Voltage Finance is a DeFi protocol offering users yield farming, swapping, and staking functionalities, with a focus on providing liquidity and optimizing returns.
QuillAudits conducted an in-depth security audit of Voltage Finance, identifying and rectifying critical vulnerabilities to enhance the protocol's security and reliability.
The Voltage Finance Protocol is a decentralized finance (DeFi) platform designed to offer an array of yield farming, swapping, and staking opportunities for its users. By leveraging the power of blockchain technology, Voltage Finance aims to create an accessible and efficient DeFi ecosystem.
Voltage Finance is an innovative DeFi protocol enhancing yield farming, swapping, and staking experiences for its community. Built on the Fuse Network blockchain, it focuses on optimized liquidity solutions and diverse staking pools, empowering users to maximize returns with a seamless experience. The platform aims to be inclusive and accessible, catering to users of all experience levels, and establishing itself as a trusted destination for leveraging DeFi opportunities.
The Voltage Finance Protocol, like any advanced DeFi platform, faced intricate security concerns, such as potential exploits in reward distribution mechanisms and liquidity management. Our audit emphasized identifying critical areas like unauthorized access, logic flaws, and reentrancy vulnerabilities, ensuring the protocol's robustness and reliability.
1. Information Gathering
3. Functional Testing:
4. Automated Testing:
5. Reporting & Remediation:
We adopted a combination of white-box and black-box testing techniques to ensure thorough coverage of all potential attack vectors. Our collaborative process with the Voltage Finance team allowed for clear communication and effective resolution of identified vulnerabilities.
Our security audit of the Voltage Finance Protocol uncovered several vulnerabilities that could have been exploited to manipulate rewards, access funds, or alter key parameters:
Our thorough and extensive audit uncovered 2 critical vulnerabilities.
Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:
Discovery:
In the harvestOperation
function of the MasterChefV4
contract, there's a critical issue with how rewards are calculated and distributed. Voltage Finance offers two types of rewards:
These rewards are represented by two variables:
reward
: Represents the amount of Volt tokens to be rewardeddoubleRewards
: Represents the amount of Fuse tokens to be rewardedThe problem occurs when the reward
variable is overwritten with the value of doubleRewards
in the MasterChefV4
contract.
Impact:
This overwriting causes users to receive an incorrect amount of Volt tokens as rewards. Specifically, users end up receiving the amount of Fuse tokens (stored in doubleRewards
) as Volt tokens, instead of the originally calculated Volt token reward. This leads to significant inaccuracies in reward distribution and affects user returns.
Discovery:
In the MasterChefV4
contract, there's an error in how the double reward (Fuse tokens) is transferred to users. The problem lies in using the wrong variable when transferring the double reward.
Impact:
Due to this error, the specified _to
address receives an incorrect amount of Fuse tokens. Instead of receiving the intended doubleReward
amount, they are mistakenly given the value stored in the reward
variable (meant for Volt tokens). This results in the misallocation of rewards and undermines the integrity of the protocol’s reward mechanism.
harvestOperation
function to understand the logic behind reward calculation and distribution. This analysis highlighted the point at which the reward
variable was being incorrectly overwritten by the doubleRewards
value.reward
variable remains intact and solely represents the amount of Volt tokens. This involved separating the calculations for Volt and Fuse token rewards to prevent any overwriting of values.reward
variable instead of doubleRewards
.doubleRewards
variable for the distribution of Fuse tokens. This change guarantees that the correct amount of tokens is sent to the specified _to
address.Impressed by our findings and recommendations, the Voltage Finance developers promptly addressed all identified vulnerabilities.
Through our collaborative efforts, the Voltage Finance Protocol is now significantly more secure, ensuring the protection of user funds.
The Voltage Finance V3 Protocol’s smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the Voltage Finance V3 Protocol Team has taken a significant step towards securing its platform and safeguarding user trust.
Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!