Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Circuit DAO>High findings>Unverified ,MIN_DEPOSIT, value
GeneralOverview
Findings
Critical (4)
High (7)Incorrect STATUTES_MAX_IDX for statutes mutationMistakes in auction-collateral calculationsOutlier resolution--logic bugsUnverified solution parameters in announcer_registry could lead to loss of rewardsUnverified solution parameters in recharge_win could lead to loss of tokensMissing timestamp validation in collateral vaultUnverified MIN_DEPOSIT value
Medium (1)
Low (1)
Informational (3)
DiscussionVote aggregationTreasury-ring correctness relies on governanceConfusion of atom-announcer identityOracle-resolution votingTest code coverage
DesignDesign overviewThe statues coinGovernanceAtom announcerAnnouncer registryOracleTreasuryRecharge auctionSurplus auctionCollateral vaultSavings vaultBYC and CRT
Audit ResultsAssessment Results
Category: Business Logic

Unverified MIN_DEPOSIT value

High Severity
Low Impact
Low Likelihood

Description

The atom announcer verifies the following parameters during the launch:

(assert
  (= DEPOSIT 0)
  (= DELAY 0)
  (= COOLDOWN_START 0)
  (= APPROVED 0)
  (= ATOM_VALUE 0)
  (= TIMESTAMP_EXPIRES 0)
  (= LAST_PENALTY_INTERVAL 0)
  (list ASSERT_MY_PARENT_ID LAUNCHER_ID)
)

However, it does not verify the MIN_DEPOSIT parameter, which should not be zero or a low value. As the atom announcer can only be approved via the governance, and hence the parameter can only be set via the governance, it is important to verify the validity of the parameter.

Impact

If the MIN_DEPOSIT value is low, the announcers could set their deposit to a very low value, and thus their penalty amount would be quite less. These announcers would be able to misbehave without penalty. This is not necessarily an issue because announcer approval passes through governance — which can verify their correct configuration. But this creates additional burden off chain, when the necessary checks could easily be done in the puzzles.

Recommendations

We recommend verifying the MIN_DEPOSIT amount in the atom_announcer puzzle.

Remediation

This issue has been acknowledged by Voltage Technologies Ltd., and fixes were implemented in the following commits:

Zellic © 2025Back to top ↑