Shortly after float.capital noticed the trading patterns of 0x17 and 0x43 and finished its preliminary investigation, it contacted byterocket to facilitate an additional technical investigation.
byterocket is an audit provider, focused on deep technical code reviews and extensive protocol analysis for various well-known projects in the DeFi space. Due to earlier audits for float.capital, we were already very familiar with their codebase.
Our main task was to find out whether the actions of 0x17 and 0x43 had been possible due to bugs, exploits, or any other technical weaknesses or whether it was something that was within the confines of using float.capital fairly.
As per our internal process, we assigned three auditors to look into the incidents, iterating over the smart contract code, the backend applications in use, and all documentation provided to us by float.capital. They provided us with an in-depth document of their findings, including tables of every transaction that followed the described pattern. While some members of our team manually went through the smart contract code that is interacted with during the transactions, the rest analyzed the general facts. Because oracles are involved, multiple systems and protocols had to be thoroughly analyzed and verified. Throughout the course of our investigation, we did manual as well as automated reviews of the float.capital smart contracts and of the code of the involved Chainlink oracles. None of the smart contracts showed any vulnerabilities or behaviors that would have led to the incidents. We have no reason to believe that the incidents were caused by a smart contract bug or exploit in any of the involved smart contracts or backend systems. This is further backed by the fact that the involved accounts “only” profit in 50 - 60% of their actions, in contrast to an exploit, where >95% of the actions result in vast profits.
As we also analyzed the protocol implemented by float.capital, we did not find any flaws or problems that would have led to the incident either. As per our analysis, it is very likely that the incident is the result of an oracle arbitrage system run by one or more entities, combined with the float.capital protocol placing no significant limit on the minimum time between trades, a limit that has since been increased.
The internal hypothesis we believe to be the most likely is that 0x17 and 0x43 created a program that analyzes the Chainlink oracle values (before, after, and during float.capital system updates) and used these to perform short-term trades with a net benefit in over 50% of their actions.
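As an added illustration (not part of this report or of float.capital's code), the following Python scores accounts for the pattern described above: short-held positions that bracket a Chainlink update and their win rate, plus a count of how many actions a per-account minimum interval would have rejected. The trade records, update times, thresholds and the way the interval is modelled are all constructed assumptions.

```python
from bisect import bisect_left
from dataclasses import dataclass
@dataclass
class Trade:
    account: str     # shorthand label as used in the report, not a real address
    opened_at: int   # unix seconds of the position-opening action
    closed_at: int   # unix seconds of the position-closing action
    pnl: float       # realised profit in pool units, negative for a loss
# Constructed sample data (not taken from the report): oracle update times and trades.
ORACLE_UPDATES = [1000, 1060, 1120, 1180, 1240, 1300]
TRADES = [
    Trade("0x17", 1055, 1065, 12.0),   # brackets the 1060 update, wins
    Trade("0x17", 1115, 1125, -4.0),   # brackets the 1120 update, loses
    Trade("0x17", 1175, 1185, 9.0),
    Trade("0x17", 1235, 1245, 7.0),
    Trade("0x43", 1295, 1310, -3.0),
    Trade("0xabc", 900, 1250, 3.0),    # long-held position: ordinary use
]

def straddles_update(trade, updates):
    """True if at least one oracle update falls inside the trade's holding window."""
    i = bisect_left(updates, trade.opened_at)   # first update at or after the open
    return i < len(updates) and updates[i] <= trade.closed_at

def profile_accounts(trades, updates, max_hold=30):
    """Per account: total trades, short trades bracketing an update, and how many of those won."""
    out = {}
    for t in trades:
        s = out.setdefault(t.account, {"trades": 0, "flagged": 0, "flagged_wins": 0})
        s["trades"] += 1
        if t.closed_at - t.opened_at <= max_hold and straddles_update(t, updates):
            s["flagged"] += 1
            if t.pnl > 0:
                s["flagged_wins"] += 1
    return out

def suspicious(stats, min_flagged=3, min_share=0.5):
    """Heuristic: several flagged trades that make up most of the account's activity."""
    return stats["flagged"] >= min_flagged and stats["flagged"] / stats["trades"] >= min_share

def actions_blocked_by_min_interval(trades, min_interval):
    """Count actions that came sooner than min_interval after the same account's previous one,
    i.e. what a per-account minimum gap would reject (assumed to apply to every open/close)."""
    actions = sorted((ts, t.account) for t in trades for ts in (t.opened_at, t.closed_at))
    last, blocked = {}, 0
    for ts, acct in actions:
        if acct in last and ts - last[acct] < min_interval:
            blocked += 1
        last[acct] = ts
    return blocked
```

On the constructed data, 0x17 is flagged on all four of its trades with three wins, while the long-held position of 0xabc is never flagged.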
As of the date of publication, the information provided in this report reflects the presently held understanding of the auditor’s knowledge of security patterns as they relate to the client’s contract(s), assuming that blockchain technologies, in particular, will continue to undergo frequent and ongoing development and therefore introduce unknown technical risks and flaws. The scope of the audit presented here is limited to the issues identified in the preliminary section and discussed in more detail in subsequent sections. The audit report does not address or provide opinions on any security aspects of the Solidity compiler, the tools used in the development of the contracts or the blockchain technologies themselves, or any issues not specifically addressed in this audit report.
The audit report makes no statements or warranties about the utility of the code, safety of the code, suitability of the business model, investment advice, endorsement of the platform or its products, the legal framework for the business model, or any other statements about the suitability of the contracts for a particular purpose, or their bug-free status.
To the full extent permissible by applicable law, the auditors disclaim all warranties, express or implied. The information in this report is provided “as is” without warranty, representation, or guarantee of any kind, including the accuracy of the information provided. The auditors hereby disclaim, and each client or user of this audit report hereby waives, releases and holds all auditors harmless from, any and all liability, damage, expense, or harm (actual, threatened, or claimed) from such use.
We store our public audit reports on IPFS, a peer-to-peer network called the "InterPlanetary File System". This allows us to store our reports in a distributed network instead of on a single server, so even if our website is down, every report is still available.
The IPFS hash, a unique identifier of the report, is signed on-chain by both the client and us to prove that both sides have approved this audit report. This signing mechanism allows users to verify that neither side has faked or tampered with the audit report.