Mage Labs DEX Smart Contract Security Audit Report
Audit Overview
- Date: January 28th, 2025
- Client: Mage Labs - Advanced DEX Platform (magelabs.xyz)
- Auditor: Audita Security (audita.io)
- Network: Solana
- Language: Rust
- Audit Period: January 20th - January 28th, 2025
- Audit Commit: ae421fc13a1c83ad5853d702d00efaf0000a6abd
Severity Summary
| Severity | Count | Status |
|---|---|---|
| Critical | 0 | - |
| High | 2 | [RESOLVED] |
| Medium | 2 | [RESOLVED] |
| Low | 3 | [RESOLVED] |
| Informational | 7 | [RESOLVED] |
High Severity Findings
SNAP-01: Incorrect Deposit Function Token Calculation
- The calculations for input tokens in the deposit function are rounded in the wrong direction
- Impact: Malicious users could mint LP shares for free, effectively stealing funds from other liquidity providers
- Recommendation: Change rounding direction from `RoundDirection::Floor` to `RoundDirection::Ceiling` in deposit calculations
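The following is an added illustration of the SNAP-01 rounding issue, not code from the Mage Labs DEX or from the auditor. The `RoundDirection` enum is reconstructed to match the name in the finding, and `mul_div`, `tokens_for_shares` and `deposit_cost` are hypothetical helpers: a pro-rata deposit charges `shares * reserve / lp_supply` of each token, and rounding that quotient down lets a small share amount cost zero tokens, while rounding up (as the recommendation requires) always charges at least one unit for a non-zero share amount.

```rust
/// Rounding mode for integer multiply-then-divide. This mirrors the shape of
/// the `RoundDirection` enum the report names; it is a reconstruction for this
/// example, not the project's own type.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RoundDirection {
    Floor,
    Ceiling,
}

/// Computes `a * b / denom` with a u128 intermediate so the product cannot
/// overflow, rounding in the requested direction. Returns `None` when `denom`
/// is zero or the quotient does not fit in a u64.
pub fn mul_div(a: u64, b: u64, denom: u64, dir: RoundDirection) -> Option<u64> {
    if denom == 0 {
        return None;
    }
    let num = a as u128 * b as u128;
    let d = denom as u128;
    let q = match dir {
        RoundDirection::Floor => num / d,
        // Ceiling: round up unless the division is exact.
        RoundDirection::Ceiling => num / d + u128::from(num % d != 0),
    };
    u64::try_from(q).ok()
}

/// Tokens a depositor owes for `shares` LP tokens when the pool holds `reserve`
/// of this token against `lp_supply` outstanding shares (pro-rata deposit).
pub fn tokens_for_shares(shares: u64, reserve: u64, lp_supply: u64, dir: RoundDirection) -> Option<u64> {
    mul_div(shares, reserve, lp_supply, dir)
}

/// Deposit quote as the report recommends: both amounts owed round up, so a
/// non-zero share amount never costs zero tokens and existing LPs are never
/// diluted by rounding. Rejects zero-share deposits and empty pools.
pub fn deposit_cost(shares: u64, reserve_a: u64, reserve_b: u64, lp_supply: u64) -> Option<(u64, u64)> {
    if shares == 0 || lp_supply == 0 {
        return None;
    }
    let owed_a = tokens_for_shares(shares, reserve_a, lp_supply, RoundDirection::Ceiling)?;
    let owed_b = tokens_for_shares(shares, reserve_b, lp_supply, RoundDirection::Ceiling)?;
    Some((owed_a, owed_b))
}

fn main() {
    // Constructed pool: 1_000 of token A, 5_000 of token B, 3_000 LP shares outstanding.
    let (reserve_a, reserve_b, lp_supply) = (1_000u64, 5_000u64, 3_000u64);
    for dir in [RoundDirection::Floor, RoundDirection::Ceiling] {
        let owed = tokens_for_shares(1, reserve_a, lp_supply, dir);
        println!("{dir:?}: 1 share costs {owed:?} units of token A");
    }
    println!("deposit_cost(1 share) = {:?}", deposit_cost(1, reserve_a, reserve_b, lp_supply));
}
```

With the constructed pool, one share is worth a third of a unit of token A; `Floor` charges 0 while `Ceiling` charges 1. The test below fixes those values so the two directions can be compared directly.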
SNAP-02: Incorrect Constant Product Calculations
- Swap calculations include accumulated fees in token amounts
- Impact: Constant product calculations will be incorrect due to inclusion of fee amounts
- Recommendation: Use total token amounts without swap fees for constant product calculations
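The following is an added example for SNAP-02, not code from the Mage Labs DEX or from the auditor. It assumes a hypothetical `Vault` record that tracks the whole vault balance alongside the fees accumulated in it, and compares a quote computed against raw balances (the defect the finding describes) with one computed against fee-excluded reserves. `apply_swap` also re-checks the constant product on the fee-excluded reserves after the trade, which is the invariant a mispriced quote would break. The fee rate and all balances are constructed sample values.

```rust
/// Swap fee in basis points (constructed sample parameter, not the project's).
pub const SWAP_FEE_BPS: u64 = 30;
pub const BPS_DENOM: u64 = 10_000;

/// What the program holds for one side of the pool: the whole vault balance,
/// and the part of it that is accumulated fees rather than trading liquidity.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Vault {
    pub balance: u64,
    pub accumulated_fees: u64,
}

impl Vault {
    /// Liquidity that may take part in pricing: balance minus fees set aside.
    pub fn reserve(&self) -> Option<u64> {
        self.balance.checked_sub(self.accumulated_fees)
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum SwapError {
    Overflow,
    InsufficientLiquidity,
    InvariantViolated,
}

/// Constant-product output for `amount_in_net` (fee already removed):
/// out = reserve_out * in / (reserve_in + in), rounded down in the pool's favour.
pub fn constant_product_out(reserve_in: u64, reserve_out: u64, amount_in_net: u64) -> Result<u64, SwapError> {
    let num = reserve_out as u128 * amount_in_net as u128;
    let den = reserve_in as u128 + amount_in_net as u128;
    if den == 0 {
        return Err(SwapError::InsufficientLiquidity);
    }
    u64::try_from(num / den).map_err(|_| SwapError::Overflow)
}

/// Splits an input amount into (fee, net input). The fee is what the pool keeps.
pub fn fee_split(amount_in: u64) -> (u64, u64) {
    let fee = (amount_in as u128 * SWAP_FEE_BPS as u128 / BPS_DENOM as u128) as u64;
    (fee, amount_in - fee)
}

/// The defect described in SNAP-02: pricing against raw vault balances, so the
/// fees parked in the vault behave as if they were liquidity.
pub fn quote_with_fees_in_reserves(vault_in: &Vault, vault_out: &Vault, amount_in: u64) -> Result<u64, SwapError> {
    let (_fee, net) = fee_split(amount_in);
    constant_product_out(vault_in.balance, vault_out.balance, net)
}

/// Corrected quote: fees are excluded from both reserves before pricing.
pub fn quote(vault_in: &Vault, vault_out: &Vault, amount_in: u64) -> Result<u64, SwapError> {
    let (_fee, net) = fee_split(amount_in);
    let r_in = vault_in.reserve().ok_or(SwapError::Overflow)?;
    let r_out = vault_out.reserve().ok_or(SwapError::Overflow)?;
    constant_product_out(r_in, r_out, net)
}

/// Applies a swap: the fee is parked in the input vault's fee accumulator, the
/// net input joins the reserve, and the product of fee-excluded reserves is
/// checked not to have decreased. Returns the amount paid out.
pub fn apply_swap(vault_in: &mut Vault, vault_out: &mut Vault, amount_in: u64) -> Result<u64, SwapError> {
    let (fee, net) = fee_split(amount_in);
    let r_in = vault_in.reserve().ok_or(SwapError::Overflow)?;
    let r_out = vault_out.reserve().ok_or(SwapError::Overflow)?;
    let amount_out = constant_product_out(r_in, r_out, net)?;
    if amount_out >= r_out {
        return Err(SwapError::InsufficientLiquidity);
    }
    let new_balance_in = vault_in.balance.checked_add(amount_in).ok_or(SwapError::Overflow)?;
    let new_fees_in = vault_in.accumulated_fees.checked_add(fee).ok_or(SwapError::Overflow)?;
    // Invariant on trading liquidity only: k must not shrink after the trade.
    let k_before = r_in as u128 * r_out as u128;
    let k_after = (r_in + net) as u128 * (r_out - amount_out) as u128;
    if k_after < k_before {
        return Err(SwapError::InvariantViolated);
    }
    vault_in.balance = new_balance_in;
    vault_in.accumulated_fees = new_fees_in;
    vault_out.balance -= amount_out;
    Ok(amount_out)
}

fn main() {
    // Constructed state: 1_000_000 liquidity per side, plus 100_000 of fees sitting in vault A.
    let a = Vault { balance: 1_100_000, accumulated_fees: 100_000 };
    let b = Vault { balance: 1_000_000, accumulated_fees: 0 };
    println!("fees in reserves: {:?}", quote_with_fees_in_reserves(&a, &b, 10_000));
    println!("fees excluded:    {:?}", quote(&a, &b, 10_000));
}
```

For a 10_000 input, pricing against raw balances returns 8_982 while the fee-excluded reserves return 9_871, so the accumulated fees silently distort the price every trader receives.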
Medium Severity Findings
SNAP-03: Insufficient TWAP Observation Window
- A fixed-size circular buffer of 100 observations limits historical price data to 25 minutes at the 15-second update interval
- Impact: TWAP calculations may fail to cover the intended time frame, leading to price inaccuracies
- Recommendation: Increase observation buffer size to 150-200 entries
SNAP-04: TWAP Update Interval Mismatch
- The 15-second update interval is too long relative to Solana’s 400ms block time
- Impact: Price updates may be delayed, affecting trading accuracy
- Recommendation: Reduce update interval to match Solana’s block time characteristics
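The following is an added example covering SNAP-03 and SNAP-04 together, not code from the Mage Labs DEX or from the auditor. It implements a hypothetical fixed-capacity circular buffer of cumulative-price observations with a TWAP query that refuses, rather than silently shortening the window, when the requested window reaches back past the oldest entry still in the buffer (the failure mode SNAP-03 describes), plus a `should_update` check driven by the update interval from SNAP-04. Timestamps, prices and the capacity of 4 are constructed values chosen to make the overwrite visible.

```rust
use std::collections::VecDeque;

/// One oracle observation: the spot price recorded at `timestamp` (seconds)
/// and the time-weighted cumulative price up to that instant.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Observation {
    pub timestamp: u64,
    pub price: u64,
    pub cumulative_price: u128, // sum of price * elapsed seconds
}

#[derive(Debug, PartialEq, Eq)]
pub enum TwapError {
    NoObservations,
    NonMonotonicTimestamp,
    InvalidWindow,
    /// The buffer has already overwritten the observation the window needs.
    InsufficientHistory { oldest_timestamp: u64, window_start: u64 },
}

/// Fixed-capacity circular buffer; the oldest observation is dropped when full.
pub struct TwapBuffer {
    obs: VecDeque<Observation>,
    capacity: usize,
    update_interval: u64,
}

impl TwapBuffer {
    pub fn new(capacity: usize, update_interval: u64) -> Self {
        TwapBuffer { obs: VecDeque::with_capacity(capacity), capacity, update_interval }
    }

    /// True once a full update interval has elapsed since the newest observation.
    pub fn should_update(&self, now: u64) -> bool {
        self.obs.back().map_or(true, |last| now >= last.timestamp + self.update_interval)
    }

    /// Seconds of history currently held (newest minus oldest timestamp).
    pub fn history_secs(&self) -> u64 {
        match (self.obs.front(), self.obs.back()) {
            (Some(first), Some(last)) => last.timestamp - first.timestamp,
            _ => 0,
        }
    }

    /// Records a price, accumulating `previous_price * elapsed` since the last entry.
    pub fn record(&mut self, timestamp: u64, price: u64) -> Result<(), TwapError> {
        let cumulative_price = match self.obs.back() {
            Some(last) => {
                let elapsed = timestamp.checked_sub(last.timestamp).ok_or(TwapError::NonMonotonicTimestamp)?;
                last.cumulative_price + last.price as u128 * elapsed as u128
            }
            None => 0,
        };
        if self.obs.len() == self.capacity {
            self.obs.pop_front();
        }
        self.obs.push_back(Observation { timestamp, price, cumulative_price });
        Ok(())
    }

    /// Cumulative price at `t`, extended from the latest observation at or before `t`.
    fn cumulative_at(&self, t: u64) -> Result<u128, TwapError> {
        let oldest = self.obs.front().ok_or(TwapError::NoObservations)?;
        if t < oldest.timestamp {
            return Err(TwapError::InsufficientHistory { oldest_timestamp: oldest.timestamp, window_start: t });
        }
        let anchor = self.obs.iter().rev().find(|o| o.timestamp <= t).expect("oldest satisfies the bound");
        Ok(anchor.cumulative_price + anchor.price as u128 * (t - anchor.timestamp) as u128)
    }

    /// Time-weighted average price over the last `window` seconds ending at `now`.
    pub fn twap(&self, now: u64, window: u64) -> Result<u64, TwapError> {
        if window == 0 {
            return Err(TwapError::InvalidWindow);
        }
        let newest = self.obs.back().ok_or(TwapError::NoObservations)?;
        let start = now.checked_sub(window).ok_or(TwapError::InvalidWindow)?;
        if now < newest.timestamp {
            return Err(TwapError::InvalidWindow);
        }
        let delta = self.cumulative_at(now)? - self.cumulative_at(start)?;
        Ok((delta / window as u128) as u64)
    }
}

/// Builds the constructed scenario: capacity 4, 15-second interval, five updates.
pub fn sample_buffer() -> TwapBuffer {
    let mut buf = TwapBuffer::new(4, 15);
    for (t, p) in [(0, 100), (15, 100), (30, 100), (45, 200), (60, 200)] {
        buf.record(t, p).expect("monotonic timestamps");
    }
    buf
}

fn main() {
    let buf = sample_buffer();
    println!("history held: {}s", buf.history_secs());
    println!("twap(60, 30) = {:?}", buf.twap(60, 30));
    println!("twap(60, 60) = {:?}", buf.twap(60, 60));
}
```

After five updates the four-slot buffer has dropped the observation at t=0, so a 60-second window ending at t=60 fails with `InsufficientHistory` even though the oracle has been running for 60 seconds; sizing the buffer to the intended window, as the recommendation for SNAP-03 requires, is what makes that query answerable.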
Resolution Status
All identified issues have been addressed and implemented in the current version of the Mage Labs DEX. The security improvements include:
- Enhanced Calculation Accuracy: Proper rounding directions implemented
- Improved TWAP System: Extended observation window and optimized update intervals
- Fee Handling: Corrected constant product calculations
- Security Hardening: Additional safeguards against potential exploits
Ongoing Security
Mage Labs maintains a commitment to security through:
- Regular audit cycles
- Community bug bounty programs
- Continuous monitoring systems
- Transparent security reporting
Key Recommendations
- Fix high severity deposit function rounding issue
- Correct constant product calculations to exclude fees
- Increase TWAP observation buffer and reduce update interval
- Implement deadline checks in swap functions
- Update vulnerable dependencies
- Add comprehensive integration testing suite
Dependencies Requiring Updates
- curve25519-dalek: RUSTSEC-2024-0344
- ed25519-dalek: RUSTSEC-2022-0093
Overall Assessment
The Mage Labs DEX smart contracts have undergone comprehensive security review. All Medium severity findings have been successfully resolved, and the remaining High severity items are being actively addressed. The protocol demonstrates solid security fundamentals with appropriate safeguards in place. Once all identified concerns are fully remediated, the smart contracts are expected to operate safely with minimal risk to the protocol and its users.
Disclaimer
This audit does not provide absolute guarantees of security. Multiple independent audits and ongoing security practices are recommended. Smart contract platforms and their programming languages are not immune to potential vulnerabilities.