[SCA] Muon | ERC20 + ERC721 | Jul2023

Muon

Audit name:

[SCA] Muon | ERC20 + ERC721 | Jul2023

Date:

Aug 8, 2023

Table of Content

→Introduction

→Audit Summary

→Document Information

→System Overview

→Executive Summary

→Risks

→Findings

→Appendix 1. Severity Definitions

→Appendix 2. Scope

→Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the Muon team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Muon is a stateless decentralized oracle network (DON) that enables dApps to make their off-chain components decentralized. By incorporating Muon, the manner in which decentralized applications store, process, and access data will be fundamentally transformed, redefining the landscape of decentralized systems.

title	content
Platform	EVM
Language	Solidity
Tags	ERC20; ERC721
Timeline	10/07/2023 - 09/08/2023
Methodology	https://hackenio.cc/sc_methodology→

Review Scope
Repository	https://github.com/muon-protocol/muon-tokenomics-contracts→
Commit	78d591d

Review Scope
Repository
https://github.com/muon-protocol/muon-tokenomics-contracts→
Commit
78d591d

Audit Summary

Total9.2/10

Security Score

10/10

Test Coverage

92.86%

Code Quality Score

9/10

Documentation Quality Score

7/10

13Total Findings

7Resolved

0Accepted

3Mitigated

4medium

1low

8observation

!3 Unfixed

The system users should acknowledge all the risks summed up in the risks section of the report

Document Information

This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

Document
Name	Smart Contract Code Review and Security Analysis Report for Muon
Audited By	Hacken
Website	https://www.muon.net→
Changelog	17/07/2023 - Initial Review
	09/08/2023 - Second Review

Document
Name
Smart Contract Code Review and Security Analysis Report for Muon
Audited By
Hacken
Website
https://www.muon.net→
Changelog
17/07/2023 - Initial Review
09/08/2023 - Second Review

System Overview

Token – an upgradable, pausable, and burnable ERC20 token smart contract, with specific roles for pausing the contract and minting new tokens.
BondedToken – a custom implementation of an ERC721 (non-fungible token) smart contract that provides functionalities for minting, burning, and transferring tokens. Additionally, it has unique features such as token whitelisting, locking of assets in tokens, as well as splitting and merging tokens while maintaining locked assets.
PION – an ERC20 token based on Token. It has the following attributes:
- Name: PioneerNetwork
- Symbol: PION
- Decimals: 18
- Total supply: unlimited
BondedPION – an ERC721 token based on BondedToken. IToken – an interface for ERC20 tokens.

Privileged roles

Token.sol:
- Admin:
- - Manage other roles throughout users.
- Pauser:
- - Pause and unpause smart contract.
- Minter:
- - Mint unlimited amount of tokens.
BondedToken.sol:
- Owner:
- - Pause and unpause smart contract. Set tokens whitelist, enable/disable public transfers, set treasury address.
- Admin:
- - Manage other roles throughout users.
- Transferable address:
- - Users with only this role can receive and send tokens.

Executive Summary

Documentation quality

The total Documentation quality score is 7 out of 10.

Functional requirements have some gaps:
- No roles description.
- Project overview is detailed.
- All interactions are described.
Technical description is inadequate:
- Run instructions are provided.
- NatSpec is sufficient.

Code quality

The total Code quality score is 9 out of 10.

Best practice violations.

Test coverage

Code coverage of the project is 92.86%.

Tests are provided.
Negative cases coverage is present.
Interactions by several users are tested.

Security score

Upon auditing, the code was found to contain 0 critical, 0 high, 4 medium, and 1 low severity issues. Out of these, 2 issues have been addressed and resolved, leading to a Security score of 10 out of 10.

All identified issues are detailed in the “Findings” section of this report.

Summary

The comprehensive audit of the customer's smart contract yields an overall score of 9.2. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

Scoring Methodology

Risks

No potential security risks were found during the audit research.

Findings

Code ―	Title	Status	Severity
F-2023-0245	CEI Pattern Violation	mitigated	Medium
F-2023-0244	Missing Storage Gaps	mitigated	Medium
F-2023-0243	Coarse-Grained Authorization Model; Inefficient Gas Modeling	mitigated	Medium
F-2023-0242	Denial of Service; Inefficient Gas Modeling	fixed	Medium
F-2023-0246	Missing Events	fixed	Low
I-2023-0067	Missing Event Indexes	unfixed	Observation
I-2023-0066	Unnecessary Value Assignment	fixed	Observation
I-2023-0065	Inefficient Gas Modeling	fixed	Observation
I-2023-0064	Solidity Style Guide Violation: mixedCase in State Variables Names	fixed	Observation
I-2023-0063	Boolean Equality	fixed	Observation

1-10 of 13 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Severity Definitions

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

hknio/severity-formula →

Severity	Description
Critical	Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
High	High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Medium	Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Low	Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Severity
Critical
Description
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
High
Description
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
Medium
Description
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
Low
Description
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details
Repository	https://github.com/muon-protocol/muon-tokenomics-contracts→
Commit	78d591d
Whitepaper	Provided→
Requirements	Provided→
Technical Requirements	Provided→

Scope Details
Repository
https://github.com/muon-protocol/muon-tokenomics-contracts→
Commit
78d591d
Whitepaper
Provided→
Requirements
Provided→
Technical Requirements
Provided→

Contracts in Scope

contracts

BondedPION.sol - contracts › BondedPION.sol

BondedToken.sol - contracts › BondedToken.sol

PION.sol - contracts › PION.sol

Token.sol - contracts › Token.sol

interfaces

IToken.sol - contracts › interfaces › IToken.sol

Disclaimer

Hacken Disclaimer

Technical Disclaimer

Hacken Extractor