- Hacken
- Audits
- paid-network
- [SCA] Paid Network | Token & Ignition Staking | Aug2024
Introduction
We express our gratitude to the PAID Network team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
PAID Network is a decentralized crowdfunding platform allowing users to stake tokens while paying a fee to earn off-chain rewards.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for PAID Network |
| Audited By | Aniruddha Dhumal & Adam Idarrha |
| Approved By | Yves Toiser |
| Website | https://www.paidnetwork.com→ |
| Changelog | 22/08/2024 - Preliminary Report & 29/08/24 - Final Report |
| Platform | Base (EVM) |
| Language | Solidity |
| Tags | ERC20, Staking |
| Methodology | https://hackenio.cc/sc_methodology→ |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for PAID Network
- Audited By
- Aniruddha Dhumal & Adam Idarrha
- Approved By
- Yves Toiser
- Website
- https://www.paidnetwork.com→
- Changelog
- 22/08/2024 - Preliminary Report & 29/08/24 - Final Report
- Platform
- Base (EVM)
- Language
- Solidity
- Tags
- ERC20, Staking
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope | |
|---|---|
| Repository | https://github.com/PAIDNetwork/ignition-sc-staking & https://github.com/PAIDNetwork/paid-token-base→ |
| Commit | 8fb39f3 & efc1c92 |
Review Scope
- Commit
- 8fb39f3 & efc1c92
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are partially missed.
Technical description is not provided.
Code quality
The development environment is configured.
Test coverage
Code coverage of the project is 100% (branch coverage).
Deployment, basic user interactions, and fuzz testing are all covered to ensure comprehensive validation of the system.
System Overview
Ignition Staking 2.0 is a staking platform where users receive sPAID tokens on a 1:1 basis for each PAID token staked. To retrieve their PAID tokens, users burn the corresponding sPAID tokens, with a tax applied to both deposits and withdrawals. Rewards are managed off-chain. The platform's contracts are:
PaidToken — simple ERC-20 token that mints all initial supply to the owner. Additional minting is allowed.
It has the following attributes:
Name: PaidNetwork
Symbol: PAID
Decimals: 18
Total supply: 594 717 456 tokens.
SPAID — a contract that mints users sPAID tokens for staking their PaidToken. The rewards are handled off-chain by providing top holders/stakers rewards, airdrops and voting power.
Privileged roles
The owner of the SPAID contract has significant control, including the ability to set taxes on deposit and withdrawals, designate the treasury address that receives these taxed funds, withdraw the entire staked balance at any time. This level of control allows the owner to make critical changes to the protocol at their discretion.
The owner of the PaidToken contract can pause and unpause transfers and also mint an arbitrary amounts of PAID token.
Risks
Centralization Risk: The owner of the SPAID contract holds the authority to withdraw all staked PAID tokens and mint any amount of sPAID tokens. Additionally, the owner owns majority of PAID tokens. This centralization of control poses significant risks, including potential fund mismanagement or theft, particularly if the security of key storage is compromised.
Off-chain Rewards Risk: The rewards for the tokens, including airdrops and voting power, are managed off-chain. This reliance on off-chain handling introduces risks related to transparency and trust, as it depends on off-chain third party.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-5475 | Style guide violation | fixed | Observation | |
| F-2024-5473 | Public Functions That Should Be External | fixed | Observation | |
| F-2024-5472 | Use Ownable2Step rather than Ownable | fixed | Observation | |
| F-2024-5471 | Floating pragma | fixed | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/PAIDNetwork/paid-token-base & https://github.com/PAIDNetwork/ignition-sc-staking→ |
| Commit | efc1c92f58c18788b8e4f932d25d015661d9edec & 8fb39f301dcb35b60e5e4e4429d53ce3bc801b64 |
| Whitepaper | https://paidnetwork.gitbook.io/paid-network→ |
| Requirements | |
| Technical Requirements |
Scope Details
- Commit
- efc1c92f58c18788b8e4f932d25d015661d9edec & 8fb39f301dcb35b60e5e4e4429d53ce3bc801b64
- Requirements
- Technical Requirements