BetterSwap

Audit name:

[SCA] BetterSwap / Diff Check / Jan2025

Date:

Mar 19, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 2. Scope
Disclaimer

Introduction

We express our gratitude to the BetterSwap team for their collaboration, which enabled the execution of this Smart Contract Code Difference Assessment. This report provides an assessment of code changes between VeRocket/vvet and the-better-collective/bvet, as well as VeRocket/uni-v2 and the-better-collective/betterswap-contracts. However, it is not a full security audit and should not be considered proof or a guarantee that the unchanged code is secure or functions as expected. The reviewed the-better-collective/bvet codebase is a fork of VeRocket/vvet, while the-better-collective/betterswap-contracts is a fork of VeRocket/uni-v2, with additional modifications. It is important to note that unmodified code has not been assessed for correctness, reliability, or security. There is no guarantee that it is free of flaws, vulnerabilities, or attack vectors. To ensure the system behaves as expected, a full security audit and comprehensive testing are recommended.

As a result of the diff security assessment, the provided modifications to the contracts in scope do not contain vulnerabilities and can be considered secure.

Document

Name: Smart Contract Code Difference Evaluation Report for BetterSwap
Audited By: Viktor Lavrenenko
Approved By: Ivan Bondar
Website: https://www.betterswap.io/
Changelog:
  26/02/2025 - Draft Report
  19/03/2025 - Final Report
Platform: VeChain
Language: Solidity
Tags: Decentralized Exchanges, Uniswap, VeChain, Fork
Methodology: https://hackenio.cc/sc_methodology

Audit Summary

Total Findings: 16
Resolved: 16
Accepted: 0
Mitigated: 0

System users should acknowledge all the risks summed up in the risks section of the report.

System Overview

Bvet is a decentralized staking protocol which allows its users to manage the staking of VET tokens. It tracks the amount of VET each user has staked and adheres to the VIP-180 standard. The privileged accounts with the MINTER_ROLE can withdraw the system rewards.

Betterswap is a decentralized exchange built as a fork of VeChain Labs' Uniswap V2 Implementation. It retains the core functionalities of Uniswap V2 while introducing several modifications and additional contracts to enhance user experience and streamline operations.

Potential Risks

This document is an assessment of code changes between the VeRocket/vvet and the-better-collective/bvet repositories, as well as the VeRocket/uni-v2 and the-better-collective/betterswap-contracts repositories, but it is not a complete security assessment of the contracts in scope. As such, this document should not be considered proof or a guarantee that the unchanged code works and is secure, since only the code changes have been verified during the current security assessment.

In the latest version of the WVET.sol contract from the the-better-collective/bvet repository, users staking tokens are unable to receive their rewards directly. Instead, the privileged role (WITHDRAWAL_ROLE) has exclusive control over reward withdrawals through the claimVTHO() and claimAllVTHO() functions. This centralization of reward distribution introduces a significant risk, as the rewards are allocated via out-of-scope mechanisms rather than being automatically distributed to users.

Findings

Code | Title | Status | Severity
F-2025-8993 | Incorrect Logic Prevents Full Withdrawals In claimAllVTHO function | fixed | Low
F-2025-8997 | Redundant and Unused Code in the Updated Codebase Version | fixed | Observation
F-2025-8924 | The UniswapV2Pair Was Modified | fixed | Observation
F-2025-8923 | The Contract UniswapV2Factory Was Modified | fixed | Observation
F-2025-8922 | New div() Functionality Was Introduced In The SafeMath.sol Library | fixed | Observation
F-2025-8921 | New Files Were Added | fixed | Observation
F-2025-8920 | SPDX License Identifier Was Added | fixed | Observation
F-2025-8902 | New Functions Signatures Were Added And Removed From The Interfaces | fixed | Observation
F-2025-8901 | Local Copies of the OpenZeppelin and Uniswap Smart Contracts Were Added | fixed | Observation
F-2025-8900 | StakingModel Contract Was Modified | fixed | Observation
1-10 of 16 findings

Appendix 2. Scope

Appendix Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Repository_1: https://github.com/the-better-collective/bvet
Repository_2: https://github.com/the-better-collective/betterswap-contracts
Commit_1: dd674f80b1d69d9549ae0666365a349efc3d6b03
Retest Commit_1: cb6df85e37a6ca7b41f93d00b6f8d57173513718
Commit_2: d670bee1b7825cf342a7bd197e8f69845aefd443
Retest Commit_2: 679340489609b6ae537c880be6e25e6ab774b10e
Whitepaper: N/A
Requirements: N/A
Technical Requirements: N/A

Assets in Scope

betterswap-contracts
  contracts
    uniswap-lib
      contracts
        libraries
          AddressStringUtil.sol - betterswap-contracts/contracts/uniswap-lib/contracts/libraries/AddressStringUtil.sol
          Babylonian.sol - betterswap-contracts/contracts/uniswap-lib/contracts/libraries/Babylonian.sol
          BitMath.sol - betterswap-contracts/contracts/uniswap-lib/contracts/libraries/BitMath.sol
          FixedPoint.sol - betterswap-contracts/contracts/uniswap-lib/contracts/libraries/FixedPoint.sol
          FullMath.sol - betterswap-contracts/contracts/uniswap-lib/contracts/libraries/FullMath.sol
          SafeERC20Namer.sol - betterswap-contracts/contracts/uniswap-lib/contracts/libraries/SafeERC20Namer.sol
          TransferHelper.sol - betterswap-contracts/contracts/uniswap-lib/contracts/libraries/TransferHelper.sol
    uniswap-v2-core
      contracts
        interfaces
          IERC20.sol - betterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IERC20.sol
          IStakingModel.sol - betterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IStakingModel.sol
          IUniswapV2Callee.sol - betterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IUniswapV2Callee.sol
          IUniswapV2ERC20.sol - betterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IUniswapV2ERC20.sol
          IUniswapV2Factory.sol - betterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IUniswapV2Factory.sol
          IUniswapV2Pair.sol - betterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IUniswapV2Pair.sol
          IVthoClaimable.sol - betterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IVthoClaimable.sol

Disclaimer