Audit name:
[SCA] Soil / Pools / Aug2024
Date:
Sep 18, 2024
Table of Content
Introduction
We express our gratitude to the Soil.co team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Soil is a DeFi system aiming to provide users the ability to lend funds.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Soil.co |
| Audited By | Olesia Bilenka |
| Approved By | Ataberk Yavuzer |
| Website | https://soil.co/→ |
| Changelog | 13/09/2024 - Preliminary Report |
| 18/09/2024 - Final Report | |
| Platform | Polygon, Ethereum |
| Language | Solidity |
| Tags | Real World Assets (RWA), Signatures, Yield Farming, Centralization, DeFi |
| Methodology | https://hackenio.cc/sc_methodology→ |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Soil.co
- Audited By
- Olesia Bilenka
- Approved By
- Ataberk Yavuzer
- Website
- https://soil.co/→
- Changelog
- 13/09/2024 - Preliminary Report
- 18/09/2024 - Final Report
- Platform
- Polygon, Ethereum
- Language
- Solidity
- Tags
- Real World Assets (RWA), Signatures, Yield Farming, Centralization, DeFi
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope | |
|---|---|
| Repository | https://gitlab.nextrope.com/client/soil/soil-blockchain→ |
| Commit | 3ff7c31 |
Review Scope
- Commit
- 3ff7c31
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are provided.
Technical description is provided.
The documentation contains mistakes that misrepresent the project requirements.
Code quality
The code follows best practices.
The development environment is configured.
The contract contains redundant functionality that could be streamlined.
Test coverage
Code coverage of the project is 82.78% (branch coverage).
Basic user interactions are covered with tests.
Some tests for access controls are missing.
Tests for certain conditional functionality are missing.
System Overview
Soil is a DeFi system with the following contracts:
PoolsContractV2 - is a pool contract that manages token deposits, withdrawals, and rewards distribution. All user actions, such as deposits, withdrawals, and claiming rewards, are authorized through backend-generated signatures. The contract supports various pools with parameters like hardCap, softCap, and APRs, divided into two types: non-short and short pools.
Non-short pools have a defined end time and follow a standard withdrawal process, allowing users to withdraw both their tokens and rewards. Short pools, on the other hand, may not have an end time and have a different withdrawal process. Tokens in short pools can only be unlocked, and users cannot withdraw unless their tokens are unlocked.
Admins manage pool settings, control rewards, and users can interact with the contract to deposit, withdraw, redeposit rewards, claim rewards, or upgrade to higher-APR pools.
PoolsValidator — is a contract which provides functions for PoolsContractV2 contract operations validation.
ProtocolSettings — is a contract which provides access control mechanism used to manage administrative roles and the backend signer.
VerifySignatureSystemV2 - is an abstract contract that is inherited by the PoolsValidator contract and provides functionality for verifying backend signatures.
PoolsContractCCIPSharedStructs - is a library which provides structs used in the project,
Privileged roles
The admin of PoolsContractV2 can set soil token if it has not been set, create and update (start date, end date, and hard cap) pools, change pool fees, withdraw fees, change soil and other tokens rewards limit, withdraw tokens from the contract, send rewards from rewards holders to the contract, allowlist or disallow tokens.
The admin of PoolsValidator can allow and disallow adresses to call the validation functions.
The ADMIN_ROLE of the ProtocolSettings allows to update backend signer.
Potential Risks
Scope Definition and Security Guarantees: The audit does not cover all code in the repository. Contracts outside the audit scope may introduce vulnerabilities, potentially impacting the overall security due to the interconnected nature of smart contracts.
Owner's Unrestricted State Modification: The absence of restrictions on state variable modifications by the owner leads to arbitrary changes, affecting contract integrity and user trust, especially during critical operations.
Absence of Time-lock Mechanisms for Critical Operations: Without time-locks on critical operations, there is no buffer to review or revert potentially harmful actions, increasing the risk of rapid exploitation and irreversible changes.
Potential Misuse of Rewards Holders' Tokens During Deposit: Within the PoolsContractV2 contract, users who agree to become reward holders may have their rewards withdrawn by the admin based on the given allowance. As a result, if a user who has agreed to be a reward holder decides to deposit tokens and gives approval for this, these tokens may be used for rewards distribution
Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation. User actions in the pool, such as deposits, withdrawals, and rewards claims, are executed through backend-generated signatures. This introduces a risk of centralized control over user deposits and rewards, as the backend system holds full authority over these actions. The rewards are not calculated within the contract but are instead determined off-chain and provided via signatures from the backend, further concentrating control outside of the contract itself. This setup could potentially lead to issues if the backend is compromised or mismanaged, as the entire system relies heavily on the integrity of the backend's operations.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2025-1059 | Lack of Signature Deadline Validation in Unlock Tokens and Redeposit Validation | fixed | Medium | |
| F-2025-1059 | Centralization Risk Leading to Potential Unauthorized Withdrawal of Users' Funds | mitigated | Medium | |
| F-2025-1060 | Token Withdrawal Failure Risk Due to Insufficient Reward Balance | fixed | Low | |
| F-2025-1059 | Inability of Pool Hard Cap Adjustment to Zero Due to Incorrect Verification | fixed | Low | |
| F-2025-1059 | Missing Zero Address Checks in Token Receiver Addresses | fixed | Observation | |
| F-2025-1059 | Redundant Comparisons to Boolean Values | fixed | Observation | |
| F-2025-1059 | Violation of Checks-Effects-Interactions Pattern | fixed | Observation | |
| F-2025-1059 | Missing Event for Soil Token Update | fixed | Observation | |
| F-2025-1059 | State Variables That Should Be Immutable | fixed | Observation | |
| F-2025-1059 | Unnecessary Checks in Rewards Claiming and Deposit | fixed | Observation |
Identify vulnerabilities in your smart contracts.
Appendix 1. Definitions
Severities
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Potential Risks
The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://gitlab.nextrope.com/client/soil/soil-blockchain→ |
| Commit | 3ff7c314e1ed2635a82b4762dff075eabf5e433b |
| Whitepaper | https://docs.google.com/document/d/1iDViDEwVRsdim1fR3cBIaRhJa6EoAkdy8R1MCImHhfA/→ |
Scope Details
- Commit
- 3ff7c314e1ed2635a82b4762dff075eabf5e433b
Contracts in Scope
contracts/PoolsContractV2.solcontracts/PoolsValidator.solcontracts/ProtocolSettings.solcontracts/VerifySignatureSystemV2.solcontracts/libraries/PoolsContractSharedStructs.sol