Introduction
We express our gratitude to the Diverse Solutions team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Diverse Solutions is a staking pool that uses a modified AMM mechanism and the exchange rate between ARDM and XARDM is determined by the ratio of the total supply of XARDM to the total amount of ARDM held in the exchange contract.
title | content |
---|---|
Platform | EVM |
Language | Solidity |
Tags | Staking; ERC20 |
Timeline | 20/04/2023 - 15/06/2023 |
Methodology | https://hackenio.cc/sc_methodology→ |
Review Scope | |
---|---|
Repository | https://github.com/DiverseSolutions/ardmoney-staking-smart-contracts→ |
Commit | f9d3dc20fb0b5b5cdf0f46803c9d0a622b260d17 |
Review Scope
- Commit
- f9d3dc20fb0b5b5cdf0f46803c9d0a622b260d17
Audit Summary
10/10
97.29%
9/10
10/10
The system users should acknowledge all the risks summed up in the risks section of the report
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
Document | |
---|---|
Name | Smart Contract Code Review and Security Analysis Report for Diverse Solutions |
Audited By | Hacken |
Website | https://www.dsolutions.mn/→ |
Changelog | 24/04/2023 - Initial Review |
09/05/2023 - Second Review | |
07/06/2024 - Third Review | |
15/06/2023 - Fourth Review |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Diverse Solutions
- Audited By
- Hacken
- Website
- https://www.dsolutions.mn/→
- Changelog
- 24/04/2023 - Initial Review
- 09/05/2023 - Second Review
- 07/06/2024 - Third Review
- 15/06/2023 - Fourth Review
System Overview
Diverse Solutions is a staking pool that uses a modified AMM mechanism and the exchange rate between ARDM and XARDM is determined by the ratio of the total supply of XARDM to the total amount of ARDM held in the exchange contract. The system is explained via the following contracts:
XARDM — an ERC-20 token that does not mint any supply during initialization. Additional minting is allowed and total supply is not capped. It has the following attributes:
Name: xArdMoney
Symbol: XARDM
Decimals: 18
Total supply: Infinite.
XARDMStaking — a staking contract that allows users to deposit ARDM tokens. The staking system runs with the following logic:
Staker gets XARDM tokens in exchange for depositing ARDM. The XARDM amount to get = deposited ARDM amount * (total supply of xARDM / total ARDM in the contract).
Staker withdraws ARDM tokens by paying back the XARDM tokens. The ARDM amount to get = given XARDM amount * (total ARDM in the contract / total supply of xARDM).
Privileged roles
MINTERROLE_ of the XARDM contract can mint an arbitrary amount of tokens to any address.
DEFAULTADMINROLE can grant PAUSERROLE or MINTERROLE to any user.
The owner of the XARDMStaking contract can:
reset the rewards and withdraw deposited ARDM tokens that cross the ratio 1 of ARDM/XARDM.
set a penalty fee and a penalty deadline.
set a treasury address.
pause/unpause withdrawals or deposits.
pause getting a penalty fee.
Recommendations
Add proper NatSpec documentation for the code.
Consider merging XARDM and XARDMStaking into one contract, as both contracts are one system. Consider using the tokenized vault standard.
Provide documentation for the system.
Executive Summary
Documentation quality
The total Documentation quality score is 10 out of 10.
Functional requirements are detailed:
Project overview is detailed.
All roles in the system are described.
NatSpec is present.
Technical description is inadequate:
Technical specification is provided.
NatSpec is sufficient.
Code quality
The total Code quality score is 9 out of 10.
The development environment is configured.
CEI pattern violation is found.
Test coverage
Code coverage of the project is 97.29% (branch coverage).
Deployment and basic user interactions are covered with tests.
Negative cases coverage is partially missed.
Security score
Upon auditing, the code was found to contain 3 critical, 4 high, 2 medium, and 10 low severity issues. Out of these, 15 issues have been addressed and resolved, leading to a security score of 10 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 9.7. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Risks
In addition to the XARDMStaking contract, the system owner has the ability to mint an unlimited number of XARDM tokens. This can lead to a potential manipulation of the token price by affecting the token supply.
The smart contract highly depends on the smart contract owners, they can significantly affect the work and logic of the execution of the smart contract.
There is a risk associated with the deposit system as each new deposit resets the user's deadline, regardless of any time already passed from the previous deposit. Therefore, it is important for users to understand that each additional deposit effectively resets the lock period, requiring the user to wait anew for the entire duration until the deadline is reached.
Findings
Code ― | Title | Status | Severity | |
---|---|---|---|---|
F-2023-0028 | Front-Running Attack; Inflation Attack | fixed | Critical | |
F-2023-0027 | Highly Permissive Role Access | fixed | Critical | |
F-2023-0026 | Highly Permissive Role Access | mitigated | Critical | |
F-2023-0032 | Requirements Violation; Race Condition | fixed | High | |
F-2023-0031 | Undocumented Behavior | mitigated | High | |
F-2023-0030 | Highly Permissive Role Access | fixed | High | |
F-2023-0029 | Undocumented Behavior | fixed | High | |
F-2023-0034 | Highly Permissive Role Access | fixed | Medium | |
F-2023-0033 | Unchecked Transfer | fixed | Medium | |
F-2023-0044 | CEI Pattern Violation | mitigated | Low |
Identify vulnerabilities in your smart contracts.
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
---|---|
Repository | https://github.com/DiverseSolutions/ardmoney-sARDM-staking-contract→ |
Commit | f9d3dc20fb0b5b5cdf0f46803c9d0a622b260d17 |
Whitepaper | Not provided |
Requirements | Provided→ |
Technical Requirements | Provided→ |
Contracts in Scope
contracts/XARDM.sol
contracts/XARDMStaking.sol