In March 2021, Liquity engaged Coinspect to perform its second third-party source code review of the smart contracts that comprise the Liquity Protocol. The goal of the project was to evaluate the security of the smart contract system. The reviewed Solidity code is well written and very clear. The documentation is extensive, and includes formal mathematical proofs for the correctness of the math behind the protocol. A complete set of tests with almost perfect coverage is included in the repository as well.
Coinspect identified a high risk issue (CI-LQY-01) about a missing requirement in function closeTrove that allows forcing the system to enter Recovery Mode in order to liquidate troves. This finding was promptly fixed by Liquity’s team during the assessment and the resulting code was verified by Coinspect.
The medium risk issue CI-LQY-03 shows how attackers could leverage flash loans to inflate system fees, especially during the first period after deployment when the system is expected to have low total debt, in the context of low participation in the LQTY staking pool.
The medium risk issue CI-LQY-04 calls attention to how after the introduction of batch liquidations, the liquidators incentives are misaligned with the system total collateralization ratio and could affect the health of the system during a ETH price drop.
The low risk issue CI-LQY-02 about missing checks in the liquidateBatch function has been correctly addressed by Liquity’s team.
Off-chain components such as the front-end were out of scope for this assessment, and it is recommended to audit them in the future.
We invite you to download and read the detailed report below.
