claims In Excess Of DuesCriticalSolved - 06/28/2024
HAL-17 - Denial Of Service Whilst Finalizing WithdrawalsHighSolved - 06/28/2024
HAL-11 - Malicious Liquidity Providers Steal Buy Unlock Excess Through FrontrunningHighSolved - 06/28/2024
HAL-13 - Unlock Redemption Is Vulnerable To Poisoned LiquidityMediumPartially Solved - 06/28/2024
HAL-16 - MinMaxAmount Invariant Can Be CircumventedLowRisk Accepted - 06/28/2024
HAL-04 - Deposit Denial Of Service During Zero LP Supply With Open LiabilitiesLowSolved - 06/28/2024
HAL-01 - Renderer Produces Malformed JSONLowSolved - 06/28/2024
HAL-07 - Unlock Progress Calculations Over Unity Result In Panic RevertLowSolved - 06/28/2024
HAL-15 - Non-Zero Liabilities With Zero Circulating Supply Can Be StolenLowSolved - 06/28/2024
HAL-02 - UUPSUpgradeable Is Not InitializedInformationalSolved - 06/28/2024
HAL-09 - Economic Inefficiency Due To Common Expiration TimeInformationalAcknowledged
HAL-12 - Reduce Code Surface AreaInformationalSolved - 06/28/2024

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

// Download the full report

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed

© Halborn 2024. All rights reserved.