Summary
The most critical areas addressed in our audit are asset solvency, resistance to manipulation, and the precision of arithmetic operations. Security regarding asset solvency is high. In the first version (out of 5 versions), an empty orderbook could lead to bad debt due to the filling of orders at extreme prices, see High Priced Buy Order on Empty Orderbook Can Generate Bad Debt. The margin system has been revamped since version 2, fully resolving the issue by restricting the range in which orders can be created and enabling the admin to purge orders that fall outside this range. Resistance to price manipulation is good after the maximum allowable changes in the TWAP price have been lowered. TWAP instability could also be a concern if the spread is high, though it can be mitigated by Pendle's stated intention to lower the spread and increase the TWAP duration. Security regarding arithmetic operations is high. Rounding is performed in favor of the system and calculations are done with high precision.
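The following is an added illustrative model, not Pendle's code, of the empty-orderbook failure mode and of the two mitigations described above (an order rate band around the reference rate, and an admin purge of resting orders that fall outside it). It assumes rates in basis points, a linear mark-to-market loss against the TWAP reference, and a fixed collateral amount per order; all names and values are constructed for the example.

```python
from dataclasses import dataclass, field

# Toy model (assumption, not Pendle's implementation): rates are integer basis points,
# PnL is linear in the rate difference, and margin is fixed collateral posted per order.

@dataclass
class Order:
    owner: str
    side: str        # "buy" or "sell"
    rate_bps: int    # fixed rate the order is willing to trade at
    size: int        # notional
    margin: int      # collateral backing the resulting position

@dataclass
class Book:
    twap_bps: int             # oracle/TWAP reference rate
    max_deviation_bps: int    # allowed absolute distance from twap_bps
    bids: list = field(default_factory=list)
    asks: list = field(default_factory=list)

def within_band(book: Book, rate_bps: int) -> bool:
    return abs(rate_bps - book.twap_bps) <= book.max_deviation_bps

def place(book: Book, order: Order, enforce_band: bool = True) -> bool:
    """Accept an order onto the book. enforce_band=False models the pre-fix behaviour,
    where an order at any rate could rest on an otherwise empty book."""
    if enforce_band and not within_band(book, order.rate_bps):
        return False
    (book.bids if order.side == "buy" else book.asks).append(order)
    return True

def bad_debt_from_fill(book: Book, resting: Order, fill_size: int) -> int:
    """Mark a fill at the resting order's rate against the TWAP reference.
    Any loss beyond the posted margin is bad debt the protocol must absorb."""
    mtm_loss = abs(resting.rate_bps - book.twap_bps) * fill_size // 10_000
    return max(0, mtm_loss - resting.margin)

def purge_out_of_band(book: Book) -> list:
    """Admin action after the reference rate moves: drop resting orders outside the band."""
    purged = [o for o in book.bids + book.asks if not within_band(book, o.rate_bps)]
    book.bids = [o for o in book.bids if within_band(book, o.rate_bps)]
    book.asks = [o for o in book.asks if within_band(book, o.rate_bps)]
    return purged

def demo():
    """Pre-fix: a 50% buy on an empty book at a 5% reference fills and leaves bad debt.
    Post-fix: the same order is rejected by the band check. Returns (bad_debt, accepted)."""
    before = Book(twap_bps=500, max_deviation_bps=50)
    extreme = Order("alice", "buy", rate_bps=5_000, size=1_000_000, margin=50_000)
    place(before, extreme, enforce_band=False)
    debt = bad_debt_from_fill(before, before.bids[0], fill_size=1_000_000)
    after = Book(twap_bps=500, max_deviation_bps=50)
    return debt, place(after, extreme)   # returns (400000, False)
```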
General topics covered include code complexity, documentation and decentralization. Security regarding code complexity is good. The codebase is well-structured, though it makes extensive use of inline assembly, which bypasses many built-in safety checks. Security regarding documentation is high, with both a whitepaper and a specification available. Decentralization is improvable. Risk operations that are required to maintain the economic security of the protocol, such as order cancellation, order purging, and liquidations, are permissioned and can only be performed by whitelisted accounts. Users must trust the admin to perform these obligations at all times for the protocol to remain solvent.
In summary, we find that the codebase provides a good level of security. However, the settlement process, involving FTags, TickNonceData, MatchEvent, Quaternary Indexed Trees, and optimized sorting (LibOrderIdSort), is exceptionally complex. While designed for efficiency, such complexity significantly increases the surface area for subtle bugs related to state consistency, off-by-one errors, or incorrect handling of edge cases. The margin logic is also mathematically complex, and incorrect mathematical modeling of the system, which is out of scope of this review, might lead to insolvency of certain users. The risks are mitigated by the upgradeable and pausable nature of the contracts. We recommend that Pendle implement extensive monitoring of the protocol to swiftly react in case of anomalies. The security of the system also vitally depends on the correct selection of market parameters, such as the TWAP time window, maximum rate deviation, margin factors, and more. It is the responsibility of Pendle to choose parameters that ensure the security of the system.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Pendle Boros Markets
Pendle implements Pendle Boros, a marketplace for Interest Rate Swaps based on oracle-reported rates and an on-chain orderbook, allowing cross-margined markets and leverage.
We were thoroughly impressed by the quality of work ChainSecurity delivered. The team demonstrated a deep understanding of our system, and their thorough, detail-oriented approach truly amazed us. We were equally impressed by their flexibility and professionalism in adapting to unforeseen circumstances. We’re very much looking forward to future collaborations.
Long Vuong Hoang, Head of Engineering