BlastUp

We express our gratitude to the BlastUp team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

BlastUP is a launchpad and staking platform within the Blast blockchain ecosystem.

The system users should acknowledge all the risks summed up in the risks section of the report

BlastUP is a launchpad and staking platform within the Blast blockchain ecosystem with the following contracts:

Launchpad  — The Launchpad contract, built with upgradeable ownership, primarily facilitates the management of token sales on a blockchain platform. It supports different user tiers, each with specific minimum amounts and weights that influence their participation in token sales. The contract interacts with an oracle for pricing conversions and handles registrations, sales, and the claiming of tokens based on sale conditions and user eligibility.  LaunchpadV2  — The 2.0 version of Launchpad contract. Users able to register their tier and allocations according to the staked amount on BLPStaking.sol and Inherits Launchpad.sol. YieldStaking — The contract manages staking through an elaborate system of indexed mappings and struct arrays that track individual and total stakes, including accrued rewards and withdrawal timelines.  Functionally, the contract allows users to deposit tokens into specific pools (USDB and WETH), where these tokens are then "locked" with an associated timer that dictates when they can be withdrawn. Reward calculations are dynamically adjusted through the integration with rebasing mechanisms of the staked tokens, allowing the contract to update the staking index based on the tokens’ new supply metrics after each rebase event.

Privileged roles

• The owner of the Launchpad contract can:

• • Set a new signer address.

  • Set a new operator address.

  • Place tokens for a new sale event.

• The owner and operator  of the Launchpad contract can:

• • Set new amounts for user tiers.

  • Set new weights for user tiers.

  • Set new registration start and end times.

  • Set a new public sale start time.

  • Set new FCFS sale start and end times.

  • Set a new tge start time.

  • Set a new vesting start time.

  • Claim remainders after a sale ends.

• The owner of the YieldStaking contract can:

• • Set the minimum USDB value for stakes.

  • Set the minimum time required before withdrawals can be made .

The total Documentation Quality score is 10 out of 10.

• Functional requirements are partially missed.

• • Use case are provided.

  • System roles are documented.

• Technical description is not provided.

• • Descriptions of the development environment is provided.

  • NatSpec are sufficient.

  • The Launchpad, LaunchpadV2 description is provided.

  • The YieldStaking description is provided.

The total Code Quality score is 9 out of 10.

• The development environment is configured.

• The majority of functions rely on admin actions rather than implementing governance structures for decision-making.

Code coverage of the project is 75%.

• Coverage tool couldn't be run due to errors.

• During the manual inspection, it was identified that unit and fuzz testing are implemented, but integration tests are absent, leading to the oversight of crucial scenarios. For example, in claim fuzz testing, the contract consistently returns zero for user rewards, and fuzz testing successfully claims this zero reward.

Upon auditing, the code was found to contain 0 critical, 0 high, 2 medium, and 9 low severity issues, leading to a security score of 10 out of 10.

All identified issues are detailed in the “Findings” section of this report.

The comprehensive audit of the customer's smart contract yields an overall score of 8.8. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

The scope of the project includes the following smart contracts from the provided repository: