Indigo Protocol v1: Summary of MLabs Security Audit Report


Audit Summary

  • 3 were deemed critical;
  • 4 were deemed medium;
  • 6 were deemed low; and
  • 4 had no severity level

Audit Findings

  • Version Registry: ADA is locked in a UTxO to act as a read-only upgrade endpoint. Data stored at the Version Registry is used to process the upgrades for the protocol, so they must be stored for an indefinite period of time.
  • Poll Manager — There is an edge case in which the Poll ADA could be locked indefinitely, which may occur if the poll owner does not retrieve their ADA before the expiration period. This is unlikely as a poll owner will have 7 days to withdraw the funds they’ve deposited if the proposal has been passed and is incentivized to do so or else face the loss of their ADA.
  • Stability Pool — The Stability Pool validator has a UTxO called “EpochToScaleToSum” that acts as a read-only endpoint for the Stability Pool in certain edge cases where the Stability Pool is depleted or a large liquidation took place against it. When the epoch or scale of a Stability Pool is updated, the protocol sometimes utilizes a read-only UTxO that is then referenced for calculations of iAsset/ADA rewards.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Indigo is a decentralized synthetic asset issuance protocol built on Cardano