Malda: Lending audit report

Project Information

CATEGORY

Smart Contracts, zkVM

NETWORK

Solidity

WEBSITE

https://malda.xyz/

DESCRIPTION

From Jan. 20, 2025 to Feb. 18, 2025, Malda engaged Veridise to conduct a security assessment of their Malda lending protocol. The security assessment covered the Malda smart contracts, as well as a Rust program intended to be run in the Risc Zero zkVM. This report focuses on only the smart contracts. A companion report discusses the findings from the coincident zk-coprocessor review. Veridise conducted the first assessment over 12 person-weeks, with 3 security analysts reviewing the project over 4 weeks. Following this review, Malda engaged Veridise from Mar. 24 to Mar. 27 to conduct a security assessment of the Malda L1 Inclusion feature. The second assessment occurred over 8 person-days, with 2 security analysts reviewing the project over 4 days. The review strategy involved a tool-assisted analysis of the program source code performed by Veridise security analysts as well as thorough code review.

Audit Report

DURATION

12 person-weeks, 8 person-days

COMPLETED

May 20, 2025

View Audit Report

SCOPE

The scope of the initial security assessment at commit fde7102d is limited to the src/ folder of the source code provided by the Malda developers, which contains the smart contract implementation of the Malda lending protocol. Within src/, the following contracts were excluded:

  • src/Counter.sol
  • src/libraries/BytesLib.sol
  • src/libraries/CREATE3.sol
  • src/oracles/ChainlinkOracle.sol

Additionally, the developers indicated that src/rebalancer/messages/LZMessageOnlyBridge.sol would not be used by the protocol.
During the security assessment, the Veridise security analysts referred to the excluded files but assumed that they have been implemented correctly.

The scope of the second security assessment at commit e1bba48a is limited to changes in the following files of the source code provided by the developers:

  • src/Operator/Operator.sol
  • src/Operator/OperatorStorage.sol
  • src/interfaces/IOperator.sol
  • src/interfaces/ImTokenGateway.sol
  • src/interfaces/ImErc20Host.sol
  • src/mToken/host/mErc20Host.sol
  • src/mToken/BatchSubmitter.sol
  • src/mToken/extension/mTokenGateway.sol
  • src/mToken/mTokenStorage.sol
  • src/verifier/ZkVerifier.sol
  • src/libraries/mTokenProofDecoderLib.sol

The changes in the fix review include the implementation of an outflow volume limit on protocol actions which limits the outflow of funds from the host, addition of the L1 inclusion check as part of the slow lane implementation and some general refactoring.

Total Findings
0
Mitigated
0
Critical Severity
0
High Severity
0
Medium Severity
0
Low Severity
0

Considering an audit?
Contact us today!

Contact Us