
Societe Generale Forge (SG Forge)

Audit name:

[SCA] SG Forge / SmartCoin / May2024

Date:

Jun 12, 2025

Table of Contents

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Societe Generale Forge (SG Forge) team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Platform: EVM
Language: Solidity
Tags: ERC20
Methodology: https://hackenio.cc/sc_methodology

    Changelog: 06/06/2024 (2nd Review); 12/06/2025 (3rd Review)

    Review Scope

    Repository: Shared privately
    Commit: 1c3697243fa64e2d3b01ef516be53063bc1a7d10

    Audit Summary

    Total Findings: 6
    Resolved: 3
    Accepted: 2
    Mitigated: 1

    System users should acknowledge all the risks summarized in the Risks section of this report.

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    Name: Smart Contract Code Review and Security Analysis Report for Societe Generale Forge (SG Forge)
    Audited By: Carlo Parisi
    Approved By: Przemyslaw Swiatowiec
    Website: https://www.sgforge.com/product/coinvertible/
    Changelog:
    24/05/2024 - Preliminary Report
    06/06/2024 - 2nd Review Report
    12/06/2025 - 3rd Review Report (Done By Oleksii Haponiuk)

    System Overview

    SMART_COIN is an ERC20 token made up of the following contracts:

    • SmartCoin - ERC20 extended with:

      • UUPS upgrade mechanism

      • Operator roles: registrar, operations, technical. These roles are introduced to manage the upgrade to new implementations and to control transfers of tokens among these roles.

    • EncodingUtils - a library that computes the hash of transfer requests.

    • AccessControlUpgradeable - an abstract contract that handles access control for the SmartCoin contract.

    Privileged roles

    • Registrar operator:

      • Manages Whitelist of authorized users.

      • Validates/Rejects transfers to registrar and operations operators.

      • Names the operators for the new implementation.

      • Authorizes the upgrade to the next implementation.

      • Cannot be used as spender or destination of transferFrom().

      • Can retrieve tokens from any address to itself.

      • Can mint and burn SmartCoin tokens.

    • Operations operator:

      • Cannot be used as spender or destination of transferFrom().

      • Transfers to operations must be validated by the registrar.

    • Technical operator:

      • Launches a previously authorized (by registrar) implementation upgrade.
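    The following sketch is an added illustration of the role separation described above and is not SmartCoin's code: the registrar names the next implementation, only the technical operator may launch the upgrade, and neither the registrar nor the operations operator may act as spender or destination of transferFrom(). The contract name, state variable names and the single-use authorization are assumptions; it builds on OpenZeppelin's upgradeable ERC20 and UUPS base contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

// Illustrative sketch only (not the audited SmartCoin contract): the role names and the
// two-step upgrade flow follow the report's description of the privileged operators.
contract RoleGatedTokenSketch is ERC20Upgradeable, UUPSUpgradeable {
    address public registrar;
    address public operations;
    address public technical;
    // Implementation the registrar has authorized; zero until one is named (assumed design).
    address public authorizedImplementation;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // The logic contract must not be initializable on its own; all state lives in the proxy.
        _disableInitializers();
    }

    function initialize(address registrar_, address operations_, address technical_) external initializer {
        __ERC20_init("SmartCoin sketch", "SCS");
        __UUPSUpgradeable_init();
        registrar = registrar_;
        operations = operations_;
        technical = technical_;
    }

    // Step 1: the registrar names the operators' next implementation.
    function authorizeImplementation(address impl) external {
        require(msg.sender == registrar, "only registrar");
        authorizedImplementation = impl;
    }

    // Step 2: only the technical operator launches the upgrade, and only to the authorized address.
    function _authorizeUpgrade(address impl) internal override {
        require(msg.sender == technical, "only technical");
        require(impl == authorizedImplementation, "implementation not authorized");
        authorizedImplementation = address(0); // single-use authorization (assumed)
    }

    // Registrar and operations operators may be neither spender nor destination of transferFrom().
    function transferFrom(address from, address to, uint256 amount) public override returns (bool) {
        require(msg.sender != registrar && msg.sender != operations, "operator cannot be spender");
        require(to != registrar && to != operations, "operator cannot be destination");
        return super.transferFrom(from, to, amount);
    }
}
```

    Validation of transfers to the registrar and operations operators, and the whitelist, are intentionally left out of the sketch since the report gives no detail on their mechanics.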

    Executive Summary

    This report presents an in-depth analysis and scoring of the customer's smart contract project.

    Documentation quality

    • Functional requirements are mostly provided.

    • Technical description is not provided.

    • NatSpec is sufficient.

    Code quality

    • Gas consumption could be optimized.

    Test coverage

    Code coverage of the project is 95.45% (branch coverage).

    Security score

    Upon auditing, the code was found to contain 0 critical, 0 high, 1 medium, and 1 low severity issues.

    All identified issues are detailed in the “Findings” section of this report.

    Risks

    SmartCoin is an ERC20 token with centralized features: tokens can be frozen or burned by the admins of the protocol.

    This audit covers the SmartCoin.sol contract, which is designed to be upgradeable. However, the audit does not cover the reliability of the first version (v1) of the contract, future versions, or potential mistakes that could be made by the admin during the upgrade process. This limitation could leave potential vulnerabilities undetected in the contract's lifecycle.

    Findings

    Code        | Title                                                      | Status    | Severity
    F-2024-3285 | Use of constructor in upgradeable contract                 | mitigated | Medium
    F-2024-3306 | Asset wiping in wipeFrozenAddress function                 | accepted  | Low
    F-2024-3305 | Incorrect comment in ISmartCoin.sol                        | fixed     | Observation
    F-2024-3304 | Redundant gas consumption in pause and unpause functions   | accepted  | Observation
    F-2024-3284 | Redundant gas consumption in decreaseAllowance function    | fixed     | Observation
    F-2024-3283 | Unnecessary gas consumption in wipeFrozenAddress function  | fixed     | Observation

    Appendix 1. Severity Definitions

    When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

    A reference on how risk scoring is done is available through the repository in our GitHub organization:

    Severity: Critical
    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity: High
    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity: Medium
    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions, requirement violations and major deviations from best practices also fall in this category.

    Severity: Low
    Major deviations from best practices or major gas inefficiency. These issues will not have a significant impact on code execution and do not affect the security score, but can affect the code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details

    Repository: Shared privately
    Commit: 1c3697243fa64e2d3b01ef516be53063bc1a7d10
    Whitepaper: -
    Requirements: -
    Technical Requirements: -

    Contracts in Scope

    libraries
    EncodingUtils.sol - libraries/EncodingUtils.sol
    smartCoin
    ISmartCoin.sol - smartCoin/ISmartCoin.sol
    IAccessControl.sol - smartCoin/IAccessControl.sol
    SmartCoinDataLayout.sol - smartCoin/SmartCoinDataLayout.sol
    SmartCoin.sol - smartCoin/SmartCoin.sol
    AccessControlUpgradeable.sol - smartCoin/AccessControlUpgradeable.sol
    AccessControlDataLayout.sol - smartCoin/AccessControlDataLayout.sol

    Disclaimer