Introduction
We express our gratitude to the FWB team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
The FWB Migration Contracts facilitate the migration of FWB tokens from Ethereum mainnet to a token to be deployed on the Base network.
Document |
---|---
Name | Smart Contract Code Review and Security Analysis Report for FWB
Audited By | Olesia Bilenka
Approved By | Przemyslaw Swiatowiec
Website | https://www.fwb.help/
Changelog | 21/06/2024 - Preliminary Report; 01/07/2024 - Final Report
Platform | Ethereum Mainnet, Base Mainnet
Language | Solidity
Tags | Bridge
Methodology | https://hackenio.cc/sc_methodology
Review Scope |
---|---
Repository | https://github.com/friends-with-benefits/migration-contracts
Commit | 4feb7a9
Audit Summary
The system users should acknowledge all the risks summed up in the Risks section of the report.
Documentation quality
Functional requirements are provided.
Technical description is provided.
Documentation is comprehensive.
Code quality
The code follows best practices and official Solidity style guide.
The development environment is configured.
Test coverage
Code coverage of the project is 100% (branch coverage).
Deployment and user interactions are covered with tests.
Some negative cases are not tested.
System Overview
The FWB Migration Contracts facilitate the migration of FWB tokens from Ethereum mainnet to a token to be deployed on the Base network.
MigrationManager is a contract that facilitates the deposit of $FWB tokens on the Ethereum mainnet. Users can deposit $FWB tokens, specifying either their own address or another address as the recipient of the Base $FWB tokens. The contract records the deposit details, including the depositor's and recipient's addresses, the amount deposited, and the timestamp. Additionally, the contract allows the owner to burn a specified amount of tokens.
MigrationDistributor is a contract that facilitates the transfer of Base $FWB tokens to users who have locked their tokens in the MigrationManager contract on the Ethereum mainnet. The Migration Recorder records deposit details, including the recipient's address and the deposited amount. After a specified transfer delay, the Migration Processor distributes the corresponding Base $FWB tokens to the recipients based on a conversion rate.
Privileged roles
The owner of the MigrationManager contract can burn tokens.
The owner of the MigrationDistributor contract can set the transfer delay, migration recorder, and migration processor.
The Migration Recorder of the MigrationDistributor contract can record deposit details.
The Migration Processor of the MigrationDistributor contract can distribute tokens based on recorded deposits.
Risks
Owner's Unrestricted State Modification: The absence of restrictions on state variable modifications by the owner leads to arbitrary changes, affecting contract integrity and user trust, especially during critical operations like minting phases.
Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.
Findings
Code | Title | Status | Severity |
---|---|---|---|
F-2024-3995 | Risk of Ownership Control Loss in Owner-Dependent Contracts | fixed | Low |
F-2024-4002 | Redundant Comparisons to Boolean Values | fixed | Observation |
F-2024-3996 | Floating Pragma | fixed | Observation |
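The following Solidity contract is an added illustration, not code from the audited repository, of the distributor design described in the System Overview and Privileged Roles sections together with the remediations implied by the three findings above: ownership that can only move through a two-step transfer (F-2024-3995), plain boolean tests instead of `== true` comparisons (F-2024-4002), and a pinned compiler version instead of a floating pragma (F-2024-3996). Every contract, function and variable name here is hypothetical; the example assumes OpenZeppelin Contracts v5 (`Ownable` takes an initial owner argument) and expresses the conversion rate as Base tokens per mainnet token scaled by 1e18.

```solidity
// SPDX-License-Identifier: MIT
// Pinned version rather than a floating `^0.8.x` range (cf. F-2024-3996).
pragma solidity 0.8.24;

// Assumes OpenZeppelin Contracts v5 is available under this import path.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical distributor modelled on the audited design; names are illustrative only.
/// Ownable2Step means a mistyped new owner cannot take control until it calls acceptOwnership(),
/// which addresses the ownership-loss risk in F-2024-3995.
contract ExampleMigrationDistributor is Ownable2Step {
    using SafeERC20 for IERC20;

    struct Deposit {
        address recipient;
        uint256 amount;     // amount locked on mainnet, in mainnet token units
        uint64 recordedAt;  // block.timestamp when the recorder registered it on Base
        bool processed;
    }

    IERC20 public immutable baseToken;
    uint256 public immutable conversionRate; // Base tokens per mainnet token, scaled by 1e18 (assumed encoding)
    uint256 public transferDelay;            // seconds that must pass between recording and distribution
    address public migrationRecorder;
    address public migrationProcessor;

    Deposit[] public deposits;

    event DepositRecorded(uint256 indexed id, address indexed recipient, uint256 amount);
    event DepositProcessed(uint256 indexed id, address indexed recipient, uint256 baseAmount);
    event TransferDelaySet(uint256 delay);

    error NotRecorder();
    error NotProcessor();
    error DelayNotElapsed(uint256 id);
    error AlreadyProcessed(uint256 id);
    error ZeroAddress();

    constructor(IERC20 token, uint256 rate, uint256 delay) Ownable(msg.sender) {
        if (address(token) == address(0)) revert ZeroAddress();
        baseToken = token;
        conversionRate = rate;
        transferDelay = delay;
    }

    modifier onlyRecorder() {
        if (msg.sender != migrationRecorder) revert NotRecorder();
        _;
    }

    modifier onlyProcessor() {
        if (msg.sender != migrationProcessor) revert NotProcessor();
        _;
    }

    // Owner-only configuration, matching the privileged roles listed in the report.
    // Ownership itself moves only via transferOwnership() followed by acceptOwnership().
    function setTransferDelay(uint256 delay) external onlyOwner {
        transferDelay = delay;
        emit TransferDelaySet(delay);
    }

    function setMigrationRecorder(address recorder) external onlyOwner {
        if (recorder == address(0)) revert ZeroAddress();
        migrationRecorder = recorder;
    }

    function setMigrationProcessor(address processor) external onlyOwner {
        if (processor == address(0)) revert ZeroAddress();
        migrationProcessor = processor;
    }

    // Recorder role: register a mainnet deposit (recipient + amount) on Base.
    function recordDeposit(address recipient, uint256 amount) external onlyRecorder returns (uint256 id) {
        if (recipient == address(0)) revert ZeroAddress();
        id = deposits.length;
        deposits.push(Deposit({recipient: recipient, amount: amount, recordedAt: uint64(block.timestamp), processed: false}));
        emit DepositRecorded(id, recipient, amount);
    }

    // Processor role: pay out once the delay has elapsed, at the conversion rate.
    function processDeposit(uint256 id) external onlyProcessor {
        Deposit storage d = deposits[id];
        if (d.processed) revert AlreadyProcessed(id); // plain boolean test, no `== true` (cf. F-2024-4002)
        if (block.timestamp < d.recordedAt + transferDelay) revert DelayNotElapsed(id);
        d.processed = true; // effects before the external token transfer
        uint256 baseAmount = (d.amount * conversionRate) / 1e18;
        baseToken.safeTransfer(d.recipient, baseAmount);
        emit DepositProcessed(id, d.recipient, baseAmount);
    }
}
```

The design point to check when reviewing a contract of this shape is the one behind the Risks section: the owner can still change `transferDelay`, the recorder and the processor at any time, so a compromised or careless owner key changes who may record deposits and how quickly they are paid out. Two-step ownership limits the damage of a mistyped transfer, but it does not reduce what the owner role itself can do; that remains a centralization risk to be documented to users.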
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details |
---|---
Repository | https://github.com/friends-with-benefits/migration-contracts
Commit | 4feb7a9830f57a63a3afa9a8c6b9ab145c812f45
Whitepaper | https://docs.google.com/document/d/1wayWYGoiTAY1nBJl_Mde918Rh9dAR2lWGNB0YqBepNY/
Contracts in Scope
src/MigrationDistributor.sol
src/MigrationManager.sol
src/IFWBToken.sol