Parrot Protocol Security Enhancements
The Parrot team has upgraded the protocol Program to add redundant security enhancements. The team went through multiple rounds of reviews for this upgrade, and no new issue was discovered.
Here are the enhancements we introduced.
- Locked down creation of new debt types and new vault types.
This decreases the protocol attack surface by preventing attackers from creating “fake accounts” to confuse the protocol.
- We added the feature to lower the debt-ceiling by burning excess PAI supply. This minimizes the amount of PAI controlled by the protocol, and thus limits potential losses if a hack should happen.
The Program does not have minting authority, and therefore even in the event of a hack, only the remaining debt ceiling is at risk. The debt-ceiling is a HARD limit. Infinite mint of PAI is impossible.
Previously there was no way to lower the debt-ceiling.
- The protocol now restricts repayment and collateral addition to the vault owners only.
Previously the program allowed anyone to repay a debt position or to increase the collateral for a vault. As these operations increase the vault health, it was safe for anyone to do it. The intention for this was to build an automatic vault protection feature.
This is restricted until we have actual features that demand otherwise.
- The protocol now restricts unstaking and minting so that the destination addresses must be the associated token accounts of the vault owner.
Previously, for unstake and minting, the vault owner could specify a destination wallet other than the vault owner's own. This was intended as a mechanic to enhance protocol composability.
This flexibility does open a potential attack vector: if the frontend were compromised, a malicious UI could direct the vault owner to unstake and mint to a different wallet.
However, if the UI is compromised, any wallet could be trivially drained anyway, regardless of any on-chain security measures.
- Added further redundant security checks for cases where they are not strictly necessary.
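The list above describes three kinds of on-chain invariants: a hard debt ceiling that can only shrink (by burning PAI the program holds but has not lent), owner-only repayment and collateral addition, and a destination check that pins unstake and mint outputs to the owner's associated token accounts. The following plain-Rust model is an added illustration, not the Parrot program and not Solana code. The names (`DebtType`, `Vault`, `ProtocolError`), the toy `associated_token_account` derivation (a stand-in for Solana's program-derived ATA), and the reading of "no minting authority" as the program holding a fixed pool of pre-minted PAI are all assumptions of this example; collateral-ratio checks are deliberately left out.

```rust
// Added example: a plain-Rust model of the checks listed in the announcement.
// Not the Parrot program. DebtType, Vault, the toy ATA derivation and all
// amounts are assumptions of this illustration.

type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum ProtocolError {
    NotVaultOwner,
    WrongDestination,
    DebtCeilingExceeded,
    InsufficientUnlentPai,
    InsufficientCollateral,
}

/// Stand-in for the associated-token-account derivation. Real Solana ATAs are
/// program-derived addresses; any deterministic function of (owner, mint) is
/// enough to demonstrate the destination check.
fn associated_token_account(owner: &Pubkey, mint: &Pubkey) -> Pubkey {
    let mut ata = [0u8; 32];
    for i in 0..32 {
        ata[i] = owner[i].wrapping_mul(31) ^ mint[i];
    }
    ata
}

/// Assumed model of a debt type: the program holds a fixed pool of pre-minted
/// PAI and has no mint authority, so the ceiling is `unlent + outstanding`.
/// "Minting" to a user moves PAI out of `unlent_pai`; burning destroys unlent
/// PAI and therefore lowers the ceiling. The ceiling can never grow here.
struct DebtType {
    unlent_pai: u64,
    outstanding_debt: u64,
}

impl DebtType {
    fn debt_ceiling(&self) -> u64 {
        self.unlent_pai + self.outstanding_debt
    }
    /// Hard limit: lending more than the unlent pool is impossible.
    fn lend(&mut self, amount: u64) -> Result<(), ProtocolError> {
        if amount > self.unlent_pai {
            return Err(ProtocolError::DebtCeilingExceeded);
        }
        self.unlent_pai -= amount;
        self.outstanding_debt += amount;
        Ok(())
    }
    fn repay(&mut self, amount: u64) {
        self.outstanding_debt -= amount;
        self.unlent_pai += amount;
    }
    /// Lower the ceiling by burning PAI the protocol holds but has not lent.
    /// Returns the new ceiling.
    fn burn_excess(&mut self, amount: u64) -> Result<u64, ProtocolError> {
        if amount > self.unlent_pai {
            return Err(ProtocolError::InsufficientUnlentPai);
        }
        self.unlent_pai -= amount;
        Ok(self.debt_ceiling())
    }
}

struct Vault {
    owner: Pubkey,
    collateral: u64,
    debt: u64,
}

impl Vault {
    fn require_owner(&self, signer: &Pubkey) -> Result<(), ProtocolError> {
        if &self.owner != signer {
            return Err(ProtocolError::NotVaultOwner);
        }
        Ok(())
    }
    /// Previously callable by anyone; now owner-only.
    fn repay(&mut self, signer: &Pubkey, dt: &mut DebtType, amount: u64) -> Result<(), ProtocolError> {
        self.require_owner(signer)?;
        let amount = amount.min(self.debt);
        self.debt -= amount;
        dt.repay(amount);
        Ok(())
    }
    /// Previously callable by anyone; now owner-only.
    fn add_collateral(&mut self, signer: &Pubkey, amount: u64) -> Result<(), ProtocolError> {
        self.require_owner(signer)?;
        self.collateral += amount;
        Ok(())
    }
    /// Mint PAI against the vault; destination must be the owner's PAI ATA.
    fn mint_pai(&mut self, signer: &Pubkey, dt: &mut DebtType, pai_mint: &Pubkey,
                destination: &Pubkey, amount: u64) -> Result<(), ProtocolError> {
        self.require_owner(signer)?;
        if destination != &associated_token_account(&self.owner, pai_mint) {
            return Err(ProtocolError::WrongDestination);
        }
        dt.lend(amount)?;
        self.debt += amount;
        Ok(())
    }
    /// Unstake collateral; destination must be the owner's collateral ATA.
    fn unstake(&mut self, signer: &Pubkey, collateral_mint: &Pubkey,
               destination: &Pubkey, amount: u64) -> Result<(), ProtocolError> {
        self.require_owner(signer)?;
        if destination != &associated_token_account(&self.owner, collateral_mint) {
            return Err(ProtocolError::WrongDestination);
        }
        if amount > self.collateral {
            return Err(ProtocolError::InsufficientCollateral);
        }
        self.collateral -= amount;
        Ok(())
    }
}
```

The point to take from the model is that the destination check is computed from the vault's stored owner, never from a caller-supplied account, so even a frontend that fills in a foreign wallet cannot redirect tokens; and that `burn_excess` only ever moves the ceiling down, so a compromise of the program can at most reach the unlent pool.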
Protocol security is not a static process. Passing audits doesn’t mean that “security is done”. As the threat environment evolves and best practices improve, there is always more to do.
Only the paranoid survive.
The Parrot Team will conduct security reviews on a periodic basis to find opportunities to decrease protocol risk exposure and to add further security layers.
Funds are #safu.