Q1 2025 Web3 Security ReportAccess control failures led to $1.63 billion in losses
Discover report insights
  • Hacken
  • Audits
  • 375ai
  • [SCA] 375ai / Smart-Contracts / Jul2024
375ai logo

375ai

Audit name:

[SCA] 375ai / Smart-Contracts / Jul2024

Date:

Aug 20, 2024

Table of Content

Introduction
Audit Summary
System Overview
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the 375ai team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

The Rewards Distributor enables users to claim rewards based on their contributions using Merkle trees for fair and efficient verification. This system ensures transparent and secure reward distribution by allowing users to submit proof of participation to claim their funds

Document

NameSmart Contract Code Review and Security Analysis Report for 375ai
Audited ByPrzemyslaw Swiatowiec
Approved ByAtaberk Yavuzer
Websitehttps://375.ai
Changelog10/07/2024 - Preliminary Report, 30/07/2024 - Secondary Report, 20/08/2024 - Final Report
PlatformSolana
LanguageRust
Tagsdistribution, merkle-tree
Methodologyhttps://hackenio.cc/sc_methodology

  • Document

    Name
    Smart Contract Code Review and Security Analysis Report for 375ai
    Audited By
    Przemyslaw Swiatowiec
    Approved By
    Ataberk Yavuzer
    Website
    https://375.ai
    Changelog
    10/07/2024 - Preliminary Report, 30/07/2024 - Secondary Report, 20/08/2024 - Final Report
    Platform
    Solana
    Language
    Rust
    Tags
    distribution, merkle-tree
    Methodology
    https://hackenio.cc/sc_methodology

Review Scope

Repositoryhttps://github.com/375-ai/program-library
Commitb1bf39bbbe62418c8ef63c59f537fbb25e245b0d
Re-audit Commitd2fac818499300111f9058ebac44f335fefb7bfd

Audit Summary

5Total Findings
5Resolved
0Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional requirements are provided.

  • The technical description is provided.

Code quality

  • No code quality issues were found.

Test coverage

Tests were provided. There are no well-known tools to measure coverage in Solana programs, the test coverage test was omitted.

System Overview

The Rewards Distributor enables users to claim rewards based on their contributions using Merkle trees for fair and efficient verification. This system ensures transparent and secure reward distribution by allowing users to submit proof of participation to claim funds.

Privileged roles

  • The manager can approve new distributions, update the admin, update the agent, pause, and unpause the protocol.

  • The agent can create new distributions, and modify distributions only before approval.

  • Users can claim distributed tokens after verification using Merkle tree proof.

Risks

There is a risk that if the process for each epoch’s distribution is not correctly executed, an invalid Merkle tree could be approved, leading to incorrect or incomplete token allocations. While this risk is partly mitigated by the two-step process, it can still occur if the verification steps are not properly followed or if the process fails. Additionally, the rules governing Merkle tree generation are out of the scope of this audit

Findings

Code
Title
Status
Severity
F-2024-5204Irrelevant and Redundant Limitations on maxtotalclaim and maxnumnodes
fixed

Medium
F-2024-4202Missing Two-Step Ownership Pattern for Admin Changes
fixed

Low
F-2024-4476Two-Step Epoch Management Process Bypass
fixed

Observation
F-2024-5201Risk of Tokens Not Being Transferred to Escrow
fixed

Observation
F-2024-4200Potentially Locked Tokens in RewardDistributor's Account
fixed

Observation
1-5 of 5 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Severity Definitions

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Repositoryhttps://github.com/375-ai/program-library
Commitb1bf39bbbe62418c8ef63c59f537fbb25e245b0d
Re-audit Commitd2fac818499300111f9058ebac44f335fefb7bfd
WhitepaperREADME.md
RequirementsREADME.md
Technical RequirementsREADME.md

  • Scope Details

    Repository
    https://github.com/375-ai/program-library
    Commit
    b1bf39bbbe62418c8ef63c59f537fbb25e245b0d
    Re-audit Commit
    d2fac818499300111f9058ebac44f335fefb7bfd
    Whitepaper
    README.md
    Requirements
    README.md
    Technical Requirements
    README.md

Contracts in Scope

programs
rewards-distributor
src
events.rs - programs/rewards-distributor/src/events.rs
errors.rs - programs/rewards-distributor/src/errors.rs
instructions.rs - programs/rewards-distributor/src/instructions.rs
lib.rs - programs/rewards-distributor/src/lib.rs
state.rs - programs/rewards-distributor/src/state.rs
instructions
accept_manager.rs - programs/rewards-distributor/src/instructions/accept_manager.rs
add_epoch.rs - programs/rewards-distributor/src/instructions/add_epoch.rs
approve_epoch.rs - programs/rewards-distributor/src/instructions/approve_epoch.rs
change_agent.rs - programs/rewards-distributor/src/instructions/change_agent.rs
claim.rs - programs/rewards-distributor/src/instructions/claim.rs
correct_epoch.rs - programs/rewards-distributor/src/instructions/correct_epoch.rs
initialize.rs - programs/rewards-distributor/src/instructions/initialize.rs
pause.rs - programs/rewards-distributor/src/instructions/pause.rs
propose_manager.rs - programs/rewards-distributor/src/instructions/propose_manager.rs
unpause.rs - programs/rewards-distributor/src/instructions/unpause.rs
utils
merkle_proof.rs - programs/rewards-distributor/src/utils/merkle_proof.rs
mod.rs - programs/rewards-distributor/src/utils/mod.rs

Disclaimer