Q1 2025 Web3 Security ReportAccess control failures led to $1.63 billion in losses
Discover report insights
  • Hacken
  • Audits
  • gamic
  • [SCA] Gamic / Gamic-Airdrop / Dec2024
Gamic logo

Gamic

Audit name:

[SCA] Gamic / Gamic-Airdrop / Dec2024

Date:

Jan 2, 2025

Table of Content

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 1. Definitions
Appendix 2. Scope
Appendix 3. Additional Valuables
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Gamic team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Gamic is a decentralized messaging platform for people and communities looking to engage with Web3 products and services.

Document

NameSmart Contract Code Review and Security Analysis Report for Gamic
Audited BySeher Saylik
Approved ByAtaberk Yavuzer
Websitehttps://gamic.app/
Changelog26/12/2024 - Preliminary Report
Changelog02/01/2025 - Final Report
PlatformBase
LanguageSolidity
TagsAirdrop, ERC20, Staking
Methodologyhttps://hackenio.cc/sc_methodology

  • Document

    Name
    Smart Contract Code Review and Security Analysis Report for Gamic
    Audited By
    Seher Saylik
    Approved By
    Ataberk Yavuzer
    Website
    https://gamic.app/
    Changelog
    26/12/2024 - Preliminary Report
    Changelog
    02/01/2025 - Final Report
    Platform
    Base
    Language
    Solidity
    Tags
    Airdrop, ERC20, Staking
    Methodology
    https://hackenio.cc/sc_methodology

Review Scope

Repositoryhttps://github.com/Artist3-NFT/gamic-airdrop
Commitd4020cb

Audit Summary

11Total Findings
8Resolved
3Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional requirements are partially missed.

  • Technical description is provided.

Code quality

  • The code contains some Gas-inefficient usages that might lead to DoS.

  • The development environment is configured.

Test coverage

Code coverage of the project is 54.98% (branch coverage),

  • Some negative cases coverage is missed.

  • Deployment and basic user interactions are covered with tests.

  • Interactions by several users are tested.

System Overview

Gamic is a decentralized token system with points-based airdrop and staking functionality with the following contracts:

AirdropVault  — manages token distribution and staking for the Gamic ecosystem by allowing users to stake tokens and claim rewards based on their points allocation in defined airdrops. It provides functionality to create and deactivate airdrops, initialize user allocations, handle token staking, reward claims, and stake withdrawals,

GamicPoints  — is a gas-efficient system for distributing and managing points in the Gamic ecosystem using Merkle proofs

GamicToken  — ERC20 token that integrates mechanisms for pausing operations, managing minter roles, and supporting cross-chain minting and burning.

  • Name: Gamic

  • Symbol: GNG

  • Decimals: 18

  • Total supply: 10000000_000 tokens.

Privileged roles

  • The owner of the AirdropVault can pause/unpause the contract, create an airdrop, deactivate an airdrop,

  • The owner of the GamicPoints contract can claim ecosystem rewards, update Merkle root, and pause/unpause the contract.

  • The owner of the GamicToken contract can queue the minter grant, execute the minter grant,  revoke the existing minter, pause operations, renounce or transfer ownership, and recover any ERC20 tokens.

Potential Risks

The owner has the ability to update the Merkle root to any arbitrary value, which could allow the owner to include unauthorized or unintended entries in Merkle tree-based validation processes.

The SUPERCHAIN_TOKEN_BRIDGE address can burn tokens from any user's account, creating a risk of misuse or unauthorized token destruction.

The AirdropVault contract does not include a mechanism to delete expired or inactive stakes from the userStakes mapping after withdrawal, causing the array to grow indefinitely with both active and inactive data. This may result in excessive storage usage, increased gas costs, and degraded performance for functions interacting with the mapping.

Findings

Code
Title
Status
Severity
F-2024-7928Disproportional Reward Allocation in Incremental Staking
fixed

High
F-2024-7932Potential Exploit Due to Premature and Unauthorized Initialization of Allocation Points
fixed

High
F-2024-7931Misleading Documentation Regarding Flexible Staking Durations
fixed

Medium
F-2024-7933Lack of Enforcement for Total Points Consistency in Merkle Root Distribution
fixed

Medium
F-2024-7927 Insufficient Allocation Tracking Across Multiple Airdrops
fixed

Medium
F-2024-7923Locked Funds Due to Premature Airdrop Deactivation
fixed

Medium
F-2024-7876Incorrect Pause Logic Leads to Overlapping Flag Behavior
fixed

Medium
F-2024-7926Lack of Emergency Withdrawal Mechanism in withdrawStake()
fixed

Low
F-2024-7934Redundant Storage Usage in View Functions
accepted

Observation
F-2024-7930Redundant Overflow Checks in stake and withdrawStake Functions
accepted

Observation
1-10 of 11 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Repositoryhttps://github.com/Artist3-NFT/gamic-airdrop
Commitd4020cba93a8fd348f998f93e1239232a95c893e, Retest: 1bdfc6df415ec1bcc08ebc15d19f38b6105008ab
WhitepaperN/A
RequirementsREADME
Technical RequirementsREADME

Assets in Scope

src
AirdropVault.sol - src/AirdropVault.sol
GamicPoints.sol - src/GamicPoints.sol
GamicToken.sol - src/GamicToken.sol

Appendix 3. Additional Valuables

Verification of System Invariants

During the audit of Gamic / Gamic-Airdrop, Hacken followed its methodology by performing fuzz-testing on the project's main functions. Foundry , a tool used for fuzz-testing, was employed to check how the protocol behaves under various inputs. Due to the complex and dynamic interactions within the protocol, unexpected edge cases might arise. Therefore, it was important to use fuzz-testing to ensure that several system invariants hold true in all situations.

Fuzz-testing allows the input of many random data points into the system, helping to identify issues that regular testing might miss. A specific Echidna fuzzing suite was prepared for this task, and throughout the assessment, 6 invariants were tested over 10,000 runs. This thorough testing ensured that the system works correctly even with unexpected or unusual inputs.

Invariant

Test Result

Run Count

AirdropVault::stake Stakes to invalid airdrops should revert.Passed10k
AirdropVault::stake A consistent reward should be calculated for multiple stakes.Passed10k
AirdropVault::claimRewards Claiming rewards should be okay when partial stakes are placed.Passed10k
AirdropVault::claimRewards The reward calculated should be changed correctly based on the stake amount.Passed10k
GamicPoints:claim Invalid Merkle proof attempts should fail.Passed10k
GamicToken::pauseOperations Must not accept invalid flagsPassed10k

  • Invariant

    AirdropVault::stake Stakes to invalid airdrops should revert.

    Test Result

    Passed

    Run Count

    10k

    Invariant

    AirdropVault::stake A consistent reward should be calculated for multiple stakes.

    Test Result

    Passed

    Run Count

    10k

    Invariant

    AirdropVault::claimRewards Claiming rewards should be okay when partial stakes are placed.

    Test Result

    Passed

    Run Count

    10k

    Invariant

    AirdropVault::claimRewards The reward calculated should be changed correctly based on the stake amount.

    Test Result

    Passed

    Run Count

    10k

    Invariant

    GamicPoints:claim Invalid Merkle proof attempts should fail.

    Test Result

    Passed

    Run Count

    10k

    Invariant

    GamicToken::pauseOperations Must not accept invalid flags

    Test Result

    Passed

    Run Count

    10k

Additional Recommendations

The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.

To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:

  • Detecting changes to ownership or critical permissions.

  • Monitoring large or unexpected transactions and minting events.

  • Pausing operations when irregularities are identified.

These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.

Disclaimer