[Audit] Summary - Nemesis Defifa lifecycle/state audit #149

@mejango

Audit seed

Nemesis fresh round / defifa / all Solidity in src/ and script/ / lifecycle-state coupling, governance, settlement.

Scope covered

  • defifa/src/**/*.sol
  • defifa/script/**/*.sol
  • Dependency-aware boundary context from nana-core-v6, nana-721-hook-v6, nana-address-registry-v6, and nana-permission-ids-v6 audit instructions.

Passes run

  • Phase 0 recon and hit list.
  • Feynman full pass over all scoped Solidity.
  • State inconsistency full pass enriched by Feynman suspects.
  • Targeted Feynman re-interrogation of new state gaps.
  • Targeted State re-analysis until convergence.
  • Hybrid verification for the surviving finding.

Findings submitted

  1. [Audit] [MEDIUM] Zero-timeout Defifa games can lock if only one tier participates #148

Verification performed

forge test --match-path 'test/audit/CodexNemesisSingleParticipatedTierTimeout.t.sol' --match-test test_codexNemesis_singleParticipatedTierZeroTimeoutLocksGame -vvv
[PASS] test_codexNemesis_singleParticipatedTierZeroTimeoutLocksGame()

forge build --deny notes
Compiler run successful!

The temporary PoC test was not retained in the repo after verification.

Ecosystem observations

  • The highest-risk local boundary is not a raw math error; it is the mismatch between launch-time configuration assumptions and runtime participated-tier state.
  • The BWA/quorum design is internally consistent for multi-sided participation, but it requires a live fallback when participation collapses to a single outcome.
  • Deployment scripts were included in scope. No verified deploy-script finding was retained.

Zero-finding areas after self-review

  • Commitment payout failure accounting: catch path resets fulfilledCommitmentsOf.
  • Reserve beneficiary validation: delegated store validation prevents malformed reserve tier setup.
  • Cash-out burn ordering on NothingToClaim: revert rolls back the burn path.
  • Typeface deployment wiring: script checks configured address and code length before deploying.
