Synthetix PR-435 Smart Contract Audit | iosiro

Synthetix PR-435 Smart Contract Audit

This is a limited report on our findings based on our analysis, in accordance with good industry practice as at the date of this report, in relation to: (i) cybersecurity vulnerabilities and issues in the smart contract source code analysed, the details of which are set out in this report, (Source Code); and (ii) the Source Code compiling, deploying and performing the intended functions. In order to get a full view of our findings and the scope of our analysis, it is crucial for you to read the full report. While we have done our best in conducting our analysis and producing this report, it is important to note that you should not rely on this report and cannot claim against us on the basis of what it says or doesn’t say, or how we produced it, and it is important for you to conduct your own independent investigations before making any decisions. We go into more detail on this in the below disclaimer below – please make sure to read it in full.

DISCLAIMER: By reading this report or any part of it, you agree to the terms of this disclaimer. If you do not agree to the terms, then please immediately cease reading this report, and delete and destroy any and all copies of this report downloaded and/or printed by you. This report is provided for information purposes only and on a non-reliance basis, and does not constitute investment advice. No one shall have any right to rely on the report or its contents, and Zenoic Proprietary Limited trading as “Iosiro” and its affiliates (including holding companies, shareholders, subsidiaries, employees, directors, officers and other representatives) (Iosiro) owe no duty of care towards you or any other person, nor does Iosiro make any warranty or representation to any person on the accuracy or completeness of the report. The report is provided "as is", without any conditions, warranties or other terms of any kind except as set out in this disclaimer, and Iosiro hereby excludes all representations, warranties, conditions and other terms (including, without limitation, the warranties implied by law of satisfactory quality, fitness for purpose and the use of reasonable care and skill) which, but for this clause, might have effect in relation to the report. Except and only to the extent that it is prohibited by law, Iosiro hereby excludes all liability and responsibility, and neither you nor any other person shall have any claim against Iosiro, for any amount or kind of loss or damage that may result to you or any other person (including without limitation, any direct, indirect, special, punitive, consequential or pure economic loss or damages, or any loss of income, profits, goodwill, data, contracts, use of money, or business interruption, and whether in delict, tort (including without limitation negligence), contract, breach of statutory duty, misrepresentation (whether innocent or negligent) or otherwise under any claim of any nature whatsoever in any jurisdiction) in any way arising from or connected with this report and the use, inability to use or the results of use of this report, and any reliance on this report.

This post provides a summary of a security audit performed on 28 February 2020 by iosiro on changes made to the [Synthetix](https://www.synthetix.io) smart contracts that introduced a minimum staking period. The goal of the audit was to ensure that the smart contracts functioned as intended and to identify potential security flaws.

### Scope
The scope of the assessment was limited to changes to the smart contracts introduced in the following PRs:

* [PR-435](https://github.com/Synthetixio/synthetix/pull/435/files/b12795825c16ab5c7ed3b9c465aa08c70693282e)
* [PR-438](https://github.com/Synthetixio/synthetix/pull/438/files/5943c76bfa33afe30c5fc2c96cde78c65667216d)

### Description
The purpose of PR-435 was to introduce a minimum staking period. It added a requirement to the system that an account must wait at least `minimumStakeTime` seconds (with a default value of 8 hours) from the last time it issued sUSD before it would be allowed to burn sUSD. Any new issuance of sUSD in the waiting period would restart the waiting period for the account.

The `burnSynthsToTarget(address from)` function was introduced to burn the requisite amount of sUSD to adjust an account's c-ratio to the target ratio required for claiming fees. Importantly, this function was not subject to the minimum staking time and did not force the account to settle fees generated through [SIP-37](https://sips.synthetix.io/sips/sip-37). This meant that users could still balance their c-ratio even if they had recently issued sUSD.

### Findings
No substantial issues were found during the audit. No potential security issues were identified and the code in scope operated as intended. The code was of a high standard and used a simple, concise implementation of the desired functionality.

Secure your system.

Request a service