Jellyverse

We express our gratitude to the Jellyverse team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Jellyverse represents an expansive ecosystem within the decentralized finance (DeFi) landscape, managed by its community via a decentralized autonomous organization (DAO). It is dedicated to advancing the latest version of DeFi, often referred to as DeFi 3.0, with a vision to establish a sustainable, yield-focused framework that merges protocols with tangible real-world assets. The platform offers multiple utilities crafted to address diverse financial requirements, all regulated by its native cryptocurrency, JLY.

The governance model of Jellyverse, called Governor, is designed to enable users to steer protocols within its ecosystem effectively. Additionally, it allows new initiatives the opportunity to become part of Jellyverse. The system facilitates a fair allocation of protocol earnings to stakers, positioning it as an attractive option for projects seeking to prosper.

The system users should acknowledge all the risks summed up in the risks section of the report.

Jellyverse is a DeFi platform, managed by the governance, with multiple utilities, such as staking, vesting, native tokens to jelly tokens swapping, with its own JLY ERC20 token implementation, working as governance and utility token.

Chest - staking contract representing user voting power by means of chest. Voting power decreases over time and upon unstaking. DailySnapshot - a contract to store and retrieve daily snapshots blocknumbers per epoch. Governor - it is a decentralised voting for proposals solution. It is assigned to signle Chest instance, to determine stakers voting power. It is modular, can be extended by JellyGovernor and other submodules: GovernorCountingSimple, GovernorSettings, GovernorTimelockControl. GovernorVotes - calculates user's votes based on chests staked. InvestorDistribution - a contract that stakes chests for predefined investors. JellyGovernor - extension of Governor, which specifies voting function and quorum. JellyTimelock - an instance of TimelockController. Connected with governance to execute proposals timely. JellyToken - an ERC20 token representing the main token of Jelly ecosystem. JellyTokenDeployer - a factory contract that allows to deploy JellyToken instace via Create2.  LiquidityRewardDistribution - a contract for distributing liquifity mining rewards. Minter - a contract that mints Jelly tokens timely for beneficiaries.  OfficialPoolsRegister - a registry contract to store and retrieve official DEX pools. PoolParty - a contract for swapping native tokens for jelly tokens. The received payment in USD stable coin is later used to provide liquidity for DEX pool. RewardVesting - a contract designed for claiming vested liquidity. It is used by the LiquidityRewardDistribution.  StakingRewardDistribution - a contract for distributing staking rewards. TeamDistribution - a contract that stakes chests for predefined team members.

Privileged roles

• MINTER_ROLE - in JellyToken contract, this actor could perform initial preminting of tokens to specified addresses, as well as is able to mint JLY tokens through the mint() function

• Owner of Chest contract is able to set arbitrary fee value, which could have negative consequences for users using the platform. However, this address will be manager by governance, so risk of it is much lowered.

• Owner of LiquidityRewardDistribution, as well as StakingRewardDistribution, could change vesting contract address which could be dangerous if replaced with malicious one.

• Owner of PoolParty can set up _ustToJellyRatio arbitrary, which may lead to a situation where this ratio is set very high value, what could be problematic for users using the buyWithUsd() function

The total Documentation Quality score is 10 out of 10.

• Whitepaper is present.

• Functional requirements are covered.

• Technical description are provided for most critical parts..

The total Code Quality score is 9 out of 10.

• Several template code patterns were found.

• Code lacks explanations for more advanced operations and math calculations

Code coverage of the project is 76.5% (branch coverage), with a mutation score of 95.52%.

• Deployment and basic user interactions are covered with tests.

• Edge case scenarios and negative cases coverage are missed somethimes

Upon auditing, the code was found to contain 2 critical, 0 high, 4 medium, and 4 low severity issues.

All identified issues are detailed in the “Findings” section of this report.

After performing the remediation check, it was found that all findings have been resolved or their risk has been accepted, what reflects into 0 pending issues. Therefore, the security score is 10 out of 10..

The comprehensive audit of the customer's smart contract yields an overall score of 9.6. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

The scope of the project includes the following smart contracts from the provided repository: