Origin Governance Audit

Published on: 06.07.2022
Origin Governance Audit

Origin governance audit was conducted by OpenZeppelin. The OpenZeppelin team audited a governance system for OriginProtocol. The contracts allow users to stake their tokens to receive voting power and be rewarded with additional OGV tokens.

The system enables users to participate in the governance of the Origin Protocol by staking their OGV tokens, allowing users to earn more OGV as a staking reward. Furthermore, the staking contract OgvStaking allows OGV governance tokens to be staked to obtain non-transferable ERC20Votes-based tokens called OGVe which can participate in a GovernorBravo—compatible governance vote.

The minimum and maximum lockup periods are 7 and 1461 days, respectively. In addition, each staker earns OGV tokens at a pre-configured daily total rate set per time interval and emitted from the RewardSource contract. The OGVe tokens are awarded based on a constant inflation factor of 80% per year in relation to the end of the staking lockup period.

Security Considerations

  • Due to an initial voting delay of 1 block in the governance contract, we assume a delay between the deployment of OgvStaking and the transfer of assets or privileges to Governance, such that there is at least sufficient time for stakers to have received and delegated their voting shares before the governance contract becomes active. Further, we assume the cancellation of all proposals in the timelock queue directly prior to the transfer of assets or privileges to Governance prevents the execution of proposals that have been passed before the completion of the voting shares distribution.
  • Based on the disabled transfer functionality OGVe and the minimum staking duration of 7 days, flash-loan-based governance attacks are mitigated.
  • Due to a lack of external calls outside of the contract ecosystem, the functions within OgvStaking appear inherently safe against reentrancy. However, the OGV token is based on an upgradable proxy. A future upgrade introducing transfer hooks with user-controllable data could render the thecollectRewards function vulnerable to reentrancy.
  • The PRBMthUD60x18 contract of the paulrberg/prb-math library is assumed to operate correctly if all operands and results can be expressed as a number with a 60-digit integer field and an 18-digit fractional field.

AUDIT FINDINGS

Extending the staking duration discards rewards

In the OgvStaking contract, updating a user’s rewards is a two-step process. First, the internal function _collect rewards must be called, which updates the accumulated per share rewards. For all users and then computes and transfers an individual user’s total outstanding rewards.

Moreover, the computation of a user’s outstanding rewards uses the mapping rewardDebt for internal bookkeeping. Because rewardDebt contains a user’s debt in absolute terms. It can only be updated as a second step outside of the _collectReward function. Additionally, after a potential change of the user’s stake has been accounted for. In effect, user rewards can only be computed correctly if a call to _collectRewards is jointly used with an update of rewardDebt

The function extends only performs an update on rewardDebt without a prior call to the  _collectReward function. Hence, it always discards the rewards earned by a user instead of paying them out.

ABOUT OpenZeppelin
OpenZeppelin
provides security products to build, automate, and operate decentralized applications. They also protect leading organizations by performing security audits on their systems and products.

Website | Twitter

ABOUT Origin Protocol
Origin’s mission
is to bring non-fungible tokens (NFTs) and decentralized finance (DeFi) to the masses.

Website | Twitter

RESOURCES
OpenZeppelin

Tags:
Market Stats:
BTC Dominance: 57.16%(+0.15%/24h)
ETH Dominance: 12.11%(-0.07%/24h)
Defi Market Cap: $115.01B(-4.10%/24h)
Total Market Cap: $3310.58B(-4.07%/24h)
Total Trading Volume 24h: $124.54B(+6.66%/24h)
ETH Market Cap: $401.21B
Defi to ETH Ratio: 28.67%
Defi Dominance: 3.33%
Altcoin Market Cap: $1418.1B
Altcoin Volume 24h: $78.26B
Total Cryptocurrencies: 33017
Active Cryptocurrencies: 10485
Active Market Pairs: 95389
Active Exchanges: 772
Total Exchanges: 9809
BTC: 95581.12$(0.02%/1H)
ETH: 3330$(0.27%/1H)
AVAX: 37.21$(-0.02%/1H)
BNB: 686.99$(0.01%/1H)
MATIC: 0.47$(-0.36%/1H)
FTM: 0.87$(0.14%/1H)
ADA: 0.86$(0.21%/1H)
DOT: 6.92$(-0.47%/1H)
UNI: 13.27$(0.14%/1H)
CAKE: 2.43$(0.31%/1H)
SUSHI: 1.43$(0.32%/1H)
ONE: 0.03$(0.19%/1H)