Introduction
We express our gratitude to the SquidGrow team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
The SquidGrow ecosystem has multiple products, including a DEX, an NFT Marketplace and a Liquidity Locker. The ecosystem supports Ethereum and Binance Smart Chain.
Document | |
---|---|
Name | Smart Contract Code Review and Security Analysis Report for SquidGrow
Audited By | Kornel Światłowski
Approved By | Przemyslaw Swiatowiec
Website | https://www.squidgrow.com/
Changelog | 30/08/2024 - Preliminary Report; 03/09/2024 - Final Report
Platform | Ethereum, BSC
Language | Solidity
Tags | ERC20
Methodology | https://hackenio.cc/sc_methodology
Review Scope | |
---|---|
Repository | https://github.com/shibtoshi/SquidGrowV3-Token
Commit | 0f0f9f748515b896a1a1bbea04e7ff69e0a570a0
Audit Summary
Users of the system should acknowledge all the risks summarised in the Risks section of this report.
Documentation quality
Functional requirements are present, but only in a limited capacity.
Technical description is not provided.
Code quality
Insufficient Gas modeling.
The development environment is configured.
Test coverage
Code coverage of the project is 30% (branch coverage).
Negative-case coverage is missing. Some functions are not covered by tests.
System Overview
The SquidGrow smart contract implements a custom ERC20 token, "SQGROW," with additional security and control features. It includes role-based access control to manage key functionalities, such as enabling trading, pausing transfers, and managing a whitelist. The contract enforces strict conditions on when trading can be initiated and includes mechanisms to pause trading under specific circumstances. It also allows for certain addresses to be whitelisted, enabling them to trade even when the contract is paused. All initial supply is minted to a deployer. Additional minting is not allowed. It has the following attributes:
Name: SquidGrow
Symbol: SQGROW
Decimals: 9
Total supply: 1,000,000,000
Privileged roles
There is a privileged role defined by the AccessControl mechanism, specifically the DEFAULT_ADMIN_ROLE. This role has extensive control over the contract's functionality. Below are the key actions that the holder of this role can perform:
- Pauses all token transfers for exactly one hour. This can only be done once every 24 hours.
- Adds or removes addresses from the whitelist, allowing them to trade even when the contract is paused.
- Enables trading of the token, setting the tradingEnabled flag to true. This can only be done once, and trading can be delayed by a specified amount of time.
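To make the controls described in the System Overview and Privileged roles sections concrete, here is an added illustration of a token with the same one-hour pause, 24-hour cooldown, whitelist bypass and one-shot delayed trading switch. It is not the audited SquidGrow source (which this report does not reproduce); it assumes OpenZeppelin Contracts v5, and the contract name, token name, symbol and event names are made up. It also emits an event for each admin action, the practice that finding F-2024-5634 asks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24; // fixed pragma rather than a floating one (cf. F-2024-5628)
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical token illustrating the controls this report describes; not the audited SquidGrow source.
contract PausableTradingToken is ERC20, AccessControl {
    uint256 public constant PAUSE_DURATION = 1 hours;
    uint256 public constant PAUSE_COOLDOWN = 24 hours;
    bool public tradingEnabled;
    uint256 public tradingStart; // from this timestamp non-whitelisted transfers are allowed
    uint256 public pausedUntil;  // end of the current one-hour pause window
    uint256 public lastPauseAt;  // start of the latest pause; enforces the 24-hour cooldown
    mapping(address => bool) public whitelisted;
    // Every admin action emits an event so it can be monitored off-chain (cf. F-2024-5634).
    event TradingEnabled(uint256 startsAt);
    event TransfersPaused(uint256 until);
    event WhitelistUpdated(address indexed account, bool allowed);

    constructor() ERC20("Example", "EXMPL") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _mint(msg.sender, 1_000_000_000 * 10 ** decimals()); // whole supply to deployer; no mint function
    }
    function decimals() public pure override returns (uint8) { return 9; }

    function enableTrading(uint256 delay) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(!tradingEnabled, "trading already enabled"); // one-shot switch
        tradingEnabled = true;
        tradingStart = block.timestamp + delay;
        emit TradingEnabled(tradingStart);
    }
    function pauseTransfers() external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(block.timestamp >= lastPauseAt + PAUSE_COOLDOWN, "pause cooldown active");
        lastPauseAt = block.timestamp;
        pausedUntil = block.timestamp + PAUSE_DURATION;
        emit TransfersPaused(pausedUntil);
    }
    function setWhitelisted(address account, bool allowed) external onlyRole(DEFAULT_ADMIN_ROLE) {
        whitelisted[account] = allowed;
        emit WhitelistUpdated(account, allowed);
    }

    // Minting (from == 0) and whitelisted parties bypass the gate; everyone else needs trading
    // to have started and no pause to be active.
    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0) && !whitelisted[from] && !whitelisted[to]) {
            require(tradingEnabled && block.timestamp >= tradingStart, "trading not started");
            require(block.timestamp >= pausedUntil, "transfers paused");
        }
        super._update(from, to, value);
    }
}
```

Because `lastPauseAt` starts at zero, the first pause is always allowed; every later one must wait a full 24 hours from the previous pause's start, which is what makes the "block an address for 1 hour every 24 hours" risk below concrete.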
Risks
Absence of a Token Burn Mechanism: The project lacks a mechanism to burn tokens, which makes it harder to manage supply dynamically and affects the token's value stability and inflation control.
Potential Blacklist Mechanism: The DEFAULT_ADMIN_ROLE can block a given address from trading for 1 hour every 24 hours.
Findings
Code | Title | Status | Severity
---|---|---|---
F-2024-5634 | Missing Events For Critical Actions | accepted | Observation
F-2024-5633 | Excessive Use of DEFAULT_ADMIN_ROLE for Routine Operations in SquidGrow | accepted | Observation
F-2024-5630 | Redundant Import | accepted | Observation
F-2024-5629 | Assignment of Default Value to Variables Increases Gas Consumption | accepted | Observation
F-2024-5628 | Floating Pragma | accepted | Observation
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
A reference on how risk scoring is done is available in the repository in our GitHub organization:
Severity | Description |
---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
---|---|
Repository | https://github.com/shibtoshi/SquidGrowV3-Token
Commit | 0f0f9f748515b896a1a1bbea04e7ff69e0a570a0
Whitepaper | -
Requirements | -
Technical Requirements | -