Q1 2025 Web3 Security ReportAccess control failures led to $1.63 billion in losses
Discover report insights
  • Hacken
  • Audits
  • diverse-solutions
  • [SCA] Diverse Solutions / Staking / Apr2023
Diverse Solutions logo

Diverse Solutions

Audit name:

[SCA] Diverse Solutions / Staking / Apr2023

Date:

Jun 6, 2023

Table of Content

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Diverse Solutions team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Diverse Solutions is a staking pool that uses a modified AMM mechanism and the exchange rate between ARDM and XARDM is determined by the ratio of the total supply of XARDM to the total amount of ARDM held in the exchange contract.

titlecontent
PlatformEVM
LanguageSolidity
TagsStaking; ERC20
Timeline20/04/2023 - 15/06/2023
Methodologyhttps://hackenio.cc/sc_methodology

    Review Scope

    Repositoryhttps://github.com/DiverseSolutions/ardmoney-staking-smart-contracts
    Commitf9d3dc20fb0b5b5cdf0f46803c9d0a622b260d17

    Audit Summary

    Total9.7/10
    Security Score

    10/10

    Test Coverage

    97.29%

    Code Quality Score

    9/10

    Documentation Quality Score

    10/10

    19Total Findings
    15Resolved
    0Accepted
    4Mitigated

    The system users should acknowledge all the risks summed up in the risks section of the report

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    NameSmart Contract Code Review and Security Analysis Report for Diverse Solutions
    Audited ByHacken
    Websitehttps://www.dsolutions.mn/
    Changelog24/04/2023 - Initial Review
    09/05/2023 - Second Review
    07/06/2024 - Third Review
    15/06/2023 - Fourth Review
    • Document

      Name
      Smart Contract Code Review and Security Analysis Report for Diverse Solutions
      Audited By
      Hacken
      Changelog
      24/04/2023 - Initial Review
      09/05/2023 - Second Review
      07/06/2024 - Third Review
      15/06/2023 - Fourth Review

    System Overview

    Diverse Solutions is a staking pool that uses a modified AMM mechanism and the exchange rate between ARDM and XARDM is determined by the ratio of the total supply of XARDM to the total amount of ARDM held in the exchange contract. The system is explained via the following contracts:

    • XARDM — an ERC-20 token that does not mint any supply during initialization. Additional minting is allowed and total supply is not capped. It has the following attributes:

      • Name: xArdMoney

      • Symbol: XARDM

      • Decimals: 18

      • Total supply: Infinite.

    • XARDMStaking — a staking contract that allows users to deposit ARDM tokens. The staking system runs with the following logic:

      • Staker gets XARDM tokens in exchange for depositing ARDM. The XARDM amount to get = deposited ARDM amount * (total supply of xARDM / total ARDM in the contract).

      • Staker withdraws ARDM tokens by paying back the XARDM tokens. The ARDM amount to get = given XARDM amount * (total ARDM in the contract / total supply of xARDM).

    Privileged roles

    • MINTERROLE_ of the XARDM contract can mint an arbitrary amount of tokens to any address.

    • DEFAULTADMINROLE can grant PAUSERROLE or MINTERROLE to any user.

    • The owner of the XARDMStaking contract can:

      • reset the rewards and withdraw deposited ARDM tokens that cross the ratio 1 of ARDM/XARDM.

      • set a penalty fee and a penalty deadline.

      • set a treasury address.

      • pause/unpause withdrawals or deposits.

      • pause getting a penalty fee.

    Recommendations

    • Add proper NatSpec documentation for the code.

    • Consider merging XARDM and XARDMStaking into one contract, as both contracts are one system. Consider using the tokenized vault standard.

    • Provide documentation for the system.

    Executive Summary

    Documentation quality

    The total Documentation quality score is 10 out of 10.

    • Functional requirements are detailed:

      • Project overview is detailed.

      • All roles in the system are described.

      • NatSpec is present.

    • Technical description is inadequate:

      • Technical specification is provided.

      • NatSpec is sufficient.

    Code quality

    The total Code quality score is 9 out of 10.

    • The development environment is configured.

    • CEI pattern violation is found.

    Test coverage

    Code coverage of the project is 97.29% (branch coverage).

    • Deployment and basic user interactions are covered with tests.

    • Negative cases coverage is partially missed.

    Security score

    Upon auditing, the code was found to contain 3 critical, 4 high, 2 medium, and 10 low severity issues. Out of these, 15 issues have been addressed and resolved, leading to a security score of 10 out of 10.

    All identified issues are detailed in the “Findings” section of this report.

    Summary

    The comprehensive audit of the customer's smart contract yields an overall score of 9.7. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

    Risks

    In addition to the XARDMStaking contract, the system owner has the ability to mint an unlimited number of XARDM tokens. This can lead to a potential manipulation of the token price by affecting the token supply.

    The smart contract highly depends on the smart contract owners, they can significantly affect the work and logic of the execution of the smart contract.

    There is a risk associated with the deposit system as each new deposit resets the user's deadline, regardless of any time already passed from the previous deposit. Therefore, it is important for users to understand that each additional deposit effectively resets the lock period, requiring the user to wait anew for the entire duration until the deadline is reached.

    Findings

    Code
    Title
    Status
    Severity
    F-2023-0028Front-Running Attack; Inflation Attack
    fixed

    Critical
    F-2023-0027Highly Permissive Role Access
    fixed

    Critical
    F-2023-0026 Highly Permissive Role Access
    mitigated

    Critical
    F-2023-0032Requirements Violation; Race Condition
    fixed

    High
    F-2023-0031Undocumented Behavior
    mitigated

    High
    F-2023-0030Highly Permissive Role Access
    fixed

    High
    F-2023-0029Undocumented Behavior
    fixed

    High
    F-2023-0034Highly Permissive Role Access
    fixed

    Medium
    F-2023-0033Unchecked Transfer
    fixed

    Medium
    F-2023-0044CEI Pattern Violation
    mitigated

    Low
    1-10 of 19 findings

    Identify vulnerabilities in your smart contracts.

    Appendix 1. Severity Definitions

    When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

    Reference on how risk scoring is done is available through the repository in our Github organization:

    Severity

    Description

    Critical
    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    High
    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Medium
    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Low
    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
    • Severity

      Critical

      Description

      Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

      Severity

      High

      Description

      High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

      Severity

      Medium

      Description

      Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

      Severity

      Low

      Description

      Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details

    Repositoryhttps://github.com/DiverseSolutions/ardmoney-sARDM-staking-contract
    Commitf9d3dc20fb0b5b5cdf0f46803c9d0a622b260d17
    WhitepaperNot provided
    RequirementsProvided
    Technical RequirementsProvided

    Contracts in Scope

    contracts
    XARDM.sol - contracts/XARDM.sol
    XARDMStaking.sol - contracts/XARDMStaking.sol

    Disclaimer