Below is the feedback and responses to the ETH Omnipool audit report from Peckshield received on the 17th June 2023.
# PVEs
## PVE-001: Affected Exchange Rate Calculation From Curve Read-Only Reentrancy
Fixed: [Commit](https://github.com/ConicFinance/protocol_audit/commit/f525cdd27e45a5d9ffdf2ae771aae6e1b210217c)
Note that only [`isReentrantCall`](https://github.com/ConicFinance/protocol_audit/commit/f525cdd27e45a5d9ffdf2ae771aae6e1b210217c#diff-6b87fcaf857a7da7f9cd4c6c4ea156b8fd80c7ee84383db8f207d2306a651922R105) and [`reentrancyCheck`](https://github.com/ConicFinance/protocol_audit/commit/f525cdd27e45a5d9ffdf2ae771aae6e1b210217c#diff-6b87fcaf857a7da7f9cd4c6c4ea156b8fd80c7ee84383db8f207d2306a651922R165) have been added to `CurveHandlerV3`; the rest of the contract is identical to the previous `CurveHandlerV2`.
## PVE-002: Possibly Larger `_cachedTotalUnderlying` in `ConicEthPool`
We do not need an exact amount, as this is only used to decide how the CNC tokens will be distributed.
Therefore, we accept this potential minor imprecision.
## PVE-003: Trust Issue of Admin Keys
This is the same as PVE-007 from the previous audit. Here is the answer previously provided, which still holds.
We note that the `GovernanceProxy` is currently deployed here: https://etherscan.io/address/0xCb7c67bDde9F7aF0667E8d82bb87F1432Bd1d902
There are several admin functions throughout the protocol which, if called by a malicious admin, could negatively affect the protocol. To mitigate this risk, the admin for all contracts will be set to the `GovernanceProxy` contract, and the admin of the `GovernanceProxy` contract will in turn be the Conic Multisig. The `GovernanceProxy` is responsible for enforcing delays on contract calls, so that users have time to review changes before they are executed, limiting the control of the Multisig.
- The Multisig will be able to call the `requestChange` function, which queues a change for execution. This change can then be executed by anyone after the set delay period.
- In addition, a Veto (or emergency) multisig will exist, which consists of core members from other protocols within the Curve ecosystem. This multisig is able to 'veto' any pending change by calling the `cancelChange` function, so that a malicious change can be cancelled before its delay ends.
- The delays for each call are set for the function selectors, and updated via `updateDelay`.
We believe this should be sufficient to mitigate this risk.
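The request, delay, execute and veto flow described above, as an added illustrative example (not Conic's `GovernanceProxy` code; the contract layout, the `executeChange` function and the self-call guard on `updateDelay` are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Illustrative timelock (not Conic's GovernanceProxy): delays are keyed by function
// selector, anyone may execute a queued change once its delay has passed, and a veto
// multisig may cancel a change while it is still pending.
contract DelayedGovernance {
    struct Change { address target; bytes data; uint64 readyAt; bool executed; bool cancelled; }

    address public immutable governance; // the Conic Multisig in the setup described above
    address public immutable veto;       // the emergency (veto) multisig
    mapping(bytes4 => uint64) public delays; // function selector => delay in seconds
    Change[] public changes;

    constructor(address governance_, address veto_) { governance = governance_; veto = veto_; }

    // Queue a call; its delay is looked up from the selector in the first four calldata bytes.
    function requestChange(address target, bytes calldata data) external returns (uint256) {
        require(msg.sender == governance, "not governance");
        require(data.length >= 4, "missing selector");
        uint64 readyAt = uint64(block.timestamp) + delays[bytes4(data)];
        changes.push(Change(target, data, readyAt, false, false));
        return changes.length - 1;
    }

    // Anyone may execute once the delay has elapsed, provided the change was not vetoed.
    function executeChange(uint256 id) external {
        Change storage c = changes[id];
        require(!c.executed && !c.cancelled, "not pending");
        require(block.timestamp >= c.readyAt, "delay not elapsed");
        c.executed = true;
        (bool ok, bytes memory ret) = c.target.call(c.data);
        require(ok, string(ret));
    }

    // The veto multisig cancels a pending change before its delay ends.
    function cancelChange(uint256 id) external {
        require(msg.sender == veto, "not veto multisig");
        Change storage c = changes[id];
        require(!c.executed && !c.cancelled, "not pending");
        c.cancelled = true;
    }

    // Only reachable through a queued change targeting this contract, so shortening a
    // delay is itself subject to the current delay registered for `updateDelay`.
    function updateDelay(bytes4 selector, uint64 delay) external {
        require(msg.sender == address(this), "must go through requestChange");
        delays[selector] = delay;
    }
}
```

A delay of zero for a selector that was never registered means the change is executable immediately, so a deployment should register delays for every sensitive selector (including `updateDelay` itself) before handing over admin rights.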
# Other comments
## Curve LP oracle
> I'd like to ensure that the oracles for Conic will ensure the Curve pools being interacted with are balanced for the user deposit / withdraw operations. Otherwise, there is a security issue when depositing into/withdrawing from imbalanced pools.
We do ensure that the Curve pools are balanced for user deposits and withdrawals. This is handled in the `CurveLPOracle` contract on line 71. The flow by which this check is reached is as follows:
- The `ConicPool` needs to price a Curve LP token for a deposit or withdrawal, so it calls the `GenericOracle.getUSDPrice` function.
- The `GenericOracle.getUSDPrice` function determines that this is an LP token for a Curve pool, so it calls the `CurveLPOracle.getUSDPrice` function.
- The `CurveLPOracle.getUSDPrice` function checks that the Curve pool is balanced by calling `CurvePoolUtils.ensurePoolBalanced`.