Security assessment of multiplier.finance

Uncategorized Leave a comment

In this post, we will talk specifically about the work we performed as part of our security assessment of the Multiplier.Finance environment. The public report provided to the Multiplier team will be published within the FAQ section of their web portal.

Executive Summary: There are no unresolved security findings present in the system following our review. There are zero (0) critical, high, or medium vulnerabilities in our final audit report.

The Multiplier.Finance environment is a multi-tier infrastructure within AWS, operated on Binance Smart Chain (BSC), and uses its own governance tokens (bMXX). Even though, they had completed an initial audit of their smart contracts, the Multiplier team wished to bring additional confidence to their community with a completed review of the entire infrastructure and deployment environment.

When Kudelski approaches an engagement such as one of the scope of this, we propose a multiple-phase review because security is always much larger than just a smart contract review. Security of an “App” or a “DAPP” or a “Site” is about the infrastructure, flows, contracts, wallets, and any other ingress and egress flows and control points that could impact the money flow. Even though the math under a blockchain is very solid at this point, contracts and infrastructure are not inherently secure, so it is the sign of a mature project to ask for a complete assessment of their work.

Initially, we performed a re-review of the Smart Contracts as it is always best practice to have multiple reviews of critical components, and our review of the Smart Contract code was the 2nd such review. We found no critical or high risk issues in the smart contracts, and all of our low/informational findings were related to dependencies or minor concerns with style or flow.

The code that we reviewed resides in a public repository at https://github.com/Multiplier-Finance/MCL-SmartContracts.

The reviews are based on the commit hash:
MCL-SmartContracts: cff17d6e07b51e7468a4aba72ae83b309b98d561

All third-party libraries were deemed out-of-scope for this review and are expected to work as designed. Based on the criticality of the dependency, we looked at the current state of the third-party libraries included when necessary.

Our general process for this review included:

Threat Model & Architecture Review

  • Validate technical design claims and cryptographic coding underlying the behavior and intent of the technical systems written in the smart contracts
  • Deliver focused analysis of scenarios of system abuse through error or malicious actors
  • Deliver analysis of fundamental correctness of transactions

Code Review

  • Perform a code-review of provided code, especially focusing on code written by the internal team, assuming third-party libraries act as expected
  • Validate implementation choices in code, completeness, and assumptions according to the design provisions and deployment

Recommendations

  • Provide recommendations for security and logic related improvements and corrections to the code, infrastructure, and architecture, if found

We maintained a complete and consistent view across the known components and followed a systematic approach as we conducted the threat model workshop and code review. First threat actors of concern were identified and data flows between the system components were requested. Based upon the understanding of each component from documentation and the interviews, remote follow-up meetings were held with team members of Multiplier.Finance for clarification of any technical or functional details, followed by a code review.

In addition to infrastructure, the following scenarios were in scope for the Threat Model & Assessment:

  • KSI-001: Using components with known vulnerabilities
  • KSI-002: Lack of input validation that results in a loss of funds
  • KSI-003: Market manipulation through collusion or market flooding
  • KSI-004: Direct execution of delegate contracts in multi- phase process
  • KSI-005: Replay of valid transaction
  • KSI-006: Weakness to front running attacks
  • KSI-007: The use of inherently weak randomness to generate confidential values
  • KSI-008: Owner tampering and manipulation
  • KSI-009: Misuse of Solidity functions for determining contract ownership

Upon analysis of the infrastructure, contracts, and control points – we determined that the Multiplier team has handled all of these threat scenarios effectively.

As a result of our code review & assessment, we discovered 0 High, 0 Medium, 3 Low, and 15 Informational findings. The Multiplier team resolved all of these findings to our satisfaction.

We want to thank the Multiplier team for choosing Kudelski Security.

About Multiplier Finance

Multiplier.Finance operates a system known as “Multi-Chain Lend.” Multi-Chain (Lend) is an algorithmic money market system designed to bring secure and unique lending and borrowing opportunities like flash loans onto the Binance Smart Chain. The protocol designs are architected and forked based on Aave with revenue sharing components for liquidity providers and token holders that govern the protocol. bMXX, a BEP-20 token, will be the governance token of Multi-Chain (Lend).

Leave a Reply