Q1 2025 Web3 Security ReportAccess control failures led to $1.63 billion in losses
Discover report insights
  • Hacken
  • Audits
  • farcana
  • [SCA] Farcana / Token / Dec2023
Farcana logo

Farcana

Audit name:

[SCA] Farcana / Token / Dec2023

Date:

Dec 24, 2023

Table of Content

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We thank Farcana for allowing us to conduct a Smart Contract Security Assessment. This document outlines our methodology, limitations, and results of the security assessment.

Farcana integrates blockchain technology with traditional game development for a seamless, immersive gaming experience.

titlecontent
PlatformEVM
LanguageSolidity
TagsERC-20, Vesting
Timeline12/12/2023 - 29/12/2023
Methodologyhttps://hackenio.cc/sc_methodology

    Last Review Scope

    Repositoryhttps://github.com/farcana/smart-contracts
    Commit3a8a187

    Audit Summary

    Total9.4/10
    Security Score

    10/10

    Test Coverage

    0%

    Code Quality Score

    9/10

    Documentation Quality Score

    6/10

    12Total Findings
    12Resolved
    0Accepted
    0Mitigated

    The system users should acknowledge all the risks summed up in the risks section of the report

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    NameSmart Contract Code Review and Security Analysis Report for Farcana
    Audited ByIvan Bondar
    Approved ByPrzemyslaw Swiatowiec, Ataberk Yavuzer
    Websitehttps://www.farcana.com
    Changelog29/12/2023 - Final Report

    • Document

      Name
      Smart Contract Code Review and Security Analysis Report for Farcana
      Audited By
      Ivan Bondar
      Approved By
      Przemyslaw Swiatowiec, Ataberk Yavuzer
      Website
      https://www.farcana.com
      Changelog
      29/12/2023 - Final Report

    System Overview

    Farcana integrates blockchain technology with traditional game development for a seamless, immersive gaming experience. As the first project of its kind, our flagship multiplayer online game, Farcana, leverages web3 technologies. The game has a fully player-controlled economy, marketplace, and asset ownership.

    The files in the scope:

    • FarcanaToken — is an ERC20 token. Upon deployment, it is initialized with a specified name, symbol, decimal count, total supply, and an owner address. The token supply is predetermined and fixed, with no provisions for minting additional tokens post-deployment. However, it includes a burn function, allowing the owner to reduce the total supply by burning tokens.

    • FarcanaVesting —  token vesting mechanism designed for the Farcana ecosystem. It allows for the creation of multiple vesting schedules per beneficiary, enabling the controlled and gradual release of tokens. Key features include:

      • Flexible Vesting Schedules: Each beneficiary can have multiple vesting schedules, each with its own cliff, duration, start time, and total amount of tokens to be released.

      • Claim Functionality: Beneficiaries can claim their vested tokens once they are due for release.

      • Substantial Initial Release: The contract is designed such that a significant portion of tokens becomes claimable immediately after the cliff period, with the remaining amount vested linearly over the rest of the duration.

    Privileged roles

    • FarcanaToken.sol:

      • Owner:

        • Capable of burning tokens from their own holdings.

        • Authorized to transfer ownership of the contract.

    • FarcanaVesting.sol:

      • Owner:

        • Authorized to set the TGE (Token Generation Event) timestamp.

        • Empowered to add vesting schedules for any beneficiary.

        • Able to change the beneficiary address for existing vesting schedules.

        • Can access and review all data related to a specific beneficiary's vesting schedule.

    Executive Summary

    Documentation quality

    The total Documentation Quality score is 6 out of 10.

    • Functional requirements are not provided.

      • Overall system requirements are provided.

      • No roles description.

      • No Tokenomics.

    • Technical description is not provided.

      • NatSpec is partially missing.

    Code quality

    The total Code Quality score is 9 out of 10.

    • The development environment is not configured.

    Test coverage

    Code coverage of the project is 0.0% (branch coverage).

    • No tests.

    Security score

    Upon auditing, the code was found to contain 0 critical, 0 high, 2 medium, and 3 low severity issues, leading to a security score of 10 out of 10.

    All identified issues are detailed in the “Findings” section of this report.

    Summary

    The comprehensive audit of the Customer's smart contract yields an overall score of 9.4. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

    Risks

    Beneficiary Change Risk:

    • The FarcanaVesting contract grants the owner the authority to modify the beneficiary address of any existing vesting schedule. While this offers flexibility, it also introduces a significant risk factor. If the owner mistakenly inputs an incorrect address or in the event of a compromise of the owner's keys, the tokens intended for one beneficiary could be erroneously or maliciously redirected to another address.

    Findings

    Code
    Title
    Status
    Severity
    F-2023-0125Unrestricted Authority to Alter Vesting Beneficiary Addresses
    fixed

    Medium
    F-2023-0124Insufficient Parameter Validation in addVestingSchedule() Function of Vesting Contract
    fixed

    Medium
    F-2023-0128Non-Utilization of SafeERC20 for Token Transfers in Vesting Contract
    fixed

    Low
    F-2023-0127Inappropriate Mutability of tgeTime in Vesting Contract
    fixed

    Low
    F-2023-0126Single-Step Ownership Transfer
    fixed

    Low
    F-2023-0135Missing zero address checks
    fixed

    Observation
    F-2023-0134State variables default visibility
    fixed

    Observation
    F-2023-0133Lack of Event Emissions in Key Functions of Vesting Contract
    fixed

    Observation
    F-2023-0132Redundant SafeMath
    fixed

    Observation
    F-2023-0131Floating Pragma
    fixed

    Observation
    1-10 of 12 findings

    Identify vulnerabilities in your smart contracts.

    Appendix 1. Severity Definitions

    When auditing smart contracts Hacken is using a risk-based approach that considers the potential impact of any vulnerabilities and the likelihood of them being exploited. The matrix of impact and likelihood is a commonly used tool in risk management to help assess and prioritize risks.

    The impact of a vulnerability refers to the potential harm that could result if it were to be exploited. For smart contracts, this could include the loss of funds or assets, unauthorized access or control, or reputational damage.

    The likelihood of a vulnerability being exploited is determined by considering the likelihood of an attack occurring, the level of skill or resources required to exploit the vulnerability, and the presence of any mitigating controls that could reduce the likelihood of exploitation.

    Severity

    Description

    Critical
    		Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    High
    		High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Medium
    		Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Low
    		Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    • Severity

      Critical

      Description

      Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

      Severity

      High

      Description

      High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

      Severity

      Medium

      Description

      Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

      Severity

      Low

      Description

      Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details

    Repositoryhttps://github.com/farcana/smart-contracts
    Commit0c8f5193b9249d5b02fdb57de1ecdbf4ebe30dbb
    WhitepaperN/A
    RequirementsNatSpec
    Technical RequirementsN/A

    Contracts in Scope

    contracts
    FarcanaToken.sol - contracts/FarcanaToken.sol
    FarcanaVesting.sol - contracts/FarcanaVesting.sol

    Disclaimer