
Apraemio

Audit name:

[SCA] Apraemio / APRA / Oct2024

Date:

Nov 19, 2024

Table of Contents

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 1. Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Apraemio team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Apraemio is a digital asset that not only stores value but extends it, because its gold backing is designed to increase over time.

Document

Name: Smart Contract Code Review and Security Analysis Report for Apraemio
Audited By: Kornel Światłowski, Viktor Lavrenenko
Approved By: Ataberk Yavuzer
Website: https://apraemio.com
Changelog: 06/11/2024 - Preliminary Report; 19/11/2024 - Final Report
Platform: Binance Chain
Language: Solidity
Tags: BEP20, ICO, Timelock, Fee-on-Transfer
Methodology: https://hackenio.cc/sc_methodology

Review Scope

Repository: https://github.com/Apraemio/APRA/tree/audit
Commit: 9e952d4

Audit Summary

Total Findings: 13
Resolved: 12
Accepted: 1
Mitigated: 0

Users of the system should acknowledge all the risks summarised in the Potential Risks section of this report.

Documentation quality

  • Functional requirements are complete:

    • The project's purpose is described.

    • Business logic is provided.

    • Use cases are provided.

    • Project's features are provided.

  • Technical description is provided:

    • Key function descriptions are provided.

    • Roles and authorization are provided.

    • Information on used technologies is included.

    • Architectural overview is described.

Code quality

  • The development environment is configured.

  • The code base includes copies of well-known contracts.

Test coverage

Code coverage of the project is 98% (branch coverage).

  • Deployment and basic user interactions are covered with tests.

  • Negative cases coverage is provided.

  • Interactions by several users are tested thoroughly.

System Overview

Apraemio is a digital asset backed by gold and consists of the following contracts:

APRA - a deflationary BEP20 token that mints the entire initial supply to a specified address. Additional minting is not allowed. The APRA token has a built-in 1% fee on transfer.

It has the following attributes:

  • Name: Apraemio

  • Symbol: APRA

  • Decimals: 18

  • Total supply: 1 billion tokens.

TimeLock - a contract which implements token vesting.

Privileged roles

  • The owner of the APRA.sol can:

    • change the receiver of the fees via changeFeeWallet() function.

    • enable or disable fee taking via the setTakeFee() function.

    • exclude accounts from fee payment via the excludeFromFee() function.

    • include accounts to fee payments via the includeInFee() function.

  • The owner of the TimeLock_v2.sol can:

    • set the ICO timestamp to a given time via the setIcoTimestamp() function.

    • lock the ICO timestamp to the already set value via the lockIcoTimestamp() function.

    • grant a given address permission to lock tokens (add a locker) via the setAccountAsLocker() function.

    • revoke a given address's permission to lock tokens (remove a locker) via the removeAccountFromLockers() function.
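The interaction between the 1% transfer fee and a vesting lock is the hazard named in finding F-2024-6963 ("Inaccurate Token Amount Stored Due to Fee on Transfer"). The report does not reproduce the finding's details, so the following is an added model, not Apraemio's code: it assumes a lock that credits a beneficiary either with the amount requested or with the balance change actually received, and shows that only the second approach (or excluding the lock via the owner's excludeFromFee()) keeps the recorded vesting amount equal to what the lock really holds. All addresses and amounts are constructed.

```python
FEE_BPS = 100                      # 1% fee on transfer, as described for APRA
TOTAL_SUPPLY = 10**9 * 10**18      # 1 billion tokens, 18 decimals
LOCK_ADDR = "timelock"             # assumed address of the lock contract (constructed)

class FeeToken:
    """Model of a deflationary token: 1% of every transfer goes to a fee wallet."""
    def __init__(self, holder, fee_wallet):
        self.balances = {holder: TOTAL_SUPPLY}
        self.fee_wallet = fee_wallet
        self.excluded = set()      # owner-managed excludeFromFee() set
        self.take_fee = True       # owner-managed setTakeFee() switch

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = 0
        if self.take_fee and sender not in self.excluded and recipient not in self.excluded:
            fee = amount * FEE_BPS // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - fee
        self.balances[self.fee_wallet] = self.balance_of(self.fee_wallet) + fee
        return amount - fee

class Lock:
    """Vesting lock model. measure_delta=False stores the requested amount (unsafe with
    a fee-on-transfer token); measure_delta=True stores the balance change actually received."""
    def __init__(self, token, measure_delta):
        self.token, self.measure_delta, self.locked = token, measure_delta, {}

    def lock(self, sender, beneficiary, amount):
        before = self.token.balance_of(LOCK_ADDR)
        self.token.transfer(sender, LOCK_ADDR, amount)
        received = self.token.balance_of(LOCK_ADDR) - before
        credited = received if self.measure_delta else amount
        self.locked[beneficiary] = self.locked.get(beneficiary, 0) + credited
        return received

def over_credit(measure_delta, exclude_lock=False, amount=1_000 * 10**18):
    """Tokens promised to the beneficiary minus tokens the lock actually holds (0 is correct)."""
    token = FeeToken("treasury", "fees")
    if exclude_lock:
        token.excluded.add(LOCK_ADDR)   # owner excludes the lock contract from the fee
    lock = Lock(token, measure_delta)
    lock.lock("treasury", "alice", amount)
    return lock.locked["alice"] - token.balance_of(LOCK_ADDR)
```

With the fee active and the requested amount stored, the lock promises 10 tokens more than it holds per 1,000 locked; the last beneficiary to withdraw would be short, which is why the lock should record the measured balance delta.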

Potential Risks

The APRA token is a deflationary token backed by physical gold. Its price can fluctuate based on the amount of mined gold, as detailed in the Apraemio Whitepaper, specifically in the "APRA Gold Redemption" section. However, all mechanisms that influence the value of the APRA token operate off-chain and were not included in the scope of this audit; they were therefore not assessed.

Centralized Minting to a Single Address: The project concentrates minting tokens in a single address, raising the risk of fund mismanagement or theft, especially if key storage security is compromised.

As specified in the NatSpec documentation, APRA tokens will be distributed through a sale mechanism. Upon purchase, 40% of the purchased amount will be transferred instantly to the user's address, while the remaining 60% will be distributed monthly over six months from the ICO timestamp. However, the smart contract responsible for implementing this distribution mechanism was not included in the scope of this audit, and its compliance with the NatSpec specification is not guaranteed.

Findings

Code | Title | Status | Severity
F-2024-6975 | Self-Transfer in TimeLock Contract Will Lead to Locked Tokens | fixed | Medium
F-2024-6963 | Double Fee Deduction and Inaccurate Token Amount Stored Due to Fee on Transfer | fixed | Medium
F-2024-6996 | Potential Overflow In The IncreaseAllowance() Function | fixed | Low
F-2024-6973 | Missing Boundaries For The icoTimestamp Value | accepted | Low
F-2024-7003 | Missing Access Control Modifier Can Lead To Unintended Behavior | fixed | Observation
F-2024-6995 | Limited Accessibility of Vested and Withdrawn Amounts in TimeLock Contract | fixed | Observation
F-2024-6983 | Absence of Custom Errors Leading to Increased Gas Costs | fixed | Observation
F-2024-6982 | Redundant Condition In The constructor() Causing Extra Gas Consumption | fixed | Observation
F-2024-6981 | Redundant Storage Reads Increase Execution Costs | fixed | Observation
F-2024-6980 | State Variables Can Be Made Constant Or Immutable | fixed | Observation

Showing findings 1-10 of 13.


Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirement violations, as well as major deviations from best practices, also fall into this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Repository: https://github.com/Apraemio/APRA/tree/audit
Commit: 9e952d4eb9de30ae1d1c9e954e3e111453c707a1
Whitepaper: https://learn.apraemio.com/about-us/whitepaper
Requirements: README.md
Technical Requirements: README.md

Assets in Scope

APRA.sol
BEP20.sol
TimeLock_v2.sol

Disclaimer