How QuillAudits Revamped Voltage Finance's Reward Mechanism

QuillAudits conducted an in-depth security audit of Voltage Finance, identifying and rectifying critical vulnerabilities to enhance the protocol's security and reliability.

Voltage Finance is a DeFi protocol offering users yield farming, swapping, and staking functionalities, with a focus on providing liquidity and optimizing returns.

Before QuillAudits

  • The MasterChefV4 contract had a critical vulnerability where the reward variable for Volt tokens was overwritten by the doubleRewards variable for Fuse tokens, leading to incorrect reward calculations.
  • Users received incorrect amounts of Fuse tokens because the contract used the reward variable (Volt tokens) instead of the doubleRewards variable during the transfer. This caused a mismatch in expected versus actual rewards received by users.
  • Improper handling of flash loan functionalities increased susceptibility to price manipulation attacks in certain liquidity pools.
  • These flaws could have led to reduced trust in Voltage Finance, as incorrect reward distribution might be seen as an attempt to manipulate rewards or as a sign of protocol inefficiency.

After QuillAudits

  • The reward calculation logic was fixed, ensuring that Volt and Fuse tokens are independently calculated and distributed without any overwriting, allowing users to receive the intended reward amounts.
  • The double reward transfer logic was corrected, ensuring that users receive the exact Fuse token rewards as per the intended protocol design. This fixed the reward inconsistency and ensured transparency in the distribution process.
  • Introduced verification checks to mitigate flash loan exploits, ensuring stable and fair pricing mechanisms.
  • Post-audit, the Voltage Finance protocol's credibility has been strengthened, showcasing a commitment to user fairness and security, thus bolstering trust within the community.

The Voltage Finance Protocol is a decentralized finance (DeFi) platform designed to offer an array of yield farming, swapping, and staking opportunities for its users. By leveraging the power of blockchain technology, Voltage Finance aims to create an accessible and efficient DeFi ecosystem.

Voltage Finance is Empowering DeFi Innovations

Voltage Finance is an innovative DeFi protocol enhancing yield farming, swapping, and staking experiences for its community. Built on the Fuse Network blockchain, it focuses on optimized liquidity solutions and diverse staking pools, empowering users to maximize returns with a seamless experience. The platform aims to be inclusive and accessible, catering to users of all experience levels, and establishing itself as a trusted destination for leveraging DeFi opportunities.

 

Addressing Security Challenges within Voltage Finance Protocol

The Voltage Finance Protocol, like any advanced DeFi platform, faced intricate security concerns, such as potential exploits in reward distribution mechanisms and liquidity management. Our audit emphasized identifying critical areas like unauthorized access, logic flaws, and reentrancy vulnerabilities, ensuring the protocol's robustness and reliability.

 

Voltage Finance Protocol’s Journey Through Our Audit Process

1. Information Gathering

  • Collected and reviewed all relevant documentation, including whitepaper, technical specifications, and design documents.
     
  • Obtained a clear understanding of the Voltage Finance V3 platform's functionality and intended user interactions.
     
  • Discussed client concerns and specific areas of focus for the audit.


2. Manual Code Review:
     
  • Conducted a line-by-line review of the smart contract code, focusing on:
     
    • Vulnerability identification: Searching for known vulnerabilities such as reentrancy, front-running, integer overflows, and access control issues.
       
    • Logic flaws: Identifying inconsistencies or unintended behaviours in the code logic.
       
    • Solidity best practices: Compliance with secure coding standards and adherence to established guidelines.
       

3. Functional Testing:

  • Developed and executed a comprehensive set of test cases covering various user interactions and edge cases.
     
  • Leveraged tools like Hardhat and Ganache to deploy and test the smart contract locally.

     

4. Automated Testing:

  • Employed static analysis tools like QuillShield to identify vulnerabilities through automated code scanning.
     
  • Utilized symbolic execution tools like Mythril to explore various code execution paths and uncover potential attack vectors.
     
  • Integrated unit tests written by the Voltage Finance V3 team to verify specific contract functions and their behaviour.
     

5. Reporting & Remediation:

  • Prepared a detailed report outlining all identified vulnerabilities, categorized by severity and potential impact.
     
  • Provided clear recommendations for fixing each vulnerability, including code snippets and best practices.
     
  • Collaborated with the Voltage Finance V3 Protocol team to prioritize and address the identified issues.
     
  • Conducted additional verification testing after vulnerability fixes were implemented.

 

QuillAudits' Strategic Approach to Voltage Finance’s Security Audits

We adopted a combination of white-box and black-box testing techniques to ensure thorough coverage of all potential attack vectors. Our collaborative process with the Voltage Finance team allowed for clear communication and effective resolution of identified vulnerabilities.
 

Comprehensive Audit Discoveries and Remediation Strategies

Our security audit of the Voltage Finance Protocol uncovered several vulnerabilities that could have been exploited to manipulate rewards, access funds, or alter key parameters, including 2 critical vulnerabilities.

Here is a breakdown of the critical vulnerabilities and their remediation strategies:

 

Reward Value Overwriting Leads to Incorrect Reward Distribution During Harvest

Discovery:

In the harvestOperation function of the MasterChefV4 contract, there's a critical issue with how rewards are calculated and distributed. Voltage Finance offers two types of rewards:

  • Volt tokens (primary reward)
  • Fuse tokens (secondary/double reward)

These rewards are represented by two variables:

  • reward: Represents the amount of Volt tokens to be rewarded
  • doubleRewards: Represents the amount of Fuse tokens to be rewarded

The problem occurs when the reward variable is overwritten with the value of doubleRewards in the MasterChefV4 contract.

Impact:

This overwriting causes users to receive an incorrect amount of Volt tokens as rewards. Specifically, users end up receiving the amount of Fuse tokens (stored in doubleRewards) as Volt tokens, instead of the originally calculated Volt token reward. This leads to significant inaccuracies in reward distribution and affects user returns.
 

Incorrect Transfer of Double Reward to User

Discovery:

In the MasterChefV4 contract, there's an error in how the double reward (Fuse tokens) is transferred to users. The problem lies in using the wrong variable when transferring the double reward.

Impact:

Due to this error, the specified _to address receives an incorrect amount of Fuse tokens. Instead of receiving the intended doubleReward amount, they are mistakenly given the value stored in the reward variable (meant for Volt tokens). This results in the misallocation of rewards and undermines the integrity of the protocol’s reward mechanism.
 

Remediation Strategies
 

1. Fixing Reward Value Overwriting
 

  • Code Review and Analysis: We conducted a thorough review of the harvestOperation function to understand the logic behind reward calculation and distribution. This analysis highlighted the point at which the reward variable was being incorrectly overwritten by the doubleRewards value.
     
  • Variable Separation: Our team refactored the code to ensure that the reward variable remains intact and solely represents the amount of Volt tokens. This involved separating the calculations for Volt and Fuse token rewards to prevent any overwriting of values.
     
  • Testing and Validation: Comprehensive unit tests were created to validate that the rewards calculated for Volt tokens are distinct from those for Fuse tokens. This ensured that users receive the correct amounts of both tokens during the harvest operation.
     

2. Correcting the Transfer of Double Reward to Users
 

  • Identification of Transfer Logic Error: We pinpointed the specific lines of code responsible for transferring the double reward (Fuse tokens) to users, which incorrectly referenced the reward variable instead of doubleRewards.
     
  • Code Modification: The transfer logic was corrected by updating the transfer function to ensure that it accurately references the doubleRewards variable for the distribution of Fuse tokens. This change guarantees that the correct amount of tokens is sent to the specified _to address.
     
  • Rigorous Testing: Following the code modifications, we conducted rigorous testing, including integration tests, to confirm that the rewards were correctly allocated and transferred. This testing phase involved simulating various scenarios to ensure consistency and accuracy in the reward distribution process.
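
The two findings and the kind of regression check the remediation describes, reduced to a small JavaScript model. This is an added example, not MasterChefV4 code or QuillAudits' test suite: `harvest`, `pay`, `checkHarvest`, the `bugs` flags and all amounts are hypothetical, and each finding is modelled on its own.

```javascript
// Simplified model of a two-token harvest payout, written for this example.
// It is not the MasterChefV4 source; names other than reward, doubleRewards
// and _to are hypothetical. Amounts are BigInt, as token units would be.
function harvest(ledger, _to, pendingVolt, pendingFuse, bugs = {}) {
  let reward = pendingVolt;          // Volt owed
  const doubleRewards = pendingFuse; // Fuse owed
  if (bugs.overwrite) reward = doubleRewards; // finding 1: Volt amount clobbered
  pay(ledger.volt, _to, reward);
  // finding 2: the Fuse transfer reads `reward` instead of `doubleRewards`
  pay(ledger.fuse, _to, bugs.wrongTransferVar ? reward : doubleRewards);
}

// Credit `amount` to `to` in one token's balance map.
function pay(balances, to, amount) {
  balances.set(to, (balances.get(to) ?? 0n) + amount);
}

// Regression check: each token's balance delta must equal its own pending amount.
function checkHarvest(pendingVolt, pendingFuse, bugs = {}) {
  const ledger = { volt: new Map(), fuse: new Map() };
  const user = "user-1"; // constructed placeholder account
  harvest(ledger, user, pendingVolt, pendingFuse, bugs);
  const voltPaid = ledger.volt.get(user);
  const fusePaid = ledger.fuse.get(user);
  return { voltPaid, fusePaid, ok: voltPaid === pendingVolt && fusePaid === pendingFuse };
}

// Constructed fixtures: distinct amounts expose the findings, equal amounts hide them.
const DISTINCT = [700n, 30n];
const EQUAL = [50n, 50n];

function runSuite() {
  return {
    fixed: checkHarvest(...DISTINCT),
    overwrite: checkHarvest(...DISTINCT, { overwrite: true }),
    wrongVar: checkHarvest(...DISTINCT, { wrongTransferVar: true }),
    maskedByEqualFixture: checkHarvest(...EQUAL, { overwrite: true }),
  };
}

console.log(runSuite());
```

The last case is the one to carry into a real test suite: a fixture that funds both rewards with the same amount passes even with the overwrite present, so harvest tests need distinct Volt and Fuse amounts.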
     

Impressed by our findings and recommendations, the Voltage Finance developers promptly addressed all identified vulnerabilities.

Through our collaborative efforts, the Voltage Finance Protocol is now significantly more secure, ensuring the protection of user funds.

The Voltage Finance V3 Protocol’s smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the Voltage Finance V3 Protocol Team has taken a significant step towards securing its platform and safeguarding user trust.
