
Definitely

Audit name: [SCA] Definitely / Affiliation / Nov2023

Date: Dec 14, 2023

Table of Contents

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope


Introduction

We thank the DefinitelySoFi team for allowing us to conduct a Smart Contract Security Assessment. This document outlines our methodology, its limitations, and the results of the security assessment.

The Definitely project lets users generate, acquire, and trade invitation codes through an affiliate-oriented approach while maintaining comprehensive registries of codes and keys.

Platform: Arbitrum
Language: Solidity
Tags: Affiliation, Native Assets
Timeline: 29.11.2023 - 30.11.2023
Methodology: https://hackenio.cc/sc_methodology

Remediation Review Date: 04.12.2023

Last Review Scope

Repository: https://github.com/DefinitelySoFi/SoFiContract
Commit: 2e9fbee490ab0a9b0d8bb8e228964f02154f61d3

Audit Summary

Total: 8.1/10
Security Score: 9/10
Test Coverage: 0%
Code Quality Score: 5/10
Documentation Quality Score: 8/10

Total Findings: 9
Resolved: 0
Accepted: 2
Mitigated: 0

The system users should acknowledge all the risks summed up in the Risks section of the report.

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

Document

Name: Smart Contract Code Review and Security Analysis Report for DefinitelySoFi
Audited By: Ataberk Yavuzer, Vladyslav Khomenko
Approved By:
Website: https://definitely.gg

    System Overview

The Definitely project is an affiliate-oriented project with the following contract:

• contract.sol - The DefinitelyKeysV1 contract, which allows users to create their own invitation codes and tradeable keys via other invitation codes. Users are able to buy and sell further keys on the protocol.

    Privileged roles

• The owner of the DefinitelyKeysV1 contract can arbitrarily modify the protocol fees and the fee destination address. The owner is therefore able to impersonate or change the logic of critical components of the system at will.

    Executive Summary

    Documentation quality

    The total Documentation Quality score is 8 out of 10.

    • The whitepaper documentation was provided.

• The whitepaper documentation does not contain any information about the sellKeys() function.

    Code quality

    The total Code Quality score is 5 out of 10.

• The project does not apply any gas-optimization practices.

• The code does not follow the NatSpec specification, so it is not self-explanatory.

• There are no deployment or test scripts.

    Test coverage

    Code coverage of the project is 0% (branch coverage), with a mutation score of 0%.

    • The project does not have any test cases.

    Security score

As a result of the initial audit, the code contained 2 medium and 1 low issue. The security score was 8 out of 10. During the remediation phase, all findings were discussed with the DefinitelySoFi team and all findings were acknowledged. The final security score is 9 out of 10.

    All found issues are displayed in the “Findings” section.

    Risks

The DefinitelySoFi team stated that authority over the contract will be transferred to a multi-sig wallet in the near future. Until then, the contract owner has full authority to increase protocol fees, since the protocol sets no upper limit on fees.

Users who do not use DefinitelySoFi's front-end may be exposed to a "sandwich attack", because they may not be able to set slippage correctly when buying keys.
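As an added illustration (not the project's contract, written for this page with an assumed linear price curve and an assumed 10% cap), a hypothetical key contract showing the two mitigations these risks call for: a hard upper bound on the protocol fee, and a caller-supplied cost limit in buyKeys() so a purchase reverts instead of overpaying when the curve moves before it executes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;
// Hypothetical sketch, not the DefinitelyKeysV1 source: shows a hard fee cap
// and a caller-supplied cost limit for purchases. Curve and values are assumed.
contract GuardedKeys {
    uint256 public constant MAX_FEE_BPS = 1_000;   // assumed cap: 10% of price
    uint256 public constant UNIT = 0.001 ether;    // assumed curve step
    address public owner;
    address public feeDestination;
    uint256 public protocolFeeBps;
    mapping(address => uint256) public supply;                       // keys per subject
    mapping(address => mapping(address => uint256)) public balance;  // subject => holder => keys
    error NotOwner();
    error ZeroAddress();
    error FeeTooHigh(uint256 requested, uint256 cap);
    error CostAboveLimit(uint256 cost, uint256 limit);
    error InsufficientPayment(uint256 cost, uint256 sent);
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    constructor(address _feeDestination) {
        if (_feeDestination == address(0)) revert ZeroAddress();  // no zero fee sink
        owner = msg.sender;
        feeDestination = _feeDestination;
    }

    // Owner may tune the fee, but never past MAX_FEE_BPS.
    function setProtocolFee(uint256 bps) external onlyOwner {
        if (bps > MAX_FEE_BPS) revert FeeTooHigh(bps, MAX_FEE_BPS);
        protocolFeeBps = bps;
    }

    // Linear curve: the k-th key of a subject costs k * UNIT (sum is always exact).
    function getPrice(uint256 current, uint256 amount) public pure returns (uint256) {
        return UNIT * amount * (2 * current + amount + 1) / 2;
    }

    // maxTotalCost lets any caller bound what they pay: a front-running purchase
    // that raises the curve makes this call revert instead of silently overpaying.
    function buyKeys(address subject, uint256 amount, uint256 maxTotalCost) external payable {
        uint256 price = getPrice(supply[subject], amount);
        uint256 total = price + price * protocolFeeBps / 10_000;
        if (total > maxTotalCost) revert CostAboveLimit(total, maxTotalCost);
        if (msg.value < total) revert InsufficientPayment(total, msg.value);
        supply[subject] += amount;
        balance[subject][msg.sender] += amount;
        (bool ok, ) = feeDestination.call{value: total - price}("");  // fee share only
        require(ok, "fee transfer failed");                             // price stays in contract here
        if (msg.value > total) payable(msg.sender).transfer(msg.value - total);
    }
}
```

Wallets or scripts calling buyKeys() directly should compute maxTotalCost from a fresh getPrice() quote plus an explicit slippage margin rather than sending an unbounded msg.value.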

Findings

Code        | Title                                                             | Status   | Severity
F-2023-0029 | Possible lock on the first 100 units of initial key               | accepted | Medium
F-2023-0020 | The buyKeys() function may be vulnerable to sandwich attack       | accepted | Medium
F-2023-0030 | Highly permissive role                                            | unfixed  | Low
F-2023-0031 | Common literal value                                              | unfixed  | Observation
F-2023-0025 | Ownership Irrevocability Vulnerability                            | unfixed  | Observation
F-2023-0024 | Unneeded initializations of uint256 and bool variable to 0/false  | unfixed  | Observation
F-2023-0023 | Custom Errors in Solidity for Gas Efficiency                      | unfixed  | Observation
F-2023-0022 | Missing checks for address(0)                                     | unfixed  | Observation
F-2023-0021 | Floating Pragma                                                   | unfixed  | Observation

    Appendix 1. Severity Definitions

When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities. A reference on how risk scoring is done is available through the repository in our GitHub organization:

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

Scope details

Repository: https://github.com/DefinitelySoFi/SoFiContract
Commit: 2e9fbee490ab0a9b0d8bb8e228964f02154f61d3
Whitepaper: https://definitely.gitbook.io
Review Date: 29.11.2023
Contract in scope: contract.sol

    Hacken Disclaimer

The smart contracts given for audit have been analyzed based on best industry practices at the time of the writing of this report, with cybersecurity vulnerabilities and issues in smart contract source code, the details of which are disclosed in this report (Source Code); the Source Code compilation, deployment, and functionality (performing the intended functions). The report contains no statements or warranties on the identification of all vulnerabilities and security of the code. The report covers the code submitted and reviewed, so it may not be relevant after any modifications. Do not consider this report as a final and sufficient assessment regarding the utility and safety of the code, bug-free status, or any other contract statements. While we have done our best in conducting the analysis and producing this report, it is important to note that you should not rely on this report only: we recommend proceeding with several independent audits and a public bug bounty program to ensure the security of smart contracts. English is the original language of the report. The Consultant is not responsible for the correctness of the translated versions.

    Technical Disclaimer

    Smart contracts are deployed and executed on a blockchain platform. The platform, its programming language, and other software related to the smart contract can have vulnerabilities that can lead to hacks. Thus, the Consultant cannot guarantee the explicit security of the audited smart contracts.

    Assets in Scope

DefinitelyKeysV1.sol