Introduction
We express our gratitude to the Apraemio team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Apraemio is a digital asset that not only stores but extends its value because of the ever-increasing gold backing system.
This copy of the report contains all findings as accepted and not fixed. It has been prepared and provided in accordance with the client’s specific request.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Apraemio |
| Audited By | Kornel Światłowski, Viktor Lavrenenko |
| Approved By | Ataberk Yavuzer |
| Website | https://apraemio.com→ |
| Changelog | 06/11/2024 - Preliminary Report |
| 28/11/2024 - Final Report | |
| Platform | Binance Chain |
| Language | Solidity |
| Tags | BEP20, ICO, Timelock, Fee-on-Transfer |
| Methodology | https://hackenio.cc/sc_methodology→ |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Apraemio
- Audited By
- Kornel Światłowski, Viktor Lavrenenko
- Approved By
- Ataberk Yavuzer
- Website
- https://apraemio.com→
- Changelog
- 06/11/2024 - Preliminary Report
- 28/11/2024 - Final Report
- Platform
- Binance Chain
- Language
- Solidity
- Tags
- BEP20, ICO, Timelock, Fee-on-Transfer
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope | |
|---|---|
| Repository | https://github.com/Apraemio/APRA/tree/audit→ |
| Commit | 9e952d4 |
Review Scope
- Commit
- 9e952d4
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are complete:
The project's purpose is described.
Business logic is provided.
Use cases are provided.
Project's features are provided.
Technical description is provided:
Key function descriptions are provided.
Roles and authorization are provided.
Information on used technologies is included.
Architectural overview is described.
Code quality
Insufficient Gas modeling.
The development environment is configured.
Copy of well known contracts.
Best practices are not followed: F-2024-6939, F-2024-6979, F-2024-6980, F-2024-6981, F-2024-6982, F-2024-6983, F-2024-6995, F-2024-6973, F-2024-6975.
Test coverage
Code coverage of the project is 100% (branch coverage).
Deployment and basic user interactions are covered with tests.
Negative cases coverage is provided.
Interactions by several users are tested thoroughly.
System Overview
Apraemio is a digital asset backed by the gold with the following contracts:
APRA — a deflationary BEP20 token that mints all initial supply to a specified address. Additional minting is not allowed. APRA token has build in 1% fee on transfer.
It has the following attributes:
Name: Apraemio
Symbol: APRA
Decimals: 18
Total supply: 1 billion tokens.
TimeLock - a contract which implements token vesting.
Privileged roles
The owner of the
APRA.solcan:change the receiver of the fees via
changeFeeWallet()function.enable or disable fee taking via the
setTakeFee()function.exclude accounts from fee payment via the
excludeFromFee()function.include accounts to fee payments via the
includeInFee()function.
The owner of the
TimeLock_v2.solcan:sets the ICO timestamp to the given time via
setIcoTimestamp()function.lock the ICO timestamp to the already set value via
lockIcoTimestamp()function.
Potential Risks
The APRA token is a deflationary token backed by physical gold. Its price can fluctuate based on the amount of mined gold, as detailed in the Apraemio Whitepaper →, specifically in the "APRA Gold Redemption" section. However, all mechanisms that influence the value of the APRA token are conducted off-chain and were not included within the scope of this audit, hence were not properly assessed.
Centralized Minting to a Single Address: The project concentrates minting tokens in a single address, raising the risk of fund mismanagement or theft, especially if key storage security is compromised.
As specified in the NatSpec documentation, APRA tokens will be distributed through a sale mechanism. Upon purchase, 40% of the purchased amount will be transferred instantly to the user's address, while the remaining 60% will be distributed monthly over six months from the ICO timestamp. However, the smart contract responsible for implementing this distribution mechanism was not included in the scope of this audit, and its compliance with the NatSpec specification is not guaranteed.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-7130 | Self-Transfer in TimeLock Contract Will Lead to Locked Tokens | accepted | Medium | |
| F-2024-7128 | Double Fee Deduction and Inaccurate Token Amount Stored Due to Fee on Transfer | accepted | Medium | |
| F-2024-7138 | Potential Overflow In The IncreaseAllowance() Function | accepted | Low | |
| F-2024-7129 | Missing Boundaries For The icoTimestamp Value | accepted | Low | |
| F-2024-7139 | Missing Access Control Modifier Can Lead To Unintended Behavior | accepted | Observation | |
| F-2024-7137 | Limited Accessibility of Vested and Withdrawn Amounts in TimeLock Contract | accepted | Observation | |
| F-2024-7136 | Absence of Custom Errors Leading to Increased Gas Costs | accepted | Observation | |
| F-2024-7135 | Redundant Condition In The constructor() Causing Extra Gas Consumption | accepted | Observation | |
| F-2024-7134 | Redundant Storage Reads Increase Execution Costs | accepted | Observation | |
| F-2024-7133 | State Variables Can Be Made Constant Or Immutable | accepted | Observation |
Appendix 1. Definitions
Severities
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.
Potential Risks
The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/Apraemio/APRA/tree/audit→ |
| Commit | 9e952d4eb9de30ae1d1c9e954e3e111453c707a1 |
| Deployed Addresses | 0xf78e6432fde852d94e6ee4a82c1e198dcbe4a06b→ |
| 0x0c4ac8952c28e2e7fe22033C8D2F1263372d301d→ | |
| Whitepaper | https://learn.apraemio.com/about-us/whitepaper→ |
| Requirements | README.md→ |
| Technical Requirements | README.md→ |
Scope Details
- Commit
- 9e952d4eb9de30ae1d1c9e954e3e111453c707a1
- Deployed Addresses
- 0xf78e6432fde852d94e6ee4a82c1e198dcbe4a06b→
- Requirements
- README.md→
- Technical Requirements
- README.md→