About Diamond PAU v1.14
Sky implements two new facets integrating NFAT facilities into the PAU system. An NFAT facility is a lending venue: NFATPrimeFacet implements the lender-side flows (subscribing capital, withdrawing it, and collecting repayments), while NFATHaloFacet implements the borrower-side flows, drawing principal against issued NFATs and servicing it while tracking outstanding principal and linearly accruing interest per position.
Summary
The most critical subjects covered in our audit are functional correctness, security of assets and access control. The per position accounting tracks outstanding principal and non-compounding interest and bounds repayments accordingly. It relies on facility configuration that is not enforced on-chain, see Issue Accounting and Rate Limit Are Not Bound to the Facility Gem. Security regarding all the aforementioned subjects is high.
The general subjects covered are documentation, trustworthiness, and event handling. The codebase features extensive NatSpec and a dedicated integration document; we reported several mismatches between documentation and implementation, see NatSpec and Documentation Mismatches. The trust model's containment of a compromised allocator holds for asset flows; for data-only actions and the facility configuration the facets rely on off-chain, see Data-Only Subscribe Is Not Restricted for a Compromised Allocator and Issue Does Not Enforce That the Facility Recipient Is the ALMProxy. Security regarding all the aforementioned subjects is good.
In summary, we find that the codebase provides a high level of security. It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.