Ojo Network

Code Audit

A decentralized network providing AI-driven data privacy and secure computations.

Audit Report

Introduction

Ojo provides an exchange-rate oracle for Mellow-curated Liquid Restaking Tokens (LRTs).

Unlike simple “1 LRT = 1 underlying asset” feeds, Ojo’s oracle divides the vault’s total asset value by total shares, outputting a Morpho-compatible price even when the vault holds several base tokens.

Why Did They Need an Audit?

Because Morpho markets rely on the feed to set collateral factors, any mis-scaled answer could under- or over-value an entire asset class. Ojo asked Three Sigma for a fast turn-around review to ensure:

  • correct decimal scaling for every vault,
  • graceful behaviour if the vault later adds multiple base assets,
  • safe ownership and updater permissions.

Scope of the Engagement

  • Files audited: CloneFactory.sol, MellowPriceFeed.sol
  • Timeline: 16 Oct 2024 – 17 Oct 2024
  • Team: 1 auditor - 2 days
  • Chain: Ethereum

Audit Date: 2024-10-16

Language: Solidity

Type: Code Audit

Results and Findings

Notable Low-Severity Issues

Hard-coded 18-decimals scaling

  • Description: MellowPriceFeed multiplied the raw Q96 ratio by 1e18 regardless of the priceFeedDecimals stored in the constructor. Vaults requiring, e.g., 6-decimal feeds would have returned values off by a factor of 1e12.
  • Resolution: Replaced the constant with 10**priceFeedDecimals (commit ad88fe1).
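
The scaling error from this finding, modelled in Python with exact integer arithmetic. This is an added example, not code from the audit report or from Ojo's contracts; the function names and sample ratios are assumptions for illustration, and only Q96, 1e18 and priceFeedDecimals come from the text.

```python
from fractions import Fraction

Q96 = 1 << 96  # denominator of an X96 fixed-point ratio

def answer_hardcoded(ratio_x96: int) -> int:
    """'Before' (hypothetical model): always scale by 1e18."""
    return ratio_x96 * 10**18 // Q96

def answer_scaled(ratio_x96: int, price_feed_decimals: int) -> int:
    """'After' (hypothetical model): scale by 10**priceFeedDecimals."""
    return ratio_x96 * 10**price_feed_decimals // Q96

def scaling_error(answer: int, ratio_x96: int, price_feed_decimals: int) -> Fraction:
    """Rate a consumer reads (answer / 10**decimals) divided by the true rate."""
    return Fraction(answer, 10**price_feed_decimals) / Fraction(ratio_x96, Q96)

def is_correctly_scaled(answer: int, ratio_x96: int, price_feed_decimals: int) -> bool:
    """True if answer equals the exact value up to integer-division truncation."""
    exact = Fraction(ratio_x96 * 10**price_feed_decimals, Q96)
    return 0 <= exact - answer < 1

# Constructed sample ratios (not taken from any real vault).
EXACT_RATIO_X96 = 17 * Q96 // 16      # 1.0625, exactly representable
ROUNDED_RATIO_X96 = 105 * Q96 // 100  # ~1.05, truncated to an integer

def error_table(decimals_list=(6, 8, 18)):
    """(decimals, error before fix, error after fix) for the exact sample ratio."""
    rows = []
    for d in decimals_list:
        before = scaling_error(answer_hardcoded(EXACT_RATIO_X96), EXACT_RATIO_X96, d)
        after = scaling_error(answer_scaled(EXACT_RATIO_X96, d), EXACT_RATIO_X96, d)
        rows.append((d, before, after))
    return rows

if __name__ == "__main__":
    for d, before, after in error_table():
        print(f"decimals={d:2d}  before fix: x{before}  after fix: x{after}")
```
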

Unclear behaviour if vault adds more base tokens

  • Description: The current vault holds exactly one asset, so getTargetRatiosX96() always returns 1e18. If the vault ever diversifies, the price-feed’s ratio could shift unexpectedly.
  • Resolution: The team documented the oracle’s expected behaviour and will deploy a new feed per multi-asset vault (commit 065a63f).

Severity Issues

  • critical
  • high: 0
  • informational: 1
  • medium: 0
  • low: 1

Audit Period: 2 Days

In conclusion

Three Sigma’s rapid review confirmed Ojo’s oracle is sound after a minor decimal-scaling fix and clearer documentation on future multi-asset support. With these adjustments in place, Morpho markets can safely rely on Ojo’s exchange-rate feed for LRT collateralisation.
