Mitosis

A network for programmable liquidity, optimizing decentralized finance liquidity management.

Audit Report

Severity Issues

  • critical
  • high: 1
  • informational: Several
  • medium: 6
  • low: 6

Audit Period

1.5 PW

Report

Introduction

Mitosis is an ecosystem-owned Layer-1 blockchain that streamlines multi-chain liquidity provision. LPs deposit assets to mint miAssets, govern liquidity allocations across networks and protocols, and enjoy institutional-grade opportunities in a decentralized framework.

Why Did They Need an Audit?

Mitosis’s core contracts—vault management, cross-chain hooks, redemption queues, and strategy execution—coordinate high-stakes fund flows. Any flaw in burning logic, queue resolution, or token transfers could result in vault drains, stuck user funds, or governance deadlocks. Mitosis engaged Three Sigma for a 1.5-week deep dive ahead of its mainnet launch.

Scope of the Engagement


Audit Date: 2024-07-16

Type: Code Audit

Results and Findings

Key Critical Issues

Vault burn vs. redeem mismatch

  • Description: In BasicVault::_redeem(), the contract burned newAmount (post-hook) but enqueued the original amount. A user could request an arbitrarily large amount, get it capped by the hook to a small newAmount, yet queue the inflated request—draining the vault’s idle balance.
  • Resolution: Modified the enqueue to use newAmount so shares burned always match the queued redemption.
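The burn/enqueue mismatch and its fix, as an added illustrative sketch (not Mitosis code): a minimal share ledger with a redemption queue and a hook that caps the amount. Contract, function and variable names (RedeemQueueSketch, IRedeemHook.beforeRedeem, CapHook, queued) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical hook interface: returns the amount the hook actually allows.
interface IRedeemHook {
    function beforeRedeem(address user, uint256 amount) external returns (uint256 newAmount);
}

// Minimal sketch of share accounting plus a redemption queue (assumed names).
contract RedeemQueueSketch {
    IRedeemHook public hook;
    mapping(address => uint256) public shares; // vault shares per user
    mapping(address => uint256) public queued; // pending redemption per user
    uint256 public totalQueued;                // sum of all queued redemptions

    event Enqueued(address indexed user, uint256 amount);

    constructor(IRedeemHook hook_) { hook = hook_; }

    function deposit(uint256 amount) external { shares[msg.sender] += amount; }

    // BEFORE (the finding): burn the hook-adjusted amount, but enqueue the original request.
    // A user holding 10 shares can request 1000, burn only 10 (the cap), yet queue 1000.
    function redeemBefore(uint256 amount) external {
        uint256 newAmount = hook.beforeRedeem(msg.sender, amount);
        shares[msg.sender] -= newAmount; // burns the capped amount...
        _enqueue(msg.sender, amount);    // ...but queues the inflated one
    }

    // AFTER (the resolution): the queued amount is exactly what was burned.
    function redeemAfter(uint256 amount) external {
        uint256 newAmount = hook.beforeRedeem(msg.sender, amount);
        shares[msg.sender] -= newAmount;
        _enqueue(msg.sender, newAmount); // burned and queued amounts always match
    }

    function _enqueue(address user, uint256 amount) internal {
        queued[user] += amount;
        totalQueued += amount;
        emit Enqueued(user, amount);
    }
}

// Constructed hook that caps every redemption, mirroring the "capped by the hook" case.
contract CapHook is IRedeemHook {
    uint256 public immutable cap;
    constructor(uint256 cap_) { cap = cap_; }
    function beforeRedeem(address, uint256 amount) external view returns (uint256) {
        return amount > cap ? cap : amount;
    }
}
```

A useful invariant to assert in tests for such a vault: total shares burned across all redemptions equals totalQueued.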

Notable Medium-Severity Issues

Fee-on-transfer tokens break vault accounting

  • Description: BasicVault assumed a 1:1 transfer ratio. Fee-on-transfer tokens deduct a tax on every transfer, so the vault's actual token balance no longer matched the share count it had minted.
  • Resolution: Compute actual = postBalance − preBalance and mint/burn based on actual. Added nonReentrant to guard ERC-777 callbacks.

Missing gas-limit metadata in Cap

  • Description: The Hyperlane Cap hook lacked proper metadata() gas limits, defaulting to 50k gas—too low for epoch updates.
  • Resolution: Overrode metadata() to supply correct per-domain gas caps; recommended upgrading Hyperlane version.

Wrong strategy disabled in executor

  • Description: StrategyExecutor::disableStrategy() always swapped in the last element, even when disabling the last entry, corrupting the enabled list.
  • Resolution: Only swap non-last entries; simply pop() when targeting the last index.

Notable Low-Severity & Informational Observations

  • Disable renounceOwnership() by overriding to prevent accidental loss of control.
  • Prevent paused-state lockout by disallowing owner renouncement while paused.
  • Unify manual vs. standard flows: clarify or merge manualDeposit/manualRedeem.


In conclusion

Three Sigma’s 1.5-week audit of Mitosis’s 1,112 nSLOC across vaults, hooks, strategy executors, and queues uncovered one critical redemption flaw and six medium-severity logic gaps. All issues were addressed or acknowledged, ensuring Mitosis’s vault accounting, redemption queues, and cross-chain hooks operate safely and efficiently—paving the way for a robust multi-chain liquidity layer.
