DESCRIPTION
Magpie launched Radpie, a yield optimization protocol built upon Radiant. Users could deposit their assets on Radpie to earn enhanced yields.
This audit only covers the contracts listed in the report from the code repository. The iterative audit covers the code in the initial version, as well as subsequent versions that fix the discovered issues, as detailed in our audit report. During this audit, we presume that the dependencies from Radiant are both reliable and secure, and they are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains several high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Magpie team has addressed the discovered issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we found 13 potential issues in the smart contracts. We also have 5 recommendations and 7 notes, as follows:
ID | Severity | Description | Category | Status |
---|---|---|---|---|
1 | High | Inconsistent address parameter | Software Security | Fixed |
2 | High | Potential reverts in the _refundETH function | Software Security | Fixed |
3 | High | Incorrect parameter in the _harvestDlpRewards function | Software Security | Fixed |
4 | Medium | Incorrect return value of the assetPerShare function | Software Security | Fixed |
5 | Low | Potential DoS risk in the claim function | Software Security | Confirmed |
6 | Low | Potential overwriting on existing poolInfo | Software Security | Fixed |
7 | High | Double-counting rewards | DeFi Security | Fixed |
8 | High | Incorrect _onlyWhiteListed modifier | DeFi Security | Fixed |
9 | Medium | Lack of duplicate checks for function arguments | DeFi Security | Fixed |
10 | Medium | Incorrect fee removal logic | DeFi Security | Confirmed |
11 | Medium | Lack of sanity check on total fee | DeFi Security | Confirmed |
12 | Medium | Unclaimable rewards due to rewarder modification | DeFi Security | Fixed |
13 | Medium | Lack of health check | DeFi Security | Fixed |
14 | - | Remove unused variable | Recommendation | Fixed |
15 | - | Remove redundant check in the _sendRewards function | Recommendation | Fixed |
16 | - | Prevent multiple native tokens | Recommendation | Fixed |
17 | - | Prevent accidental native token transfers | Recommendation | Fixed |
18 | - | Avoid incorrect assignment | Recommendation | Fixed |
19 | - | The protocol will not support deflation/inflation tokens | Note | - |
20 | - | Potential centralization risk | Note | - |
21 | - | Periodic invocation of batchHarvestDlpRewards | Note | - |
22 | - | Periodic invocation of batchHarvestEntitledRDNT | Note | - |
23 | - | Ensure initial TVL in RadiantStaking pools | Note | - |
24 | - | The initialization of vdToken balance | Note | - |
25 | - | Periodic invocation of accrueStreamingFee | Note | - |
More details are provided in the audit report.