Synthetix USDC18 Smart Contract Audit
USDC18 Smart Contract Audit
Synthetix, 27 November 2024

Introduction

iosiro was commissioned by Synthetix to perform a smart contract audit of their USDC18 ERC-20 token contract. One auditor conducted the audit on 26 November 2024, using 1 audit day.

Overview

The USDC18 contract is an ERC-20 wrapper used to upscale USDC to 18 decimals. This contract was written to allow USDC to be used as margin in Synthetix v2x on Optimism and Ethereum mainnet.

The audit found one low-risk and two informational issues. The low-risk issue relates to precision loss and could cause the contract's USDC balance to diverge from its USDC18 supply over time. Such a divergence, however, is expected to be negligible, and thus the issue was closed.

The two informational issues related to secure coding practices and were resolved during the audit.

Status    Critical  High  Medium  Low  Informational
Open      0         0     0       0    0
Resolved  0         0     0       0    2
Closed    0         0     0       1    0

Scope

The assessment focused on the source file listed below, with all other files considered out of scope. Any out-of-scope code interacting with the assessed code was presumed to operate correctly without introducing functional or security vulnerabilities.

  • Project name: usdc_18
  • Initial audit commit: e70fb77
  • Final review commit: aae7d9a
  • Files: USDC.sol

Disclaimer

This report aims to provide an overview of the assessed smart contracts' risk exposure and a guide to improving their security posture by addressing identified issues. The audit, limited to specific source code at the time of review, sought to:

  • Identify potential security flaws.
  • Verify that the smart contracts' functionality aligns with their documentation.

Off-chain components, such as backend web application code, keeper functionality, and deployment scripts, were explicitly not in scope for this audit.

Given the unregulated nature and ease of cryptocurrency transfers, operations involving these assets face a high risk from cyber attacks. Maintaining the highest security level is crucial, necessitating a proactive and adaptive approach that accounts for the experimental and rapidly evolving nature of blockchain technology. To encourage secure code development, developers should:

  • Integrate security throughout the development lifecycle.
  • Employ defensive programming to mitigate the risks posed by unexpected events.
  • Adhere to current best practices wherever possible.

Methodology

The audit was conducted using the techniques described below.

Code review
The source code was manually inspected to identify potential security flaws. Code review is a useful approach for detecting security flaws, discrepancies between the specification and implementation, design improvements, and high-risk areas of the system.
Dynamic analysis
The contracts were compiled, deployed, and tested in a test environment, both manually and through the test suite provided. Dynamic analysis was used to identify additional edge cases, confirm that the code was functional, and to validate the reported issues.
Automated analysis
Automated tooling was used to detect the presence of various types of security vulnerabilities. Static analysis results were reviewed manually and any false positives were removed. Any true positive results are included in this report.

Audit findings

The table below provides an overview of the audit's findings. Detailed write-ups are provided below.

ID              Issue                                Risk           Status
IO-SNX-U18-001  Precision loss in withdraw function  Low            Closed
IO-SNX-U18-002  Missing address validation           Informational  Resolved
IO-SNX-U18-003  Unnecessary use of nonReentrant      Informational  Resolved

Each issue identified during the audit has been assigned a risk rating. The rating is determined based on the criteria outlined below.

Critical risk
The issue could result in the theft of funds from the contract or its users.
High risk
The issue could result in the loss of funds for the contract owner or its users.
Medium risk
The issue resulted in the code being dysfunctional or the specification being implemented incorrectly.
Low risk
A design or best practice issue that could affect the ordinary functioning of the contract.
Informational
An improvement related to best practice or a suboptimal design pattern.

In addition to a risk rating, each issue is assigned a status:

Open
The issue remained present in the code as of the final commit reviewed and may still pose a risk.
Resolved
The issue was identified during the audit and has since been satisfactorily addressed, removing the risk it posed.
Closed
The issue was identified during the audit and acknowledged by the developers as an acceptable risk without actioning any change.

IO-SNX-U18-001 Precision loss in withdraw function

When calling the withdraw() function, there's a potential precision loss of any value less than 6 decimals. This error can accumulate over time and could result in a discrepancy between the total supply of USDC18 and the USDC stored in the contract (i.e. USDC18.totalSupply() ≠ USDC18.getUSDCBalance()).

Recommendation

This issue may be mitigated by changing the amount burned on withdraw from a user-supplied value to either an amount that is modded by the DECIMAL_CONVERTER or the downscaled value rescaled back up to an 18 decimal value.

However, this might not be necessary as the amount should be fairly negligible.
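
The drift described in this finding, and the effect of the recommended change, can be reproduced with plain integer arithmetic. The model below is an added illustration, not the audited contract's code: the class, its methods and the scenario are hypothetical, and it assumes DECIMAL_CONVERTER is 10**12 (18 minus 6 decimals), a value the report does not state.

```python
# Added illustration: integer model of an 18-decimal wrapper around 6-decimal USDC.
# Assumption: DECIMAL_CONVERTER = 10**12; the report names the constant only.
# WrapperModel and run_scenario are hypothetical names, not the contract's API.
DECIMAL_CONVERTER = 10**12


class WrapperModel:
    def __init__(self, burn_rounded: bool):
        self.burn_rounded = burn_rounded
        self.usdc_balance = 0   # 6-decimal USDC held by the wrapper
        self.total_supply = 0   # 18-decimal USDC18 in circulation
        self.balances = {}      # holder -> USDC18 balance

    def deposit(self, holder: str, usdc_amount: int) -> None:
        minted = usdc_amount * DECIMAL_CONVERTER  # upscaling is exact
        self.usdc_balance += usdc_amount
        self.total_supply += minted
        self.balances[holder] = self.balances.get(holder, 0) + minted

    def withdraw(self, holder: str, amount18: int) -> int:
        usdc_out = amount18 // DECIMAL_CONVERTER  # downscaling truncates
        # Recommended change: burn only what is paid out. Rescaling the
        # downscaled value equals amount18 - amount18 % DECIMAL_CONVERTER.
        burned = usdc_out * DECIMAL_CONVERTER if self.burn_rounded else amount18
        if burned > self.balances.get(holder, 0):
            raise ValueError("insufficient USDC18 balance")
        self.balances[holder] -= burned
        self.total_supply -= burned
        self.usdc_balance -= usdc_out
        return usdc_out

    def drift(self) -> int:
        """USDC held (scaled to 18 decimals) minus the USDC18 supply it backs."""
        return self.usdc_balance * DECIMAL_CONVERTER - self.total_supply


def run_scenario(burn_rounded: bool, withdrawals: int = 1000) -> int:
    """Deposit 5,000 USDC, then repeatedly withdraw 1.5 USDC base units' worth."""
    w = WrapperModel(burn_rounded)
    w.deposit("alice", 5_000 * 10**6)
    odd_amount = DECIMAL_CONVERTER + DECIMAL_CONVERTER // 2  # half a unit is dust
    for _ in range(withdrawals):
        w.withdraw("alice", odd_amount)
    return w.drift()
```

In this constructed scenario, 1,000 withdrawals leave the equivalent of 500 USDC base units (0.0005 USDC) unbacked by supply, and burning the rounded amount leaves none.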

Client response

The discrepancy between the contract's USDC balance and total supply of USDC18 is expected to be negligible.

IO-SNX-U18-002 Missing address validation

The constructor could validate that USDC.decimals() is non-zero to ensure that a legitimate ERC-20 token address is passed in. This would prevent the contract from being bricked on creation.

Client response

Fixed in aae7d9a.

IO-SNX-U18-003 Unnecessary use of nonReentrant

The nonReentrant modifier is not necessary for the deposit() and withdraw() functions as there is no way to reenter through these functions.

Client response

Fixed in aae7d9a.

Test coverage report

The coverage report of the provided tests as of the final day of the audit is given below.

File            % Lines         % Statements    % Branches     % Funcs
src/USDC18.sol  94.44% (17/18)  90.91% (20/22)  60.00% (6/10)  80.00% (4/5)
