Legal Disclaimer

Summary

We reported 3 high, 4 medium, 7 low issues and made 2 advisories. The Nemo team remediated all reported issues.

Within the defined scope, we checked that administrative actions are properly access-controlled, the NEOM token is properly configured, and the claims mechanism prevents duplicate redemptions.

The repay module manages token claim distribution for the Nemo protocol. It allows admins to allocate claims for NEOM (protocol debt token) and various yield tokens (SY tokens) to users, who can later claim their allocated amounts.

The admin (AdminCap holder) has full administrative control over the repay system:

• Can create claims for any user, using any token previously registered by the admin.
  • Claim amounts are limited only in total by available contract balance or the predefined NEOM supply cap.
• Can modify existing user claims to arbitrary values (subject to the limits described above).
• Can remove any user claims.
• Can stop all user claims at any time, for any duration, while still being able to add, modify, or remove claims during that period.

Audited code

We audited the following directories at the given commit:

• repay/sources

We verified that the audited source code at commit 552877f517426a35a93904cb0abce23de4041d70 compiles to bytecode matching the on-chain package 0x575d6dfb7994eadbc3a02195b04b15b495edfd1ada9162ec7de512ac6235e4d4, published in transaction HrE9ZSzbKyn5ZJJzkgS1Mrxrx2DxyB7Tpr8UzYFicGoq. This confirms the deployed contract corresponds to the code reviewed in this audit.

Issues

Untitled

Issues

Legend

About the auditor