The Hacken 2025 Yearly Security ReportCovers major Web3 breaches, their root causes, prevention insights, and key regulatory trends for 2026.
Learn more

AIRDAO

Audit name:

[L1] AirDAO | OpenEthereum + Node Contracts | Apr2024

Date:

Jun 21, 2024

Table of Content

Introduction
Audit Summary
System Overview
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the AIRDAO team for the collaborative engagement that enabled the execution of this Blockchain Protocol Security Assessment.

AirDAO is a community-governed blockchain and ecosystem of web3 dApps powered by its native token, AMB. It supports the Ethereum Virtual Machine (EVM), enabling the usage of smart contracts that permit a wide range of applications on it, such as DeFi, governance, and gaming. One of its key features is cross-chain functionality through maintained bridges on EVM-compatible networks, enhancing interoperability and expanding its ecosystem.

Document

NameBlockchain Protocol Review and Security Analysis Report for AIRDAO
Audited BySofiane Akermoun, Nataliia Balashova, Turgay Arda Usman
Approved ByLuciano Ciattaglia, Ataberk Yavuzer
Websitehttps://airdao.io/
Changelog21/05/2024 - Preliminary Report
21/06/2024 - Final Report
PlatformAirDAO
LanguageRust
TagsLayer 1, Ethereum, Bridge, Solidity, DAO
Methodologyhttps://hackenio.cc/blockchain_methodology

  • Document

    Name
    Blockchain Protocol Review and Security Analysis Report for AIRDAO
    Audited By
    Sofiane Akermoun, Nataliia Balashova, Turgay Arda Usman
    Approved By
    Luciano Ciattaglia, Ataberk Yavuzer
    Website
    https://airdao.io/
    Changelog
    21/05/2024 - Preliminary Report
    21/06/2024 - Final Report
    Platform
    AirDAO
    Language
    Rust
    Tags
    Layer 1, Ethereum, Bridge, Solidity, DAO
    Methodology
    https://hackenio.cc/blockchain_methodology

Review Scope

Repositoryhttps://github.com/ambrosus/openethereum
Commit30ac95eebe3089a63527e9c06574eae23aa9ee2e

Audit Summary

30Total Findings
5Resolved
22Accepted
3Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Code is not equally documented across the project.

  • New features of AirDAO need better documentation, including support similar to EIPs that describe the features.

  • Documentation for the build process and technical requirements, which had previously been insufficient, has now been promptly provided during the audit.

Code quality

  • Additions to the OpenEthereum fork by the AirDAO team demonstrate good Rust code quality.

  • Overall, AirDAO inherits good quality from the OpenEthereum project.

  • However, there remain too many linter warnings, indicating that better Rust code best practices can be applied.

  • Changes to OpenEthereum by AirDAO should be covered by unit tests.

Architecture quality

  • Good modularity by separating Layer 1 mechanisms and core smart contracts, which enhances the functionality of the network and allows for modular upgrades without significantly altering the core L1.

  • AirDAO is based on OpenEthereum, which has not been maintained for a few years.

System Overview

AirDAO is a fork of OpenEthereum, an Ethereum client written in Rust. It includes a set of smart contracts written in Solidity, which add functionality to the AirDAO network. These smart contracts support a variety of applications within the ecosystem.

AirDAO is powered by its native cryptocurrency, AMB, facilitating transactions and governance within the network. This combination of Rust-based client and Solidity smart contracts allows AirDAO to support a wide range of web3 dApps efficiently and securely.

Risks

Forking from OpenEthereum introduces several risks to the AirDAO project. Since OpenEthereum has not been maintained for a few years, the codebase may contain unresolved bugs and security vulnerabilities that could impact the stability and security of AirDAO. Additionally, the lack of ongoing support and updates from the original OpenEthereum maintainers means that any discovered issues or necessary improvements must be addressed solely by the AirDAO team, potentially increasing their development and maintenance burden. This reliance on an outdated and unsupported codebase could pose significant challenges.

Making external calls within loops increases the risk of gas exhaustion, potentially leading to failed transactions and reduced contract reliability, especially when processing large datasets.

The project does not support non-standard ERC20 tokens. Adding such tokens in the future can cause additional risks.

The current version of the code does not support fee-on-transfer tokens. Adding such tokens in the future can create risks.

This audit report focuses exclusively on the security assessment of the contracts within the specified review scope. Interactions with out-of-scope contracts are presumed to be correct and are not examined in this audit. We want to highlight that Interactions with contracts outside the specified scope, such as: Apollo pools, Atlas pools, Hermes pools, Zeta pools, Sigma pools, Omega Pools have not been verified or assessed as part of this report. While we have diligently identified and mitigated potential security risks within the defined scope, it is important to note that our assessment is confined to the isolated contracts within this scope. The overall security of the entire system, including external contracts and integrations beyond our audit scope, cannot be guaranteed. Users and stakeholders are urged to exercise caution when assessing the security of the broader ecosystem and interactions with external contracts. For a comprehensive evaluation of the entire system, additional audits and assessments outside the scope of this report are necessary. This report serves as a snapshot of the security status of the audited contracts within the specified scope at the time of the audit. We strongly recommend ongoing security evaluations and continuous monitoring to maintain and enhance the overall system's security.

