Common Wealth

We thank Common Wealth for allowing us to conduct a Smart Contract Security Assessment. This document outlines our methodology, limitations, and results of the security assessment.

Common Wealth is a platform that allows users with diverse financial opportunities with advanced staking and investment functionalities.

The system users should acknowledge all the risks summed up in the risks section of the report

Commonwealth is an investment protocol that allows users to invest their tokens and get additional discount by staking NFTs with the following contracts:

Wlth  — simple ERC-20 token that mints all initial supply to a deployer. Additional minting is not allowed.

It has the following attributes:

• Name: not pre-defined

• Symbol: not pre-defined

• Decimals: 18

• Total supply: 1 billion tokens.

Constants — a basic contract that stores BASISPOINTDIVISOR variable.

LibFund — a basic contract that stores state stasus variables.

LibProject — a basic contract that stores ADDED or DEPLOYED status variables.

Utils — a basic contract that is used to do basic math operations and token transfers.

BaseVesting — an abstract contract that allows for the time-based release of allocated tokens over a specified duration, with configurable cadence and permissions for token release..

GenesisNFTVesting — a contract that implements a token vesting system for holders of Genesis NFTs (Non-Fungible Tokens), allowing the release of allocated tokens over a specified duration with configurable cadence, taking into account ownership and staking of different series of Genesis NFTs..

SimpleVesting — a contract that allows the beneficiary address to release allocated tokens periodically over a specified duration. for a specified address

StakingGenNFTVesting — a contract that represents a staking-based vesting system for a specific token. It allows users who have staked Genesis NFTs to release allocated tokens periodically over time, based on their staking rewards obtained from a specified staking contract (StakingGenesisNFT).

GenesisNFT — an ERC-721-compliant contract that incorporates role-based access control, pausability, royalty settings, zkSync integration for minting and burning with notifications to a zkSync mirror.

GenesisNFTmirror — an ERC-721-compatible contract that allows the owner or governor to move and destroy tokens, track token ownership, and manage token balances with functionality for changing the governor and querying balances and ownership details to notify ZK mirror.

InvestmentFund — a contract that allows investors to deposit funds, manage projects, and receive profits based on their participation, while enforcing various conditions such as fund closure and state-specific functionalities. Users own an NFT of equivalent value to their investments and are free to transfer this NFT. They can also choose to split it into several different NFTs of varying values.. Investors are allowed to earn a discount on the profit of up to 10% based on their staked WLTH token amount in the platform. The max fee rate is specified as 40% in the project.

InvestmentFundRegistry  — a management contract that allows the addition, removal, and listing of investment funds by the owner.

InvestmentNFT — a contract that represents an upgradeable ERC-721 token with additional features tailored for investment purposes. It includes functionalities such as pausing, ownership management, minter control, token minting, splitting, and tracking investment values for both individual accounts and the total investment pool.

OwnablePausable — a contract that provides the functionality for ownership management and pausability, allowing the owner to pause and unpause certain operations in the contract

Project — a contract that allows funding the InvestmentFund contract and accepts available tokens from InvestmentFund.

StakingGenesisNFT —  a contract that implements a staking mechanism for small and large NFTs, allowing users to stake and unstake these NFTs within a specified time period, earning rewards based on the staking duration.

StakingWlth — a contract that enables users to stake WLTH tokens for defined durations, earning fee discounts on the profit in InvestmentFund. Stakers can unstake their tokens with potential penalties according to the unstake time. The contract incorporates features, such as pausing, ownership control, and fund registration.

StateMachine — a contract that implements a basic state machine with upgradeability support for the entire platform which restricts or allows access to functions based on the current state.

UniswapQuoter — a contract that initializes the Uniswap quoter and fee tier, and executes swap for the given token addresses and amounts.

UniswapSwapper — a contract that allows executing token swaps using Uniswap V3's ISwapRouter.

Privileged roles

• The owner of the GenesisNFTVesting contract can set the bonus amounts for each Genesis NFT id.

• The owner SimpleVesting contract can set the beneficiary address that will receive the token releases.

• The owner of InvestmentFund contract can add/remove Project addresses, end investing, deploy funds to the contract or close funding,

• The owner of InvestmentFundRegistry can add/remove fund addresses

• The owner of InvestmentNFT contract can set the token URI, add/remove minter role.

• The owner of OwnablePausable contract can pause/unpause the contract,

• The owner of Project contract can set the Vesting address and provide profit to the InvestmentFund.

• The owner of StakingGenesisNFT contract can set the final timestamp for the staking schedule.

• The owner of StakingWlth contract can register/unregister InvestmentFund contract addresses

The total Documentation Quality score is 10 out of 10.

• Functional requirements are provided

• Technical description is provided.

• NatSpec is sufficient.

The total Code Quality score is 10 out of 10.

• The code does follow the Solidity best practices.

Code coverage of the project is 80% (branch coverage).

• The contracts within the tests are not sufficiently interconnected. Instead of running the deployed contracts together, mock contracts have been used to return a specific value.

• Deployment and basic user interactions are covered with tests.

• Interactions by several users are not tested thoroughly.

Upon auditing, the code was found to contain 2 critical, 1 high, 3 medium, and 1 low severity issues, leading to a security score of 9 out of 10. All the issues mentioned in the report are resolved.

All identified issues are detailed in the “Findings” section of this report.

The comprehensive audit of the Customer's smart contract yields an overall score of 8.6 This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

The scope of the project includes the following smart contracts from the provided repository: