Originally published at: https://blog.openzeppelin.com/instadapp-audit-summary/
InstaDApp is an autonomous banking portal that runs on top of emerging blockchain-based financial protocols such as MakerDAO, Uniswap, or Compound. Its mission is to simplify everyday banking needs, such as taking loans, lending money, swapping tokens, and taking leveraged positions.
InstaDApp provides an interface on top of other DeFi protocols. Its target userbase is users who lack advanced technical or financial experience. It helps users manage CDPs, including providing the ability to wipe or add collateral to 3rd-party CDPs, keep track of CDP activity via email or Telegram, and save gas by bundling transactions. For example, a user with a CDP can withdraw Dai, buy ETH, and lock that ETH, all with a single transaction.
System Overview
The core of InstaDApp consists of two top-level contracts: UserWallet
and InstaRegistry
. The InstaRegistry
contract is used to deploy new UserWallet
instances, track the ownership of UserWallet
instances that it deploys, and approve/disapprove logic proxy contracts that can be used by the UserWallet
instances that it has deployed. It is not intended to hold any valuable assets.
The UserWallet
contracts are the only contracts intended to hold any valuable assets. They are built using a proxy pattern that allows their functionality to be extended using proxy logic contracts that have been approved by the InstaRegistry contract. Proxy logic contracts can be approved by the InstaRegistry
contract in one of two ways: “standard”, or “static”.
When the InstaRegistry
contract approves a proxy logic contract as “static”, it can never be disapproved in the future. This means that users can be sure they’ll always have access to any functionality provided by a static logic proxy — even if the InstaRegistry
contract admins later become malicious or compromised. Static logic proxies could be used, for example, to provide all functionality needed for users to withdraw funds from their UserWallet
.
When the InstaRegistry
contract approves a proxy logic contract as “standard”, it can be disapproved in the future. Classifying logic proxies this way gives InstaDApp the flexibility to introduce new features or business models that it can later remove.
Summary of Findings
We audited the UserWallet
and InstaRegistry
contracts (and all contracts from which they inherit). We did not find any critical or high-severity issues. We particularly liked how the InstaDApp team separated “standard” and “static” logic proxies in an effort to limit the damage that a malicious or compromised InstaRegistry
admin could cause. While a malicious InstaRegistry
admin could add a malicious logic proxy and try to trick a user into invoking it, they would never be able to prevent a user from withdrawing their assets from the InstaDApp system — assuming the logic needed to exit had already been approved as static logic.
We did not audit any logic proxy contracts as part of this audit. Since proxy logic contracts can be used to manipulate the state of UserWallet
contracts when they are invoked by owners of the UserWallet
(including transferring valuable assets out of the wallet), we recommend that any proxy logic contracts also be audited.
We found a few interesting medium and low severity issues and offered some suggestions on how to fix them. Some of the more interesting ones include:
- Transfers of wallet ownership may be DoSed by an active attacker.
- Transactions in which new wallets are created can be made to fail by an active attacker.
- One of the events returns a data position rather the data itself.
We proposed some additional changes to follow best practices, improve extensibility, and reduce potential attack surface.
Audit Report
For more details and information you can read the full report.