Security & Audits
Last updated
Security is a key focus. The DEX has a modular structure composed of contracts that have undergone extensive auditing and bounty programmes, which we label as inherited security. New codebases like the Nest and changes to existing code have been audited through bug bounty contests on Code4rena and Hats Finance.
Inherited Security
Fenix inherits an extensively tested codebase that originates from the first Solidly protocol developed by Andre Cronje on Fantom in 2022. There have been no security-related incidents involving these contracts since launch.
More specifically, Fenix inherits the Thena and Chronos implementations that have undergone V1 and V2 updates that were audited by Peckshield and OpenZeppelin respectively. No open security incidents have been seen.
The Algebra Integral Engine that powers the UNIV3 and plugin/hook functions on Fenix has undergone multiple audits, including a recent whole codebase audit by Paladin. Algebra AMM code has experienced no vulnerabilities.
The Fenix Liquidity Hub is a fork of the UniswapX contract that was audited by OpenZeppelin and is described as having a high level of security.
The Fenix asymmetric liquidity AMM for automated trading strategies built by Bancor has undergone in-depth ChainSecurity and PeckShield audits. The codebase was found to provide a high level of security and additionally is subject to a bounty.
Recent Audits
On top of inherited security, Fenix has undergone a total of 3 interrogations which we describe below:
Hats Finance Bug Bounty Contest [1]
To deploy on Blast some changes were made to our inherited contracts and all implicated code was submitted to a bug bounty contest by Hats Finance where $40,000 was offered to security researchers to identify issues within the codebase.
[Audit Repository] & [Audit Scope]
Below is a list of fixes from the bug bounty contest for Fenix:
[HIGH] Adversary can steal all bribe rewards
Status: Fixed
[HIGH] First liquidity provider of a stable pair can DOS the pool
Status: Fixed
[Medium] Protocol fees collected in PairFees are lost due to accrued yield
Status: Fixed
[Low] GaugeFactoryUpgradeable.setDistribution() would revert due to incorrect access control
Status: Fixed
[Low] Missing events for functions that change critical parameters
Status: Partially fixed/Not fixed
Hats Finance Bug Bounty Contest [2]
This contest awarded $12,000 to interrogate the Fenix Nest, our veFNX management system that provides vote delegation, vote optimisation and rewards autocompounding.
[Scope & Repository & Findings] - A total of 12 findings (1 High, 3 Medium, 8 Low).
Status: All issues were fixed.
Code4rena Contest [3]
This contest awarded $16,000 to interrogate changes to voting contracts following Nest changes.
[Scope & Repository & Findings] - A total of 7 findings (1 High, 6 Medium).
Status: All issues were fixed.
If you identify any vulnerabilities in our code, please open a ticket directly on our Discord channel or DM us directly via Twitter and the team will be happy to discuss an appropriate resolution.