Arcadia’s Partnership with Renascence Labs

Arcadia has partnered with Bytes032 and the Renascence Labs team for the second security audit of the Arcadia Protocol V2. You can access the full audit report here.

For more information on our first security review, read here.

The protocol

Arcadia is a set of decentralized and non-custodial protocols built to serve as a novel standardized infrastructure for managing collateralized positions on blockchains.

Arcadia V2 enables users to construct and execute onchain financial operations that were not possible before. For example, a liquidity provider on an AMM would be able to collect trading fees while staking one of the paired assets in a farm to collect staking rewards too. They could hedge risks by borrowing one of the underlying assets or choose to enhance their returns using leverage while still accruing every layer of underlying yield (trading fees + staking fees + rewards). All these things happen in a single transaction and from a single account/position.

Why we chose to work with Bytes032

When looking for someone to handle the second security review of Arcadia V2, we decided to work with a few solo auditors to find the best fit. Bytes032 quickly stood out as the obvious choice. We had a good experience working with him on a smaller audit before. His expertise, the quality of his past work, and how well he knew our protocol made him the perfect pick for us.

Just before the audit began, Bytes032 asked if he could bring more people into the team. We didn’t know it then, but he was starting to form a team with other skilled solo auditors to work under a new name: Renascence Labs.

The team put together for our audit had a lot of experience with different kinds of projects, like leverage trading protocols, DEXs, and lending protocols. It included Bytes032, known for his work with Lybra, EigenLayer and Chainlink (contest); HollaDieWaldfee, a top auditor at C4 and senior at Sherlock known as “roguereddwarf”; and Alexxander. It was rare to have such a talented group working on one audit.

We planned the audit for December going into January 2024 and even added an extra week to the schedule for the holidays. But that extra time wasn’t needed. The Renascence team worked through the holidays and weekends, showing their high skill level and dedication.

Collaborating with the Renascence team was an exceptionally rewarding experience. Their integration felt seamless, as if they were an extension of our own team. Through regular brainstorming sessions, swift calls to explore potential issues, and overall stellar communication, they not only elevated the audit process but also enriched our team’s dynamics.

The Scope

The scope includes a total 2.596 nsloc, comprising the Arcadia Accounts V2 repo and the Arcadia Lending V2 repo. Both repos comprise full coverage of the Arcadia V2 code.

• Arcadia Accounts V2: https://github.com/arcadia-finance/accounts-v2/commit/4f4057d4ebafb0fbf739cbf627ff397d0e569c19
• Arcadia Lending: https://github.com/arcadia-finance/lending-v2/commit/03f930c55094582cbb11ff25791a3e560bfa917c

Highlights

We will briefly discuss finding [M-2] Zero account value renders liquidations impossible.

This finding exposed an edge case in our liquidation mechanism, specifically within the Liquidator.sol contract. It was discovered that in rare instances where collateral values dropped below a certain threshold, it triggered a division by zero error. This error made it impossible to liquidate accounts with extremely low or zero collateral value, potentially leaving bad debt unresolved and compromising the integrity of the platform.

It also further highlighted the need to ensure that all liquidations be settled, since junior Tranches are locked for withdrawals and deposits during auctions to prevent front-running both good and bad auction resolutions.

Mitigation

By refining the Liquidator.sol contract, we introduced checks to gracefully handle cases of zero collateral value. The fix in the liquidation process ensures that all liquidations can proceed smoothly without interruption, regardless of collateral value or state of the Account.

The complete fix we introduced not only prevent the division by zero error, but also accounts for situations where some collateral is, for example, blacklisted by the token issuer and thus collateral asset transfers may fail. It introduces a fallback mechanism where auctions that fail to end successfully (”for whatever reason”) are transferred as a whole to a new role on the Creditor, dubbed “the recipient”. Should such a situation occur, the recipient will receive the entire Account without the need to transfer individual assets. The leftover debt will be accounted as bad debt towards the liquidity pool though. However, the recipient can later sell the individual assets and donate the proceeds towards the liquidity pool to offset the bad debt incurred.

This is the second of multiple audits the protocol is undergoing prior to launch. Arcadia places, and will continue to place, the highest priority on security.

To stay up to date with Arcadia, follow @ArcadiaFi on X and join the Discord.