Hesty

We express our gratitude to the Hesty team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Hesty is a transparent and secure marketplace for real estate projects that aims to democratize real estate investment.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are provided.

• Technical description is provided.

Code quality

• The development environment is configured.

Test coverage

Code coverage of the project is 62.82% (branch coverage).

Hesty is a decentralized platform providing a transparent marketplace for real estate investment. Using a series of smart contracts on the BASE blockchain, Hesty facilitates property fundraising, token issuance, referral rewards, and dividend distributions. The system consists of multiple specialized contracts, each with distinct roles, to manage and secure the investment process.

Hesty Router:

• Purpose: Manages the interface between on-chain and off-chain transactions. Since Hesty operates under regulatory constraints, fiat-to-crypto transactions must be handled through a custodian. The router ensures funds from the custodian are received securely, while Hesty admins manually synchronize on-chain token allocations for off-chain fiat investments.

• Core Functions:

• • adminDistribution: Distributes rewards paid in fiat (converted to EURC) to property token holders.

  • offChainBuyTokens: Allows Hesty admins to assign property tokens for off-chain fiat purchases, ensuring parity between on-chain and off-chain investments.

Token Factory:

• Purpose: Manages the creation and distribution of property tokens that represent shares in real estate projects. Token Factory is also responsible for tracking fund amounts, handling fees, and supporting the claim-back process if a fundraise fails.

• Core Functions:

• • createProperty: Allows property owners to issue a new property token with a fixed supply, representing shares in the property.

  • buyTokens: Enables users to buy property tokens using EURC. Investment fees and referral fees are calculated here.

  • completeRaise: Finalizes the property raise if the target is met, distributing funds to the property owner and the platform treasury.

  • recoverFundsInvested: Allows users to reclaim investments if the fundraising threshold is not met by the deadline.

Property Token:

• Purpose: The token contract that represents ownership shares in a property. These tokens are non-mintable and track dividends and revenue distributions for investors.

• Core Functions:

• • claimDividends: Distributes accrued dividends to token holders based on their balance.

  • transfer and transferFrom Overrides: These functions are customized to enforce KYC and blacklist compliance and to distribute accrued dividends to holders upon transfer.

Referral System:

• Purpose: Tracks referral rewards, the number of referrals, and total referral earnings. The Referral System contract is designed to incentivize user referrals and manage referral-based reward distribution.

• Core Functions:

• • addRewards: Allocates referral rewards to referrers based on user investments.

  • claimPropertyRewards: Allows referrers to claim earned rewards specific to each property.

  • claimGlobalRewards: Lets referrers claim rewards that are not tied to a specific property.

Hesty Access Control:

• Purpose: Manages user roles and permissions across the Hesty platform, enforcing KYC and blacklist compliance for users.

• Roles Managed:

• • Admin: Has comprehensive control over key contract functions, including completing and canceling property raises.

  • Funds Manager: Oversees fund transfers, particularly in the Hesty Router.

  • Blacklist Manager: Can add or remove users from a blacklist, preventing them from engaging in transactions.

  • KYC Manager: Approves KYC for users, allowing them to participate in investments.

  • Pauser: Has permission to pause all Hesty contracts in case of emergency.

Constants:

• Purpose: A contract containing fixed values and role definitions shared across all Hesty contracts. Constants improve maintainability by centralizing configuration values, such as BASIS_POINTS, MULTIPLIER, and role definitions (e.g., BLACKLIST_MANAGER, FUNDS_MANAGER).

Privileged roles

Admin:

• Description: The Admin role has the highest level of authority in the Hesty system, allowing comprehensive control over critical functions, such as finalizing raises, cancelling projects, and updating configuration parameters.

• Permissions:

• • Execute completeRaise to finalize a fundraise and distribute funds if the target is met.

  • Execute cancelRaise to halt a fundraise and initiate the refund process if the raise is unsuccessful.

  • Set or modify key parameters, such as platform fees and referral fees.

  • Add or remove other privileged roles in the Hesty Access Control contract.

Funds Manager:

• Description: The Funds Manager oversees fund transfers and distribution functions, particularly for off-chain and custodial transactions handled by the Hesty Router.

• Permissions:

• • Call adminDistribution to distribute rewards for off-chain investments that have been converted into EURC.

  • Call adminBuyTokens in the Token Factory to issue tokens for users who invested with fiat currency, ensuring on-chain and off-chain investment parity.

Blacklist Manager:

• Description: The Blacklist Manager role enforces compliance by restricting access for users identified as blacklisted, preventing them from participating in transactions on the Hesty platform.

• Permissions:

• • Add addresses to the blacklist, effectively blocking them from future investments or token transactions.

  • Remove addresses from the blacklist when appropriate, allowing them to reengage with the platform.

KYC Manager:

• Description: The KYC (Know Your Customer) Manager role is responsible for ensuring that users meet KYC requirements before they can invest or interact with Hesty’s financial operations. This role is essential for regulatory compliance.

• Permissions:

• • Approve a user’s KYC status with approveUserKYC, granting them permission to participate in investments.

  • Revoke KYC approval if the user no longer meets compliance requirements or upon identifying suspicious activity.

  • Execute approveKYCOnly to confirm a user’s KYC status without triggering any associated actions (e.g., token transfers).

Pauser:

• Description: The Pauser role has the authority to halt and resume contract functionality, primarily as a security measure in response to potential vulnerabilities, attacks, or other emergencies.

• Permissions:

• • Call pause on the Hesty Access Control contract to temporarily disable all operations within the Hesty ecosystem.

  • Call unpause to resume standard operations once the security concern is resolved.

Property Owner:

• Description: Although not a general platform privilege, the Property Owner role has special permissions in the Token Factory contract, primarily associated with issuing property tokens and managing property-specific parameters.

• Permissions:

• • Call createProperty to initiate a new property raise and issue property tokens.

  • Set specific parameters for their property’s token issuance and token pricing.

The scope of the project includes the following smart contracts from the provided repository: