Audit name:
[SCA] BetterSwap / Diff Check / Jan2025
Date:
Mar 19, 2025
Table of Content
Introduction
We express our gratitude to the BetterSwap team for their collaboration, which enabled the execution of this Smart Contract Code Difference Assessment. This report provides an assessment of code changes between VeRocket/vvet → and the-better-collective/bvet →, as well as VeRocket/uni-v2 → and the-better-collective/betterswap-contracts →. However, it is not a full security audit and should not be considered proof or a guarantee that the unchanged code is secure or functions as expected. The reviewed the-better-collective/bvet → codebase is a fork of VeRocket/vvet →, while the-better-collective/betterswap-contracts → is a fork of VeRocket/uni-v2 →, with additional modifications. It is important to note that unmodified code has not been assessed for correctness, reliability, or security. There is no guarantee that it is free of flaws, vulnerabilities, or attack vectors. To ensure the system behaves as expected, a full security audit and comprehensive testing are recommended.
The changes introduced to the original code from https://github.com/the-better-collective/betterswap-contracts → and https://github.com/the-better-collective/bvet →
As a result of the diff security assessment, the provided modifications to the contracts in scope do not contain vulnerabilities and can be considered secure.
Document | |
|---|---|
| Name | Smart Contract Code Difference Evaluation Report for BetterSwap |
| Audited By | Viktor Lavrenenko |
| Approved By | Ivan Bondar |
| Website | https://www.betterswap.io/→ |
| Changelog | 26/02/2025 - Draft Report |
| 19/03/2025 - Final Report | |
| Platform | VeChain |
| Language | Solidity |
| Tags | Decentralized Exchanges, Uniswap, VeChain, Fork |
| Methodology | https://hackenio.cc/sc_methodology→ |
Document
- Name
- Smart Contract Code Difference Evaluation Report for BetterSwap
- Audited By
- Viktor Lavrenenko
- Approved By
- Ivan Bondar
- Website
- https://www.betterswap.io/→
- Changelog
- 26/02/2025 - Draft Report
- 19/03/2025 - Final Report
- Platform
- VeChain
- Language
- Solidity
- Tags
- Decentralized Exchanges, Uniswap, VeChain, Fork
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope | |
|---|---|
| Repository_1 | https://github.com/the-better-collective/bvet→ |
| Repository_2 | https://github.com/the-better-collective/betterswap-contracts→ |
| Commit_1 | dd674f8 |
| Commit_2 | d670bee |
Review Scope
- Repository_1
- https://github.com/the-better-collective/bvet→
- Commit_1
- dd674f8
- Commit_2
- d670bee
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
System Overview
Bvet is a decentralized staking protocol which allows its users to manage the staking of VET tokens. It tracks the amount of VET each user has staked and adheres to the VIP-180 standard. The privileged accounts with the MINTER_ROLE can withdraw the system rewards. Betterswap is a decentralized exchange built as a fork of VeChain Labs' Uniswap V2 Implementation. It retains the core functionalities of Uniswap V2 while introducing several modifications and additional contracts to enhance user experience and streamline operations.
Potential Risks
This presented document is an assessment of code changes between VeRocket/vvet → and the-better-collective/bvet → as well as VeRocket/uni-v2 → and the-better-collective/betterswap-contracts → repositories, but it is not a complete security assessment of the contracts in scope. As such, this document should not be considered a proof or guarantee that the unchanged code works and it is secure, since only the code changes have been verified during the current security assessment.
In the latest version of the WVET.sol contract from the the-better-collective/bvet repository, users staking tokens are unable to receive their rewards directly. Instead, the privileged role (WITHDRAWAL_ROLE) has exclusive control over reward withdrawals through the claimVTHO() and claimAllVTHO() functions. This centralization of reward distribution introduces a significant risk, as the rewards are allocated via out-of-scope mechanisms rather than being automatically distributed to users.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2025-8993 | Incorrect Logic Prevents Full Withdrawals In claimAllVTHO function | fixed | Low | |
| F-2025-8997 | Redundant and Unused Code in the Updated Codebase Version | fixed | Observation | |
| F-2025-8924 | The UniswapV2Pair Was Modified | fixed | Observation | |
| F-2025-8923 | The Contract UniswapV2Factory Was Modified | fixed | Observation | |
| F-2025-8922 | New div() Functionality Was Introduced In The SafeMath.sol Library | fixed | Observation | |
| F-2025-8921 | New Files Were Added | fixed | Observation | |
| F-2025-8920 | SPDX License Identifier Was Added | fixed | Observation | |
| F-2025-8902 | New Functions Signatures Were Added And Removed From The Interfaces | fixed | Observation | |
| F-2025-8901 | Local Copies of the OpenZeppelin and Uniswap Smart Contracts Were Added | fixed | Observation | |
| F-2025-8900 | StakingModel Contract Was Modified | fixed | Observation |
Identify vulnerabilities in your smart contracts.
Appendix 2. Scope
Appendix Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository_1 | https://github.com/the-better-collective/bvet→ |
| Repository_2 | https://github.com/the-better-collective/betterswap-contracts→ |
| Commit_1 | dd674f80b1d69d9549ae0666365a349efc3d6b03 |
| Retest Commit_1 | cb6df85e37a6ca7b41f93d00b6f8d57173513718 |
| Commit_2 | d670bee1b7825cf342a7bd197e8f69845aefd443 |
| Retest Commit_2 | 679340489609b6ae537c880be6e25e6ab774b10e |
| Whitepaper | N/A |
| Requirements | N/A |
| Technical Requirements | N/A |
Scope Details
- Repository_1
- https://github.com/the-better-collective/bvet→
- Commit_1
- dd674f80b1d69d9549ae0666365a349efc3d6b03
- Retest Commit_1
- cb6df85e37a6ca7b41f93d00b6f8d57173513718
- Commit_2
- d670bee1b7825cf342a7bd197e8f69845aefd443
- Retest Commit_2
- 679340489609b6ae537c880be6e25e6ab774b10e
- Whitepaper
- N/A
- Requirements
- N/A
- Technical Requirements
- N/A
Assets in Scope
betterswap-contracts/contracts/uniswap-lib/contracts/libraries/AddressStringUtil.solbetterswap-contracts/contracts/uniswap-lib/contracts/libraries/Babylonian.solbetterswap-contracts/contracts/uniswap-lib/contracts/libraries/BitMath.solbetterswap-contracts/contracts/uniswap-lib/contracts/libraries/FixedPoint.solbetterswap-contracts/contracts/uniswap-lib/contracts/libraries/FullMath.solbetterswap-contracts/contracts/uniswap-lib/contracts/libraries/SafeERC20Namer.solbetterswap-contracts/contracts/uniswap-lib/contracts/libraries/TransferHelper.solbetterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IERC20.solbetterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IStakingModel.solbetterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IUniswapV2Callee.solbetterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IUniswapV2ERC20.solbetterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IUniswapV2Factory.solbetterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IUniswapV2Pair.solbetterswap-contracts/contracts/uniswap-v2-core/contracts/interfaces/IVthoClaimable.sol