Dopex - Smart Contract Audit Report


Dopex Audit Report Dopex is a decentralized option protocol which aims to maximize liquidity, minimize losses for option writers and maximize gains for option buyers - all in a passive manner for liquidity contributing participants.

We initially audited Dopex at commit eebcaabcbaaa206ec2b42cf37db4b7a33e877f4b on GitHub.
The Dopex team then made revisions based on our recommendations and we reviewed the updated code at commit fac0fc59fba22b610dcc4b1ee1becdb43e08f1d5 on GitHub.

Audit Findings Summary:
  • No security issues from outside attackers were identified.
  • Please note that the code is still in development. The code that was reviewed by our team for this audit is not the final code to be used in production.
  • Investing requires placing trust in the project team as they have substantial power in the ecosystem.
  • Date: April 11th, 2021.
Notes on Individual Contracts
  • This is the main contract which contains a registry of all other contracts to be used by the Dopex platform.
  • On our recommendation, the team removed redundant code to simplify the contract and to save gas on calls and deployment.

  • OptionPoolFactory:
  • Factory contract to create option pool contracts and maintain a whitelist of option pool contracts.
  • The team made a revision to declare the create() function External to save on gas.

  • OptionPool:
  • This contract allows for passive participation in option liquidity pools for a specified base and quote asset pair (eg. ETH-USD) where users passively write options.
  • Deposits (profits included) can be withdrawn at the end of an epoch for active pool participants.
  • The team modified the expireOptionContract() function on our recommendation as there was an opportunity to improve efficiency by reducing redundant variable definitions.

  • OptionsFactory:
  • This is the factory contract to create option contracts based on given base/quote asset, strike and expiry combination.
  • This can only be called by the Broker contract.
  • Our team did not find any vulnerabilities or areas to improve efficiency upon reviewing this contract.

  • OptionsContract:
  • This contract stores collateral and allows for depositing underlying assets and the exercising of options.
  • Users will earn doTokens on their collateral.
  • New options contracts can only be created by OptionsFactory.
  • The team modified the contract to avoid unnecessary storage that was occurring.

  • OptionPoolBroker:
  • This contract is used for option purchases, exercises, swaps and liquidations across all option pools within the Dopex protocol.
  • There were several instances of division occuring before multiplication within the contract, which the team resolved in their updated commit.

  • VolPool:
  • This contract is the Pool that holds funds prior to a global epoch allowing depositors to access an instant discount on option purchases for that epoch across all Dopex option pools.
  • The team resolved an issue where there was an uninitialized variable for the "volPoolPenalty". This was cleared up in the latest commit by allowing it to be set in the constructor.
  • The team revised a series of functions to declare them external instead of public to save on gas.

  • AssetSwapper:
  • Asset swapper uses funds from option exercises and option sales in option pools to replenish base/quote assets required for option pools in whitelisted OptionPool contracts.
  • The contract was optimized by streamlining logic around Uniswap approvals.

  • PriceOracle:
  • This is the contract used to determine last price and implied volatility values via Chainlink adapters. These values are referred to throughout the protocol.

  • Synth:
  • This contract is used to generate whitelisted synthetic assets using DPX tokens as collateral.
  • The platform utilizes the UMA protocol's token generation mechanisms.

  • OptionPoolRebates:
  • This contract is used to calculate and distribute rebates in the form of rDPX tokens which are claimable after epochs for whitelisted option pools.
  • Our team did not find any vulnerabilities or areas to improve efficiency upon reviewing this contract.

  • DopexRewards:
  • This contract distributes DPX tokens for function calls and actions performed within the protocol based on the token emission curve for all whitelisted option pools.
  • This operates as an incentive for users to pay execution costs to benefit the protocol by providing them with a stipend in the form of tokens.
  • There were several instances of division occuring before multiplication within the contract, which the team resolved in their updated commit.
  • The team reduced duplicate logic and optimized the contract by reducing the number of external function calls.

  • Security Best Practices:
  • The Dopex GitHub includes dozens of passing test cases.
  • Proper structuring of logic to prevent reentrancy attacks.
  • The contracts utilize the SafeMath library and SafeERC20 interfaces to prevent overflows throughout the contracts.

External Threats - Audit Results

Vulnerability CategoryNotesResult
Arbitrary Storage WriteN/APASS
Arbitrary JumpN/APASS
Delegate Call to Untrusted ContractN/APASS
Dependence on Predictable VariablesN/APASS
Deprecated OpcodesN/APASS
Ether ThiefN/APASS
External CallsN/APASS
External Service ProvidersN/APASS
Flash LoansN/APASS
Integer Over/UnderflowN/APASS
Multiple SendsN/APASS
Reentrancy IssuesN/APASS
State Change External CallsN/APASS
Unchecked RetvalN/APASS
User Supplied AssertionN/APASS
Critical Solidity CompilerN/APASS
Overall Contract Safety PASS