Findings

Code
Title
Status
Severity
F-2024-1954Vulnerable Dependencies
accepted

Critical
F-2024-3223Usage of Unmaintained and Unaudited Cryptographic Libraries
accepted

High
F-2024-2853Reentrancy Vulnerability During Lock Cancelations
fixed

High
F-2024-3226 AirDAO Project Forked from Archived and Unsupported OpenEthereum
accepted

Medium
F-2024-2877Incorrect Owner Assignment During Genesis Deployment
mitigated

Medium
F-2024-2864 Incompatibility with ERC20 Tokens Not Returning Boolean on Transfers
fixed

Medium
F-2024-2982Unsafe Usage of std::mem::transmute in Critical Functions
accepted

Low
F-2024-2870Deletion Logic Will Never be Called
mitigated

Low
F-2024-2865Unchecked Transfer
fixed

Low
F-2024-2863Use Of Transfer() Instead Of Call() To Send Funds
accepted

Low
1-10 of 30 findings

Findings like these can secure your blockchain.

Appendix 1. Severity Definitions

Severity

Description

Critical
Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required.

High
High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category.

Medium
Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively.

Low
Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system.

  • Severity

    Critical

    Description

    Vulnerabilities that can lead to a complete breakdown of the blockchain network's security, privacy, integrity, or availability fall under this category. They can disrupt the consensus mechanism, enabling a malicious entity to take control of the majority of nodes or facilitate 51% attacks. In addition, issues that could lead to widespread crashing of nodes, leading to a complete breakdown or significant halt of the network, are also considered critical along with issues that can lead to a massive theft of assets. Immediate attention and mitigation are required.

    Severity

    High

    Description

    High severity vulnerabilities are those that do not immediately risk the complete security or integrity of the network but can cause substantial harm. These are issues that could cause the crashing of several nodes, leading to temporary disruption of the network, or could manipulate the consensus mechanism to a certain extent, but not enough to execute a 51% attack. Partial breaches of privacy, unauthorized but limited access to sensitive information, and affecting the reliable execution of smart contracts also fall under this category.

    Severity

    Medium

    Description

    Medium severity vulnerabilities could negatively affect the blockchain protocol but are usually not capable of causing catastrophic damage. These could include vulnerabilities that allow minor breaches of user privacy, can slow down transaction processing, or can lead to relatively small financial losses. It may be possible to exploit these vulnerabilities under specific circumstances, or they may require a high level of access to exploit effectively.

    Severity

    Low

    Description

    Low severity vulnerabilities are minor flaws in the blockchain protocol that might not have a direct impact on security but could cause minor inefficiencies in transaction processing or slight delays in block propagation. They might include vulnerabilities that allow attackers to cause nuisance-level disruptions or are only exploitable under extremely rare and specific conditions. These vulnerabilities should be corrected but do not represent an immediate threat to the system.

Appendix 2. Scope

The scope of the project includes the following components from the provided repository:

Scope Details

Repositoryhttps://github.com/ambrosus/openethereum
Commit30ac95eebe3089a63527e9c06574eae23aa9ee2e
Whitepaper
Requirements
Technical Requirements

Components in Scope

Layer

Cryptography and Keys

  • Cryptography Libraries

Fork review

  • Review missing updates & bug fixes since OpenEthereum v3.3.3

  • Review missing security features & bug fixes from Ethereum protocol

Chain

  • Bootstrap review (genesis, seed peers)

  • Review gas reservation mechanism

  • Standard attacks review (replay, malleability, ...)

Consensus

  • Consensus implementation review (validation, fork, ...)

  • Rewards Implementation review

  • Attack scenarios analysis (liveness, finality, eclipse, double spend, ...)

Code Quality

  • Static Code Analysis

  • Tests coverage

Node Tests

  • Environment Setup

  • E2E sync tests

  • Consensus tests

Smart contracts

  1. /contracts/LockKeeper.sol

  2. /contracts/consensus/ValidatorSet.sol

  3. /contracts/consensus/OnBlockNotifier.sol

  4. /contracts/fees/Fees.sol

  5. /contracts/multisig/Multisig.sol

  6. /contracts/multisig/MasterMultisig.sol

  7. /contracts/utils/TransferViaCall.sol

  8. /contracts/staking/ServerNodes_Manager.sol

  9. /contracts/staking/BaseNodes_Manager.sol

  10. /contracts/staking/pools/LegacyPoolsNodes_Manager.sol

  11. /contracts/staking/pools/Legacy/Pool_Legacy.sol

  12. /contracts/staking/pools/Legacy/HeadContextCatalogue.sol

  13. /contracts/staking/pools/Legacy/PoolToken.sol

  14. /contracts/finance/MasterFinance.sol

  15. /contracts/finance/Finance.sol

  16. /contracts/finance/Bank.sol

  17. /contracts/finance/Treasury.sol

  18. /contracts/funds/AirBond.sol

  19. /contracts/consensus/IValidatorSet.sol

  20. /contracts/staking/pools/Legacy/CatalogueContracts.sol

  21. /contracts/staking/pools/IPool.sol

  22. /contracts/staking/pools/Legacy/IPoolsNodesManager.sol

  23. /contracts/staking/IStakeManager.sol

  24. /contracts/fees/IFees.sol

Assets in Scope

Cryptography and Keys - Cryptography and Keys
Fork - Fork
updates & bug fixes since OpenEtherem v3.3.3 - updates & bug fixes since OpenEtherem v3.3.3
features & bug fixes from Ethereum protocol - features & bug fixes from Ethereum protocol
Chain - Chain
genesis - genesis
seed peers - seed peers
Aura Consensus - Aura Consensus
Node - Node
contracts
LockKeeper.sol - › contracts › LockKeeper.sol
consensus
ValidatorSet.sol - › contracts › consensus › ValidatorSet.sol
OnBlockNotifier.sol - › contracts › consensus › OnBlockNotifier.sol
IValidatorSet.sol - › contracts › consensus › IValidatorSet.sol
fees
Fees.sol - › contracts › fees › Fees.sol
IFees.sol - › contracts › fees › IFees.sol
projects
airdrop
AirDrop.sol - › contracts › projects › airdrop › AirDrop.sol

Disclaimer