- Hacken
- Audits
- common-wealth
- [SCA] Common Wealth | Vesting | Mar2024
Introduction
We express our gratitude to the Common Wealth team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Common Wealth is a platform that allows users with diverse financial opportunities with advanced staking and investment functionalities.
| title | content |
|---|---|
| Platform | EVM |
| Language | Solidity |
| Tags | Vesting |
| Timeline | 19/03/2024 - 27/03/2024 |
| Methodology | https://hackenio.cc/sc_methodology→ |
Review Scope | |
|---|---|
| Repository | https://github.com/CommonWealthDAO/commonwealth-contracts/tree/audit-data→ |
| Commit | 2c814d1b0589445fad95d35daef87e9c5e60cce0 |
Review Scope
- Commit
- 2c814d1b0589445fad95d35daef87e9c5e60cce0
Audit Summary
10/10
100%
10/10
10/10
The system users should acknowledge all the risks summed up in the risks section of the report
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Common Wealth |
| Audited By | Luis Arroyo, Viktor Raboshchuk |
| Approved By | Przemyslaw Swiatowiec |
| Website | common-wealth.io→ |
| Changelog | 29/03/2024 - Preliminary Report |
| 11/04/2024 - Remediation Update |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Common Wealth
- Audited By
- Luis Arroyo, Viktor Raboshchuk
- Approved By
- Przemyslaw Swiatowiec
- Website
- common-wealth.io→
- Changelog
- 29/03/2024 - Preliminary Report
- 11/04/2024 - Remediation Update
System Overview
Common Wealth is an investment protocol that allows users to invest their tokens and get rewards by vesting tokens, by staking or holding NFTs with the following contracts:
GenesisNFTVesting.sol -The contract facilitates the distribution of rewards for Genesis NFT holders. Users holding Series 1 and Series 2 Genesis NFTs can claim their vested rewards according to the vesting schedule.
SimpleVesting.sol - The contract is designed to provide a streamlined approach to token vesting for a single beneficiary. It offers functions for releasing vested tokens, setting the beneficiary address, and withdrawing leftover or surplus tokens.
StakingGenesisNFTVesting.sol - The contract manages the distribution of rewards for Staking Genesis NFTs. Users who hold these NFTs can claim rewards according to the allocation set in the contract.
WhitelistedVesting.sol - The contract allows WLTH tokens to be claimed by multiple addresses defined as whitelist. Actual mechanics agreed on can claim their vested rewards according to the vesting schedule.
interfaces/IGenesisNFTVesting.sol - Interface for managing the vesting of Genesis NFTs and releasing rewards over time.
interfaces/ISimpleVesting.sol - Interface defines functions and structures for managing vesting of tokens, allowing release by specified beneficiaries and setting vesting parameters like start time and duration
interfaces/IStakingGenesisNFTVesting.sol - Interface defines functions and structures for managing vesting of rewards for Staking Genesis NFTs.
interfaces/IWhitelistedVesting.sol
interfaces/IWithdrawal.sol - Interface for contracts that allow withdrawal functionality.
interfaces/IWlth.sol - Interface defines functions for tokens burning logic.
Privileged roles
The owner of the SimpleVesting.sol contract can set actual beneficiary, perform an leftovers withdrawal of remaining rewards, can mark tokens as lost and perform emergency withdrawals for them.
The owner of the GenesisNFTVesting.sol contract can set a bonus reward for specific Series 1 Genesis NFTs, can perform an leftovers withdrawal of remaining rewards, can mark tokens as lost and perform emergency withdrawals for them.
The owner of the StakingGenesisNFTVesting.sol contract can set rewards for users, can perform an leftovers withdrawal of remaining rewards, mark wallets as lost and perform emergency withdrawals for them.
The owner of the WhitelistedVesting.sol contract can distribute tokens for each wallet, can whitelist or de-whitelist chosen wallets, can perform an leftovers withdrawal of remaining rewards, can mark tokens as lost and perform emergency withdrawals for them.
The owner of the StakingGenesisNFT.sol contract can set timestamp by which staking ends.
Executive Summary
Documentation quality
The total Documentation Quality score is 10 out of 10.
No NatSpec with technical information.
The technical description is provided.
Some function description is missing.
Code quality
The total Code Quality score is 10 out of 10.
Test coverage
Code coverage of the project is 100%.
Security score
Upon auditing, the code was found to contain 1 critical, 1 high, 0 medium, and 5 low severity issues. After remediation part of an audit process, critical and high issues were fixed, 1 low issue was fixed and 4 low issues were accepted, leading to a security score of 10 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 10. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Risks
The functionality for emergency withdrawal by the owner is present in the codebase. The owner has the ability to withdraw all funds using the emergencyWithdraw function in both the GenesisNFTVesting and StakingGenesisNFTVesting contracts.
The missing controls in the setVestingTime function would allow blocking funds by setting wrong dates.
Through malicious use of some functions, it would be possible to withdraw more tokens than expected, allowing a loss of funds from the protocol.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-1704 | The release() function allows users to withdraw all funds | fixed | Critical | |
| F-2024-1639 | Unauthorized calls to setVestingStartTimestamp | fixed | High | |
| F-2024-1866 | Loop over unbounded array may lead to Denial Of Service | accepted | Low | |
| F-2024-1758 | Centralization risk for trusted owners | accepted | Low | |
| F-2024-1687 | Owner can renounce ownership | accepted | Low | |
| F-2024-1686 | Critical changes should use two-step procedure | accepted | Low | |
| F-2024-1655 | Missing checks for the zero address | fixed | Low | |
| F-2024-1868 | Solidity Style Guide violation | fixed | Observation | |
| F-2024-1697 | Event in the setBeneficiary() function emits wrong value | fixed | Observation | |
| F-2024-1695 | Missing limits when setting min/max amounts | fixed | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/CommonWealthDAO/commonwealth-contracts/tree/audit-data→ |
| Commit | 2c814d1b0589445fad95d35daef87e9c5e60cce0 |
| Whitepaper | - |
| Requirements | https://www.notion.so/common-wealth/→ |
| Technical Requirements | https://www.notion.so/common-wealth/→ |
Scope Details
- Commit
- 2c814d1b0589445fad95d35daef87e9c5e60cce0
- Whitepaper
- -
- Requirements
- https://www.notion.so/common-wealth/→
- Technical Requirements
- https://www.notion.so/common-wealth/→