Mitosis is an ecosystem-owned Layer-1 blockchain that streamlines multi-chain liquidity provision. LPs deposit assets to mint miAssets, govern liquidity allocations across networks and protocols, and enjoy institutional-grade opportunities in a decentralized framework.
Why Did They Need an Audit?
Mitosis’s core contracts—vault management, cross-chain hooks, redemption queues, and strategy execution—coordinate high-stakes fund flows. Any flaw in burn logic, queue resolution, or token transfers could result in vault drains, stuck user funds, or governance deadlocks. Mitosis engaged Three Sigma for a 1.5-week deep dive ahead of its mainnet launch.
Scope of the Engagement
Audit Date: 2024-07-16
Type: Code Audit
Results and Findings
Key Critical Issues
Vault burn vs. redeem mismatch
Description: In BasicVault::_redeem(), the contract burned the post-hook newAmount but enqueued the original amount. A user could request an arbitrarily large amount, have the hook cap it to a small newAmount (so only that many shares were burned), and still have the full inflated request sit in the redemption queue. When the queue was resolved, the vault paid out far more than the shares burned, draining its idle balance.
Resolution: Modified the enqueue to use newAmount so shares burned always match the queued redemption.
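The shape of the bug and of the fix, as an added illustration written for this write-up rather than Mitosis’s own BasicVault code. It assumes a hypothetical IRedeemHook that may cap a request, a 1:1 share-to-asset model, and a simple on-chain queue; redeemVulnerable() reproduces the mismatch described above, redeem() applies the fix, and queueMatchesBurned() is the invariant a test suite or monitor should assert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical redemption hook: returns the amount the vault may actually
// redeem right now (it is allowed to cap the user's request).
interface IRedeemHook {
    function beforeRedeem(address user, uint256 amount) external returns (uint256 newAmount);
}

// Constructed hook for the example: caps every redemption at a fixed limit.
contract CapHook is IRedeemHook {
    uint256 public immutable cap;
    constructor(uint256 _cap) { cap = _cap; }
    function beforeRedeem(address, uint256 amount) external view override returns (uint256) {
        return amount > cap ? cap : amount;
    }
}

contract RedeemQueueVault {
    struct Request { address user; uint256 amount; }

    IRedeemHook public immutable hook;
    mapping(address => uint256) public shares;   // 1 share == 1 asset unit (assumption)
    Request[] public queue;
    uint256 public totalBurned;
    uint256 public totalQueued;

    constructor(IRedeemHook _hook) { hook = _hook; }

    // Demo-only helper so the example is self-contained: mint shares to the caller.
    function mintForDemo(uint256 amount) external { shares[msg.sender] += amount; }

    function _burn(address user, uint256 amount) internal {
        require(shares[user] >= amount, "insufficient shares");
        shares[user] -= amount;
        totalBurned += amount;
    }

    // Vulnerable pattern from the finding: burn the capped amount, queue the original.
    function redeemVulnerable(uint256 amount) external {
        uint256 newAmount = hook.beforeRedeem(msg.sender, amount);
        _burn(msg.sender, newAmount);
        queue.push(Request(msg.sender, amount));   // queued amount > shares burned
        totalQueued += amount;
    }

    // Fixed: the amount queued is exactly the amount burned.
    function redeem(uint256 amount) external returns (uint256 newAmount) {
        newAmount = hook.beforeRedeem(msg.sender, amount);
        require(newAmount > 0 && newAmount <= amount, "hook returned bad amount");
        _burn(msg.sender, newAmount);
        queue.push(Request(msg.sender, newAmount));
        totalQueued += newAmount;
    }

    // Invariant for tests and monitoring: the vault never owes more than was paid for in shares.
    function queueMatchesBurned() external view returns (bool) {
        return totalQueued == totalBurned;
    }
}
```

Deploy CapHook(10), mint 1,000 shares, and call redeemVulnerable(1000): only 10 shares burn, yet 1,000 units are queued and queueMatchesBurned() returns false. The same call through redeem() burns and queues 10, and the invariant holds. The require on newAmount also rejects a misbehaving hook that returns more than was requested.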
Notable Medium-Severity Issues
Fee-on-transfer tokens break vault accounting
Description: BasicVault assumed that the amount passed to transferFrom was the amount that arrived. Fee-on-transfer tokens deduct a tax on every transfer, so the vault credited more shares than assets actually received and share counts drifted away from the real balance.
Resolution: Compute actual = postBalance − preBalance and mint/burn based on actual. Added nonReentrant so an ERC-777 token’s transfer hook cannot re-enter the vault between the two balance reads and be credited twice.
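The balance-delta pattern beside the naive version, as an added example that is not Mitosis’s code. It assumes OpenZeppelin v5 import paths and a 1:1 share model, and ships with a constructed MockFeeToken that burns a basis-point fee on every transfer so the accounting drift is reproducible locally.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Constructed fee-on-transfer token: `feeBps` of every transfer is burned in flight.
contract MockFeeToken is IERC20 {
    uint256 public immutable feeBps;
    uint256 public override totalSupply;
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public override allowance;

    constructor(uint256 _feeBps, uint256 supply) {
        feeBps = _feeBps;
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }
    function approve(address spender, uint256 amount) external override returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }
    function transfer(address to, uint256 amount) external override returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount;
        _move(from, to, amount);
        return true;
    }
    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = amount * feeBps / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee;   // recipient gets less than `amount`
        totalSupply -= fee;
        emit Transfer(from, to, amount - fee);
    }
}

contract FeeAwareVault is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    mapping(address => uint256) public shares;   // 1 share == 1 asset unit (assumption)
    uint256 public totalShares;

    constructor(IERC20 _asset) { asset = _asset; }

    // Vulnerable: credits the requested amount, not what actually arrived.
    function depositNaive(uint256 amount) external {
        asset.safeTransferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
        totalShares += amount;
    }

    // Fixed: credit the measured balance delta. nonReentrant matters because an
    // ERC-777 token runs the sender's tokensToSend hook before balances move, so a
    // re-entered deposit would read the same `pre` and be credited a second time.
    function deposit(uint256 amount) external nonReentrant returns (uint256 received) {
        uint256 pre = asset.balanceOf(address(this));
        asset.safeTransferFrom(msg.sender, address(this), amount);
        received = asset.balanceOf(address(this)) - pre;
        require(received > 0, "nothing received");
        shares[msg.sender] += received;
        totalShares += received;
    }

    // Solvency check: assets held must cover every outstanding share.
    function solvent() external view returns (bool) {
        return asset.balanceOf(address(this)) >= totalShares;
    }
}
```

With MockFeeToken(100, 1e18) (a 1% fee), depositNaive(1e18) leaves the vault holding 0.99e18 tokens against 1e18 shares and solvent() returns false; deposit(1e18) credits 0.99e18 shares and the vault stays solvent. The same pre/post measurement belongs on the redemption path, where the user should receive what the token actually delivers rather than the nominal amount.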
Missing gas-limit metadata in Cap
Description: The Hyperlane Cap hook did not supply gas limits through metadata(), so dispatches fell back to Hyperlane’s default of 50k gas, too little for an epoch update to execute on the destination chain.
Resolution: Overrode metadata() to supply correct per-domain gas caps; recommended upgrading Hyperlane version.
Wrong strategy disabled in executor
Description: StrategyExecutor::disableStrategy() always swapped the target with the last element, even when the target was itself the last entry, corrupting the enabled list.
Resolution: Only swap non-last entries; simply pop() when targeting the last index.
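An added example of the swap-and-pop pattern, written for this write-up and not taken from Mitosis’s StrategyExecutor. It assumes the common index-plus-one mapping for O(1) membership checks; disableStrategyVulnerable() shows one way an unconditional swap corrupts the registry when the target is the last entry (the mapping write after the delete resurrects the removed strategy’s index), and disableStrategy() applies the fix the audit recommended.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract StrategyRegistry {
    address[] public enabled;
    // index + 1 into `enabled`; 0 means "not enabled"
    mapping(address => uint256) private indexPlusOne;

    function enableStrategy(address s) external {
        require(s != address(0) && indexPlusOne[s] == 0, "already enabled");
        enabled.push(s);
        indexPlusOne[s] = enabled.length;
    }

    // Vulnerable shape: swap with the last element unconditionally. When `s` is
    // already last, `moved == s`, so the mapping write after the delete re-points
    // `s` at a slot that is popped on the next line. `s` then reads as enabled with
    // an index past the end of the array, and enableStrategy(s) reverts forever.
    function disableStrategyVulnerable(address s) external {
        uint256 idx = indexPlusOne[s];
        require(idx != 0, "not enabled");
        idx -= 1;
        uint256 last = enabled.length - 1;
        address moved = enabled[last];
        enabled[idx] = moved;
        delete indexPlusOne[s];
        indexPlusOne[moved] = idx + 1;   // resurrects `s` when moved == s
        enabled.pop();
    }

    // Fixed: only swap when the target is not already last, then pop.
    function disableStrategy(address s) external {
        uint256 idx = indexPlusOne[s];
        require(idx != 0, "not enabled");
        idx -= 1;
        uint256 last = enabled.length - 1;
        if (idx != last) {
            address moved = enabled[last];
            enabled[idx] = moved;
            indexPlusOne[moved] = idx + 1;
        }
        delete indexPlusOne[s];
        enabled.pop();
    }

    function isEnabled(address s) external view returns (bool) { return indexPlusOne[s] != 0; }
    function count() external view returns (uint256) { return enabled.length; }

    // Invariant for tests: every entry's stored index points back at its own slot.
    function consistent() external view returns (bool) {
        for (uint256 i = 0; i < enabled.length; i++) {
            if (indexPlusOne[enabled[i]] != i + 1) return false;
        }
        return true;
    }
}
```

Enable A then B and call disableStrategyVulnerable(B): count() drops to 1 but isEnabled(B) still returns true, and enableStrategy(B) reverts. The fixed disableStrategy(B) leaves isEnabled(B) false and consistent() true. A fuzz test that interleaves random enable/disable calls and asserts consistent() after each one catches this class of bug without knowing the exact trigger.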
Notable Low-Severity & Informational Observations
Disable renounceOwnership() by overriding to prevent accidental loss of control.
Prevent paused-state lockout by disallowing owner renouncement while paused.
Unify manual vs. standard flows: clarify or merge manualDeposit/manualRedeem.
Blockchain security isn't optional.
Protect your smart contracts and DeFi protocols with Three Sigma, a trusted security partner in blockchain audits, smart contract vulnerability assessments, and Web3 security.
Three Sigma’s 1.5-week audit of Mitosis’s 1,112 nSLOC across vaults, hooks, strategy executors, and queues uncovered one critical redemption flaw and six medium-severity logic gaps. All issues were fixed or acknowledged by the team, leaving Mitosis’s vault accounting, redemption queues, and cross-chain hooks on a sound footing ahead of launch—paving the way for a robust multi-chain liquidity layer.
Secure Your Crypto Project Before It’s Too Late. Get in Touch Today.