Mitosis is an ecosystem-owned Layer-1 blockchain that streamlines multi-chain liquidity provision. LPs deposit assets to mint miAssets, govern liquidity allocations across networks and protocols, and enjoy institutional-grade opportunities in a decentralized framework.
Why Did They Need an Audit?
Mitosis’s core contracts—vault management, cross-chain hooks, redemption queues, and strategy execution—coordinate high-stakes fund flows. Any flaw in burning logic, queue resolution, or token transfers could result in vault drains, stuck user funds, or governance deadlocks. Mitosis engaged Three Sigma for a 1.5-week deep dive ahead of its main-net launch.
Scope of the Engagement
Audit Date: 2024-07-16
Type: Code Audit
Results and Findings
Key Critical Issues
Vault burn vs. redeem mismatch
Description: In BasicVault::_redeem(), the contract burned newAmount (post-hook) but enqueued the original amount. A user could request an arbitrarily large amount, get it capped by the hook to a small newAmount, yet queue the inflated request—draining the vault’s idle balance.
Resolution: Modified the enqueue to use newAmount so shares burned always match the queued redemption.
Notable Medium-Severity Issues
Fee-on-transfer tokens break vault accounting
Description: BasicVault assumed a 1:1 transfer ratio, i.e. that the amount passed to transferFrom equals the amount the vault actually receives. Fee-on-transfer tokens deduct a tax on each transfer, so vault balances drift out of line with the share count.
Resolution: Compute actual = postBalance − preBalance and mint/burn based on actual. Added nonReentrant to guard ERC-777 callbacks.
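The two vault findings above (burning newAmount but queuing the original amount, and trusting the transfer amount instead of the balance delta) are easiest to see side by side in one contract. The following is an added example written for this page, not Mitosis or Three Sigma code: the IRedeemHook interface, the queue layout, the share math and the contract name are assumptions chosen to illustrate the fixes, and rounding is simplified.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Mitosis code. IRedeemHook, the queue layout and the share
// math are assumptions chosen to show the two fixes; the real BasicVault differs.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical redemption hook: may cap a request and returns the amount to honour.
interface IRedeemHook {
    function beforeRedeem(address user, uint256 amount) external returns (uint256 newAmount);
}

contract MinimalVault {
    IERC20 public immutable asset;
    IRedeemHook public immutable hook;

    uint256 public totalShares;
    uint256 public totalAssets;                 // assets backing outstanding shares
    mapping(address => uint256) public shares;

    struct Request { address user; uint256 amount; }
    Request[] public queue;                     // pending redemptions, paid out later
    uint256 public head;                        // next queue index to resolve

    // Minimal reentrancy guard (OpenZeppelin's ReentrancyGuard is the usual choice);
    // it stops ERC-777 tokensReceived / tokensToSend callbacks from re-entering.
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IERC20 asset_, IRedeemHook hook_) {
        asset = asset_;
        hook = hook_;
    }

    // Simplified share conversion (rounding direction ignored for brevity).
    function _toShares(uint256 assets) internal view returns (uint256) {
        if (totalShares == 0 || totalAssets == 0) return assets;
        return assets * totalShares / totalAssets;
    }

    // Fee-on-transfer fix: measure the balance delta instead of trusting `amount`,
    // so a token that taxes transfers cannot mint shares for assets never received.
    function deposit(uint256 amount) external nonReentrant returns (uint256 minted) {
        uint256 pre = asset.balanceOf(address(this));
        require(asset.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 actual = asset.balanceOf(address(this)) - pre;
        minted = _toShares(actual);
        totalShares += minted;
        totalAssets += actual;
        shares[msg.sender] += minted;
    }

    // Burn/enqueue fix: the hook may shrink the request, and the queued amount must
    // be the same post-hook `newAmount` whose shares were burned. Queuing the
    // original `amount` here is the critical finding: shares for a small amount
    // are burned while a large payout sits in the queue.
    function redeem(uint256 amount) external nonReentrant returns (uint256 newAmount) {
        newAmount = hook.beforeRedeem(msg.sender, amount);
        require(newAmount <= amount, "hook may only cap");
        uint256 burned = _toShares(newAmount);
        require(shares[msg.sender] >= burned, "insufficient shares");
        shares[msg.sender] -= burned;
        totalShares -= burned;
        totalAssets -= newAmount;
        queue.push(Request({user: msg.sender, amount: newAmount}));
    }

    // Pays the oldest pending request from the vault's idle balance.
    function resolveNext() external nonReentrant {
        require(head < queue.length, "queue empty");
        Request memory r = queue[head++];
        require(asset.transfer(r.user, r.amount), "transfer failed");
    }

    // Invariant worth asserting in tests: idle balance covers every queued payout.
    function queuedLiabilities() external view returns (uint256 owed) {
        for (uint256 i = head; i < queue.length; i++) owed += queue[i].amount;
    }
}
```

A useful invariant test against a contract like this is `asset.balanceOf(vault) >= queuedLiabilities()` after any sequence of deposits and redeems; with the queue fed `amount` instead of `newAmount`, a single capped redemption breaks it.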
Missing gas-limit metadata in Cap
Description: The Hyperlane Cap hook lacked proper metadata() gas limits, so dispatches fell back to the default of 50k gas, which is too low for epoch updates.
Resolution: Overrode metadata() to supply correct per-domain gas caps; recommended upgrading Hyperlane version.
Wrong strategy disabled in executor
Description: StrategyExecutor::disableStrategy() always swapped in the last element, even when disabling the last entry, corrupting the enabled list.
Resolution: Only swap non-last entries; simply pop() when targeting the last index.
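The swap-and-pop idiom behind this finding, with the unconditional-swap form next to the corrected one, as an added example written for this page (not Mitosis or Three Sigma code). The page does not reproduce StrategyExecutor's source, so disableBuggy models one ordering in which always swapping in the last element leaves the bookkeeping inconsistent; the contract and mapping names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Mitosis code: an enabled-strategy registry using the
// swap-and-pop idiom. `disableBuggy` models one ordering in which "always swap
// in the last element" corrupts the bookkeeping; names are assumptions.
contract StrategyRegistry {
    address[] public enabled;
    // index + 1 of each enabled strategy in `enabled`; 0 means not enabled.
    mapping(address => uint256) private _slot;

    function enable(address strategy) external {
        require(_slot[strategy] == 0, "already enabled");
        enabled.push(strategy);
        _slot[strategy] = enabled.length;
    }

    function isEnabled(address strategy) external view returns (bool) {
        return _slot[strategy] != 0;
    }

    function count() external view returns (uint256) {
        return enabled.length;
    }

    // Buggy form: swaps unconditionally. When `strategy` is itself the last entry,
    // the `_slot[last] = i` write re-registers it after the delete, so the array
    // drops it but the mapping still claims it is enabled and points past the end
    // of the array: enable() reverts as "already enabled" and a later disable()
    // reverts with an out-of-bounds panic.
    function disableBuggy(address strategy) external {
        uint256 i = _slot[strategy];
        require(i != 0, "not enabled");
        delete _slot[strategy];
        address last = enabled[enabled.length - 1];
        enabled[i - 1] = last;
        _slot[last] = i;
        enabled.pop();
    }

    // Fixed form: only swap when the target is not already the last entry,
    // otherwise just pop() (the resolution described above).
    function disable(address strategy) external {
        uint256 i = _slot[strategy];
        require(i != 0, "not enabled");
        uint256 lastIdx = enabled.length - 1;
        if (i - 1 != lastIdx) {
            address last = enabled[lastIdx];
            enabled[i - 1] = last;
            _slot[last] = i;
        }
        enabled.pop();
        delete _slot[strategy];
    }
}
```

A one-strategy check exposes the difference: enable(A), disableBuggy(A) leaves count() == 0 but isEnabled(A) == true, whereas enable(A), disable(A) leaves both consistent.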
Notable Low-Severity & Informational Observations
Disable renounceOwnership() by overriding to prevent accidental loss of control.
Prevent paused-state lockout by disallowing owner renouncement while paused.
Unify manual vs. standard flows: clarify or merge manualDeposit/manualRedeem.
Issues by Severity
Critical: 1
High: none listed
Medium: 6
Low: 6
Informational: Several
Audit Period: 1.5 PW
In conclusion
Three Sigma’s 1.5-week audit of Mitosis’s 1,112 nSLOC across vaults, hooks, strategy executors, and queues uncovered one critical redemption flaw and six medium-severity logic gaps. All issues were addressed or acknowledged, ensuring Mitosis’s vault accounting, redemption queues, and cross-chain hooks operate safely and efficiently—paving the way for a robust multi-chain liquidity layer.