
OpenEden

Audit name:

[SCA] OpenEden / Vault / Jan2024

Date:

Feb 16, 2024

Table of Contents

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the OpenEden team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

OpenEden is a project that manages the TBILL stable ERC20 tokens. Users can deposit USDC to mint TBILL tokens, entitling them to redeem assets in proportion to their TBILL holdings.

Platform: EVM
Language: Solidity
Tags: ERC20 stable coin
Timeline: 31/01/2024 - 09/02/2024
Methodology: https://hackenio.cc/sc_methodology

    Review Scope

    Repository: https://github.com/OpenEdenHQ/openeden.vault.v2.audit/
    Commit: d09f86cb9827242dc6e76033a60c7a464aebe27d

    Audit Summary

    Total: 9.6/10
    Security Score: 10/10
    Test Coverage: 89.42%
    Code Quality Score: 10/10
    Documentation Quality Score: 10/10

    Total Findings: 6
    Resolved: 1
    Accepted: 5
    Mitigated: 0

    The system users should acknowledge all the risks summarized in the Risks section of the report.

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    Name: Smart Contract Code Review and Security Analysis Report for OpenEden
    Audited By: Maksym Fedorenko
    Approved By: Grzegorz Trawinski
    Website: https://openeden.com/
    Changelog: 05/02/2024 - Preliminary Report; 09/02/2024 - Second Report

    System Overview

    OpenEden is a project that manages the TBILL stable ERC20 tokens. Users can deposit USDC to mint TBILL tokens, entitling them to redeem assets in proportion to their TBILL holdings. TBILL tokens are stored in whitelisted wallets, and the project's code governs deposit, withdrawal, and management functions, ensuring proper asset handling. It is built with the following contracts:

    • Controller - Provides mechanisms for pausing and unpausing specific operations (deposit and withdraw) in a system.

    • FeeManager - Provides mechanisms to manage various fee-related parameters in a system. This includes settings for transaction fees, deposit and withdrawal limits, management fee rates, and special considerations for weekends.

    • OpenEdenVaultV3Impl - An upgradeable vault contract designed for managing deposits and withdrawals, charging fees, integrating with KYC systems, and operating under specific time-based rules.

    • TBillPriceOracle - An oracle contract that provides a way to manage and update TBill prices with constraints on how much the price can deviate from previous values.

    • Timelock - Imports TimelockController from OpenZeppelin.

    • OEPausable - Designed to introduce “pausing” functionality into a contract by inheritance. This pausing mechanism can be utilized for emergency scenarios or other use cases to temporarily halt certain operations of a contract.

    Privileged roles

    • The DEFAULT_ADMIN_ROLE of the Controller contract can:

      • Pause and unpause deposits and withdrawals

    • The OPERATOR_ROLE of the Controller contract can:

      • Pause and unpause deposits and withdrawals

    • The Owner of the FeeManager contract can:

      • Set various fee-related parameters such as transaction fees, deposit and withdrawal limits, etc.

      • Use the capabilities inherited from OpenZeppelin's Ownable contract, such as the ability to transfer ownership or renounce ownership.

    • The Owner of the OpenEdenVaultV3Impl can:

      • Set the treasury for the vault.

      • Set the treasury specific to 'q' (qTreasury).

      • Toggle whether the USDC/USD price is fixed.

      • Set various addresses, such as FeeManager, KycManager, Operator, USDC Price Feed, TBill Price Feed, and Controller.

      • Authorize contract upgrades.

      • Upgrade the contract.

    • The Operator of the OpenEdenVaultV3Impl can:

      • Initiate off-ramp operations to transfer underlying assets to designated treasuries.

      • Process the withdrawal queue.

      • Update the epoch and set whether it is a weekend.

      • Claim the service fee.

    • The DEFAULT_ADMIN_ROLE of the TBillPriceOracle can:

      • Grant and revoke the OPERATOR_ROLE.

      • Update the maximum price deviation.

      • Manually update the close NAV price.

    • The OPERATOR_ROLE of the TBillPriceOracle can:

      • Update the price.

      • Update the close NAV price.

    Executive Summary

    Documentation quality

    The total Documentation Quality score is 10 out of 10.

    • Functional requirements are provided.

    • Technical description is provided.

    • NatSpec is provided.

    Code quality

    The total Code Quality score is 10 out of 10.

    Test coverage

    Code coverage of the project is 89.42% (branch coverage).

    Security score

    Upon auditing, the code was found to contain 0 critical, 0 high, 1 medium, and 1 low severity issues, leading to a security score of 10 out of 10.

    All identified issues are detailed in the “Findings” section of this report.

    Summary

    The comprehensive audit of the customer's smart contract yields an overall score of 9.6. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

    Risks

    The logic of the OpenEdenVaultV3 contract might be upgraded at any time by the Admin.

    The Epoch might be updated an unlimited number of times by the operator.

    At any given time, the owner or operator holds the capability to pause both withdrawals and deposits.

    The transaction fees within the system can be configured to any value, including 100%, which implies that users may receive nothing in return when attempting to deposit or redeem tokens. The fee is calculated and collected when the operator executes the withdrawal queue, based on the latest fee rate, not the rate at the time of user redemption.
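The fee-timing risk above, together with the unrestricted fee configuration, sketched as an added example (not OpenEden's code and not part of the audit report). The contract name, function names, the basis-point unit and the 1% cap are assumptions chosen for illustration; recording the rate at request time is one possible mitigation, not one the report prescribes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; all names here are hypothetical.
/// Token transfers and role management are left out so that only the
/// fee-timing behaviour is shown.
contract FeeTimingExample {
    uint256 public constant BPS = 10_000;       // 100% in basis points (assumed unit)
    uint256 public constant MAX_FEE_BPS = 100;  // hypothetical 1% hard cap
    address public immutable owner;
    uint256 public feeBps;                      // current fee rate

    struct Request {
        address user;
        uint256 assets;          // gross amount owed before fees
        uint256 feeBpsAtRequest; // rate in force when the user redeemed
    }
    Request[] public queue;

    constructor() { owner = msg.sender; }

    // Bounded setter: without the cap check, 10_000 (100%) would be accepted.
    function setFeeBps(uint256 newFeeBps) external {
        require(msg.sender == owner, "not owner");
        require(newFeeBps <= MAX_FEE_BPS, "fee above cap");
        feeBps = newFeeBps;
    }

    // The user queues a redemption; the current rate is stored with it.
    function requestRedeem(uint256 assets) external {
        queue.push(Request(msg.sender, assets, feeBps));
    }

    // Behaviour described in the risk: the fee uses the latest rate, so a
    // rate change between request and processing changes the payout.
    function payoutAtLatestRate(uint256 id) public view returns (uint256) {
        Request storage r = queue[id];
        return r.assets - (r.assets * feeBps) / BPS;
    }

    // Alternative: the fee is fixed at the rate recorded at request time.
    function payoutAtSnapshotRate(uint256 id) public view returns (uint256) {
        Request storage r = queue[id];
        return r.assets - (r.assets * r.feeBpsAtRequest) / BPS;
    }
}
```

If the rate is raised after a request is queued, `payoutAtLatestRate` drops for that request while `payoutAtSnapshotRate` does not; the cap bounds how far either can move.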

    The TBILL price used in calculations is provided by an oracle through an off-chain mechanism, and the implementation that sustains the stablecoin mechanism is also handled off-chain.

    The owner has the authority to withdraw any token including USDC from the contract.

    Only the operator has the authority to execute redemption requests, and the timing of execution is determined by the operator's discretion.

    The Treasury, KycManager and TBillPriceOracle contracts are beyond the scope of this audit (please navigate to “Appendix 2. Scope” for detailed information regarding the scope). The reliability of these contracts cannot be confirmed.

    The system employs a KYC process. There is a potential risk where a user, after receiving KYC approval and depositing tokens, could be subsequently banned. This would result in their tokens being permanently locked in their account.

    The redemption process relies on a centralized operator's discretion, and any issues or risks related to this operator's actions, such as insufficient USDC balance or centralization concerns, can result in users being unable to access their deposited TBILL tokens or the promised USDC tokens, potentially compromising the trustworthiness of the redemption process.

    There exists a risk where the backend system could fail to accurately set the isWeekend flag, which is crucial for enforcing the intended fee structure and deposit limits. In this case, users might be able to deposit funds under incorrect fee structures.

    The OpenEden operators can ban users, which may result in withdrawal requests being declined for a user who has already deposited funds. This mechanism was introduced to protect against the withdrawal queue being blocked by the USDC blacklisting mechanism.

    Findings

    Code | Title | Status | Severity
    F-2024-0719 | Authorization Using tx.origin | fixed | Medium
    F-2024-0760 | The Contract Has The Function Which Allows To Withdraw Tokens Including The underlying | accepted | Low
    F-2024-0759 | Missing Failover Mechanism to Unlock Withdrawal Queue Blocked by Non-Banned Users | accepted | Observation
    F-2024-0745 | Redundant _msgSender(), Meta-Transactions Not Implemented | accepted | Observation
    F-2024-0720 | Missing Checks For address(0) | accepted | Observation
    F-2024-0704 | Unrestricted Fee Configuration | accepted | Observation

    Appendix 1. Severity Definitions

    When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

    Reference on how risk scoring is done is available through the repository in our GitHub organization:

    Severity | Description
    Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
    High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
    Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
    Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details - initial

    Repository: https://github.com/OpenEdenHQ/openeden.vault.v2.audit/
    Commit: fdfe7a34f65a2a026632054c69e5b1a453c658a4
    Whitepaper: None
    Requirements: https://docs.openeden.com/treasury-bills-vault/introduction
    Technical Requirements: https://docs.openeden.com/treasury-bills-vault/introduction

    Scope Details - second

    Repository: https://github.com/OpenEdenHQ/openeden.vault.v2.audit/
    Commit: d09f86cb9827242dc6e76033a60c7a464aebe27d
    Whitepaper: None
    Requirements: https://docs.openeden.com/treasury-bills-vault/introduction
    Technical Requirements: https://docs.openeden.com/treasury-bills-vault/introduction

    Contracts in Scope

    contracts
    feeManager.sol - contracts/feeManager.sol
    OpenEdenVaultV3Impl.sol - contracts/OpenEdenVaultV3Impl.sol
    interfaces
    IPartnerShip.sol - contracts/interfaces/IPartnerShip.sol
    PartnerShip.sol - contracts/PartnerShip.sol

    Disclaimer