Introduction
We express our gratitude to the re.al team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Real DAI is a token built on the Real Network that aims to provide users with a rebase mechanism for their Dai holdings.
| title | content |
|---|---|
| Platform | EVM |
| Language | Solidity |
| Tags | Escrow |
| Timeline | 15/04/2024 - 02/05/2024 |
| Methodology | https://hackenio.cc/sc_methodology→ |
Review Scope | |
|---|---|
| Repository | https://github.com/re-al-Foundation/real-dai→ |
| Commit | e28a8b76f8bee5579528038a153a2163cbd905cf |
Review Scope
- Commit
- e28a8b76f8bee5579528038a153a2163cbd905cf
Audit Summary
10/10
92.31%
10/10
10/10
The system users should acknowledge all the risks summed up in the risks section of the report
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for re.al |
| Audited By | , Roman Tiutiun |
| Approved By | Grzegorz Trawinski |
| Website | https://hacken.io→ |
| Changelog | 18/04/2024 - Preliminary Report; 02/05/2024 - Final Report |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for re.al
- Audited By
- , Roman Tiutiun
- Approved By
- Grzegorz Trawinski
- Website
- https://hacken.io→
- Changelog
- 18/04/2024 - Preliminary Report; 02/05/2024 - Final Report
System Overview
Real DAI is a token built on the Real Network that aims to provide users with a rebase mechanism for their Dai holdings with the following contracts:
L1DaiEscrow — implements a smart contract facilitating bridging functionality for DAI and harvested DSR rewards. It enables the seamless transfer of DAI and the harvested DSR rewards across the L2 layer.
L2Dai — the smart contract incorporating the functionality of a rebasing token. It handles the minting of tokens and updates the rebase index based on messages received from Layer 1, ensuring synchronisation and accurate representation of the token's value across layers.
Privileged roles
The owner of the L2Dai contract can set up a manager.
The manager of the L2Dai contract can disable the rebase of the token.
The ESCROWMANAGERROLE of the L1DaiEscrow can set target amount of DAI locked in this smart contract.
The DEFAULTADMINROLE of the L1DaiEscrow can upgrade the implementation.
Executive Summary
Documentation quality
The total Documentation Quality score is 10 out of 10.
Functional requirements are provided.
Technical description is provided.
Code quality
The total Code Quality score is 10 out of 10.
The code has commented code part and Note comments.
The code has redundant event and constants.
Test coverage
Code coverage of the project is 92.31% (branch coverage).
Deployment and basic user interactions are covered with tests.
Security score
Upon auditing, the code was found to contain 0 critical, 0 high, 1 medium, and 0 low severity issues. Upon the remediation all the issues were fixed leading to a security score of 10 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 9.7. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Risks
Flexibility and Risk in Contract Upgrades: The project's contracts are upgradable, allowing the administrator to update the contract logic at any time. While this provides flexibility in addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security.
Absence of Upgrade Window Constraints: The contract suite allows for immediate upgrades without a mandatory review or waiting period, increasing the risk of rapid deployment of malicious or flawed code, potentially compromising the system's integrity and user assets.
Dependency on External Logic for Implemented Logic: The implemented L1DaiEscrow, L2Dai logic highly depends on external contracts not covered by the audit. This reliance introduces risks if these external contracts are compromised or contain vulnerabilities, affecting the audited project's integrity.
System Reliance on External Contracts: The functioning of the system significantly relies on specific external contracts. Any flaws or vulnerabilities in these contracts adversely affect the audited project, potentially leading to security breaches or loss of funds.
Dependency on Unaudited External Libraries: The project utilizes libraries or contracts without security audits, potentially introducing vulnerabilities. This compromises the security of the audited system, making it susceptible to attacks exploiting these external weaknesses.
Absence of Time-lock Mechanisms for Critical Operations: Without time-locks on critical operations, there is no buffer to review or revert potentially harmful actions, increasing the risk of rapid exploitation and irreversible changes.
Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.
Administrative Key Control Risks: The digital contract architecture relies on administrative keys for critical operations. Centralized control over these keys presents a significant security risk, as compromise or misuse can lead to unauthorized actions or loss of funds.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-1944 | Improper Relay of L2-to-L1 Operations | fixed | Medium | |
| F-2024-1385 | Redundant Constants, Event and Library Import Declaration | fixed | Observation | |
| F-2024-1355 | Missing Zero Address Violation | fixed | Observation | |
| F-2024-2180 | Commented Code Parts And NOTE Comments | fixed | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/re-al-Foundation/real-dai→ |
| Commit | e28a8b76f8bee5579528038a153a2163cbd905cf |
| Whitepaper | n/a |
| Requirements | https://docs.re.al/rwa-token/contracts→ |
| Technical Requirements | https://docs.re.al/rwa-token/contracts→ |
Scope Details
- Commit
- e28a8b76f8bee5579528038a153a2163cbd905cf
- Whitepaper
- n/a
- Requirements
- https://docs.re.al/rwa-token/contracts→
- Technical Requirements
- https://docs.re.al/rwa-token/contracts→