Arcadia’s Partnership with Trust Security

Arcadia has partnered with Trust Security for a first security review of the Arcadia Protocol V2. You can access the full audit report here.

The protocol

Arcadia is a set of decentralized and non-custodial protocols built to serve as a novel standardized infrastructure for managing collateralized positions on blockchains.

Arcadia V2 takes advantage of the composability of DeFi to combine different protocols in interesting ways to maximize yields while providing best-in-class execution that streamline the way users interface with underlying protocols. Users can open a single position and deposit assets in different pools and farms simultaneously, thereby stacking multiple layers of yield from multiple protocols together, boosting their returns and benefiting from yield diversification. Arcadia will automatically suggest rebalancing actions into the highest-yielding opportunities available according to each individual’s preferences and constraints to make sure you are continuosly earning the highest return available from your assets. These are made possible through several innovations:

• Arcadia Smart Accounts enable streamlined asset management by batching multiple transactions together and allowing flash actions.
• The Yield Optimizer helps users in constructing and rebalancing portfolios and can give personalised recommendations.
• The Multicall Calldata Generator leverages an intent-based architecture, and translates the users selected portfolio into a set of on-chain instructions which after a user’s signature are executed by the Account in a single transaction.

Why we chose Trust

After carefully vetting and assessing auditors, 3 main factors helped us decide on Trust for the first security review of Arcadia V2:

1. Experience auditing similar protocols: If you look at the audit portfolio of Trust Security one thing is clear — they have a lot of experience auditing novel DeFi primitives, among others, Smilee Finance, Lyra, Rysk, Olympus, and even Optimism.
2. We got to choose which auditors from the team did the review: While brand name is okay, we think what ultimately matters the most is the specific individuals who will be doing the audit. In this case, we chose Lambda and 0xladboy from the Trust team because of their track record (17 top 5 rankings in C4 competitions and 12 top 5 finishes in the last months, respectively), their specialties (finding creative edge cases, math heavy and DeFi primitives), their experience (over 50 completed audits combined), and their reputation (member of the 2016 Swiss national CTF team at the European cyber security championship and top 10% Sherlock Senior auditor, respectively).
3. Referrals and background checks: We contacted multiple protocols that have been audited by Trust recently, and in particular those that had been audited by the auditors we had selected. The overwhelming majority only had excellent things to say about their experience with Trust, the quality of the review and the high-frequency of interaction during the audit process.

The Scope

The scope includes a total 2.596 nsloc, comprising the Arcadia Accounts V2 repo and the Arcadia Lending repo. Both repos comprise full coverage of the Arcadia V2 code.

• Arcadia Accounts V2: https://github.com/arcadia-finance/accounts-v2/commit/4f4057d4ebafb0fbf739cbf627ff397d0e569c19
• Arcadia Lending: https://github.com/arcadia-finance/lending-v2/commit/03f930c55094582cbb11ff25791a3e560bfa917c

Audit Highlight

In this short post we highlight finding M-3: Invalid oracle price can be consumed.

The Trust team pointed out a few points in our Oracle Modules that could be improved and suggested some best practises related to Chainlink integrations on L2s.

In the original code, the Arcadia Protocol relied on external keepers (MEV) to decommission an oracle in a permissionless manner if its response became “invalid”. An invalid oracle could be a stale oracle, outside of its min/max value or it would revert on fetching the latest data.

The Trust team highlighted that according to best practises, every rate check should check the above information. On top, the protocol should be able to handle an L2 sequencer becoming offline.

Mitigation

The following improvements were made to fix this issue, in accordance with the best practises recommended by Trust and Chainlink:

On every ChainlinkOracle.latestRoundData(), we perform the following checks:

• roundId must be higher than zero
• the returned answermust be higher than zero
• the latest updatedAt cannot be longer ago than a pre-set cutOff for that specific oracle
• the latest updatedAt cannot be more recent than the current block.timestamp

Next to that, we added a new modifier in the Registry sequencerNotDown which checks whether the sequencer hasn’t been down in the last gracePeriod. Doing so protects both lenders and Account owners. Oracles prices will be updated again once the sequencer is back online, preventing users to take out liabilities against wrongly-priced assets. It will also give Account owners the chance to top up their collateral before liquidations start again. Since risk assumptions of different creditors can vary, each Creditor is able to set their own gracePeriod- essentially decreasing the trust any generic Creditor must put on the Arcadia team!

This is the first of multiple audits the protocol is undergoing prior to launch. Arcadia places, and will continue to place, the highest priority on security.

To stay up to date with Arcadia, follow @ArcadiaFi on X and join the Discord.