Infrared Finance

Smart Contract Audit of Infrared Protocol

Cantina Security Report

Organization

@Infrared-Finance

Engagement Type

Spearbit Web3

Period

-


DeFi Protocol Security Review of Infrared

Infrared simplifies interacting with Proof of Liquidity through innovative liquid staking products such as iBGT and iBERA, representing a significant advancement in decentralized finance infrastructure. The protocol's liquid staking mechanisms enable users to participate in network validation while maintaining liquidity of their staked assets.

This focused security review was conducted by Cantina as part of our commitment to advancing security standards in decentralized finance protocols. Our expert security researchers evaluated the protocol updates and enhancements to ensure enterprise-grade security standards for liquid staking operations and reward distribution mechanisms.

Beyond traditional security reviews, Cantina supports DeFi protocols like Infrared with comprehensive security solutions including bug bounty programs, crowdsourced security competitions, incident response, and multisig security to provide continuous protection across the full lifecycle of protocol development and deployment.


Findings

Informational

2 findings

2 fixed

0 acknowledged


Informational: 2 findings

  1. Minor improvements to code and comments

    Severity: Informational

    Submitted by

    MiloTruck


    Context: See below.

    Description/Recommendation:

    1. InfraredV1_5.sol#L7-L9 - The Errors and UUPSUpgradeable imports are unused and can be removed.

    2. RewardsLib.sol#L434 - Typo, "infarred" -> "Infrared"

    3. RewardsLib.sol#L146 - Typo, recepient should be recipient.

    Recommendation: Fixed in commit e786416.

    Cantina: Verified.

  2. InfraredV1_5.claimExternalVaultRewards() allows anyone to claim rewards on a user's behalf

    Severity: Informational

    Submitted by

    MiloTruck


    Context: InfraredV1_5.sol#L23-L26

    Description:

    InfraredV1_5.claimExternalVaultRewards() does not perform any access control checks on msg.sender. This allows anyone to claim BGT rewards on behalf of any user, as long as that user has set the InfraredV1_5 contract as its operator in a vault.

    While this does not cause any issues as the iBGT rewards claimed are still sent to the user, it exposes unnecessary risk to the contract.

    Recommendation:

    Consider including access control in claimExternalVaultRewards(). For example, only allow the function to be called by the protocol's keeper through the onlyKeeper modifier, which would be consistent with reward functionality in previous versions (e.g. claimBGTIncentives() in InfraredV1_4).

    Recommendation: Fixed in commit 69019f8.

    Cantina: Verified.
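
The access-control gap in finding 2 and the recommended keeper-only form, as an added Solidity sketch that is not Infrared's code. The `IRewardVaultLike` interface, the `(vault, user)` parameters, the `isKeeper` mapping and the `NotKeeper` error are all hypothetical; only the function name `claimExternalVaultRewards()` and the `onlyKeeper` modifier name come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for an external reward vault: the operator that an
// account has set may trigger a claim for that account.
interface IRewardVaultLike {
    function getReward(address account, address recipient) external returns (uint256);
}

// Pattern described in the finding: no check on msg.sender.
contract ClaimOpen {
    function claimExternalVaultRewards(address vault, address user) external {
        // Any caller can trigger a claim for any `user` that has set this
        // contract as its operator in `vault`. The step that forwards the
        // resulting iBGT to `user` is omitted (assumed, not shown in the report).
        IRewardVaultLike(vault).getReward(user, address(this));
    }
}

// Pattern described in the recommendation: keeper-only entry point.
contract ClaimKeeperOnly {
    error NotKeeper(address caller);

    // Hypothetical role storage; a real protocol would reuse its existing roles.
    mapping(address => bool) public isKeeper;

    constructor(address keeper) {
        isKeeper[keeper] = true;
    }

    modifier onlyKeeper() {
        if (!isKeeper[msg.sender]) revert NotKeeper(msg.sender);
        _;
    }

    // Same body as above; the modifier rejects every caller that is not a
    // registered keeper before the vault is touched.
    function claimExternalVaultRewards(address vault, address user) external onlyKeeper {
        IRewardVaultLike(vault).getReward(user, address(this));
    }
}
```

The outcome for the user is the same in both contracts. The difference is who controls when the claim happens: in the keeper-only form, third parties can no longer trigger it.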