Q1 2025 Web3 Security ReportAccess control failures led to $1.63 billion in losses
Discover report insights
  • Hacken
  • Audits
  • usdm
  • [SCA] USDM / Token / Dec2023
USDM logo

USDM

Audit name:

[SCA] USDM / Token / Dec2023

Date:

Dec 26, 2023

Table of Content

Introduction
Audit Summary
Document Information
System Overview
Executive Summary
Risks
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Want a comprehensive audit report like this?

Introduction

We thank USDM for allowing us to conduct a Smart Contract Security Assessment. This document outlines our methodology, limitations, and results of the security assessment.

USDM a stablecoin built on the Ethereum blockchain.

titlecontent
PlatformEthereum
LanguageSolidity
TagsERC20, Beacon Proxy
Timeline07.12.2023 – 18.12.2023
Methodologyhttps://hackenio.cc/sc_methodology

    Audit Summary

    Total9.5/10
    Security Score

    10/10

    Test Coverage

    0%

    Code Quality Score

    9/10

    Documentation Quality Score

    7/10

    4Total Findings
    0Resolved
    4Accepted
    0Mitigated

    The system users should acknowledge all the risks summed up in the risks section of the report

    Document Information

    This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

    The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

    Document

    NameSmart Contract Code Review and Security Analysis Report for USDM
    Audited ByEren Gonen
    Approved ByGrzegorz Trawiński
    Changelog18/12/2023 - Second Report

    • Document

      Name
      Smart Contract Code Review and Security Analysis Report for USDM
      Audited By
      Eren Gonen
      Approved By
      Grzegorz Trawiński
      Changelog
      18/12/2023 - Second Report

    System Overview

    USDM is a ERC20 stablecoin with the following contracts:

    EthereumERC20  — A burnable, upgradeable ERC-20 token that mints the initial supply to the deployer, featuring a blacklist capability. Additional minting is permitted.

    It has the following attributes:

    • Name: USD Mapped Token

    • Symbol: USDM

    • Decimals: 6

    • Total supply: 6,500,000,000(Six billion five hundred million).

    OwnedBeaconProxy — An upgradable beacon proxy contract for the EthereumERC20 token.

    Privileged roles

    • The owner of the EthereumERC20 contract can mint new tokens and add or remove addresses from the blacklist.

    • The admin of the OwnedBeaconProxy contract can update the contract or set a new admin address.

    Executive Summary

    Documentation quality

    The total Documentation Quality score is 7 out of 10.

    • Functional requirements are partially provided.

      • Natspec is not sufficient.

    • Technical description is provided.

    Code quality

    The total Code Quality score is 9 out of 10.

    • The development environment is not configured.

    Test coverage

    Code coverage of the project is 0% (branch coverage)

    • No tests have been provided.

    Security score

    Upon auditing, the code was found to contain 0 critical, 0 high, 0 medium, and 2 low severity issues, leading to a security score of 10 out of 10.

    All identified issues are detailed in the “Findings” section of this report.

    Summary

    The comprehensive audit of the Customer's smart contract yields an overall score of 9.5. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

    Risks

    The admin of the EthereumERC20 contract can blacklist any address at any time. The blacklisted address can not transfer until further changes are made.

    Findings

    Code
    Title
    Status
    Severity
    F-2023-0116Single-Step Ownership Transfer
    accepted

    Low
    F-2023-0110Non Disabled Implementation Contract
    accepted

    Low
    F-2023-0112Using Old Openzeppelin Version
    accepted

    Observation
    F-2023-0111Using Old Solidity Version
    accepted

    Observation
    1-4 of 4 findings

    Identify vulnerabilities in your smart contracts.

    Appendix 1. Severity Definitions

    When auditing smart contracts, Hacken is using a risk-based approach that considers the potential impact of any vulnerabilities and the likelihood of them being exploited. The matrix of impact and likelihood is a commonly used tool in risk management to help assess and prioritize risks.

    The impact of a vulnerability refers to the potential harm that could result if it were to be exploited. For smart contracts, this could include the loss of funds or assets, unauthorized access or control, or reputational damage.

    The likelihood of a vulnerability being exploited is determined by considering the likelihood of an attack occurring, the level of skill or resources required to exploit the vulnerability, and the presence of any mitigating controls that could reduce the likelihood of exploitation.

    Severity

    Description

    Critical
    		Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    High
    		High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Medium
    		Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Low
    		Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    • Severity

      Critical

      Description

      Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

      Severity

      High

      Description

      High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

      Severity

      Medium

      Description

      Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

      Severity

      Low

      Description

      Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

    Appendix 2. Scope

    The scope of the project includes the following smart contracts from the provided repository:

    Scope Details

    Repositoryhttps://etherscan.io/token/0xbbaec992fc2d637151daf40451f160bf85f3c8c1
    Commit-
    WhitepaperNot Provided
    RequirementsConfidential
    Technical RequirementsConfidential

    Contracts in Scope

    contracts
    OwnedBeaconProxy.sol - contracts/OwnedBeaconProxy.sol
    EthereumERC20.sol - contracts/EthereumERC20.sol

    Disclaimer