Summary
The most critical subjects covered in our audit are the correct instantiation of all system components, the migration logic of the legacy system, and the upgradeability, configurability, and liveness of the system. In the current implementation, neither the current system (Shutting down a market configurator) nor the legacy system (Legacy CreditManager cannot be fully configured) can be fully configured. The migration of the legacy system is underspecified, as it is not known which components of the legacy system will immediately be upgraded to newer versions. Moreover, the liveness of the system can be harmed in some cases (Reverting proposals lock cross-chain governance). Finally, upgrading some components of the system is not possible (Factory migration will fail).
The general subjects covered are functional correctness, gas consumption, testing, and documentation and specification. Testing was very limited in the first iteration of the report. This led to a substantial number of functional correctness issues (Timelock transactions can be executed before the ETA) that could have been prevented. Testing was significantly improved in subsequent versions. Some of the operations executed by Governance have very high gas requirements. Documentation is sufficient. However, some parts are underspecified (Signatures On Different Chains).
In summary, we find that the system provides a high level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Gearbox Permissionless Smart Contracts
Gearbox implements a new governance system that aims to enable different risk curators to run their own Gearbox markets. The new system allows the migration of the legacy system into the new system.
“Gearbox is a generalized leverage protocol: it allows anyone to take leverage in a DeFi-native way and then use it across various DeFi protocols. You take leverage with Gearbox and then use it on other protocols you already love. For example, you can leverage trade on Uniswap, leverage farm on Yearn or Curve and Convex, make complex delta-neutral strategies involving options and derivatives, get Leverage-as-a-Service for your structured product doing complex positions, etc.
The protocol has two sides to it: passive liquidity providers who earn higher APY by providing liquidity, and active traders, farmers, or even other protocols who can borrow those assets to trade or farm with x4+ leverage.”
ChainSecurity has been an invaluable partner for us since the initial version of Gearbox. Their team pays close attention to every detail, prioritizing quality over quantity by carefully selecting the best auditors. This ongoing collaboration has transformed them into true partners in our journey, helping us develop the protocol safely.
0xMikko, Inventor of Gearbox Protocol