2024 Web3 Security ReportAccess control exploits account for nearly 80% of crypto hacks in 2024.
Discover report insights
  • Hacken
  • Audits
  • vedelegate-vet
  • [SCA] veDelegate.vet / Contracts / Feb2025
veDelegate.vet logo

veDelegate.vet

Audit name:

[SCA] veDelegate.vet / Contracts / Feb2025

Date:

Mar 6, 2025

Table of Content

Introduction
Audit Summary
System Overview
Potential Risks
Findings
Appendix 1. Definitions
Appendix 2. Scope
Appendix 3. Additional Valuables
Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the veDelegate.vet team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

veDelegate is a delegation service for the vechain B3TR ecosystem, it allows users to stake their tokens to enhance their voting rewards while eliminating the need to engage in weekly manual voting.

Document

NameSmart Contract Code Review and Security Analysis Report for veDelegate.vet
Audited ByStepan Chekhovskoi
Approved ByIvan Bondar
Websitehttps://vedelegate.vet
Changelog26/02/2025 - Initial Report
06/03/2025 - Final Report
PlatformVeChain
LanguageSolidity
TagsERC-20, Staking, ERC-721, ERC-6551
Methodologyhttps://hackenio.cc/sc_methodology

  • Document

    Name
    Smart Contract Code Review and Security Analysis Report for veDelegate.vet
    Audited By
    Stepan Chekhovskoi
    Approved By
    Ivan Bondar
    Website
    https://vedelegate.vet
    Changelog
    26/02/2025 - Initial Report
    06/03/2025 - Final Report
    Platform
    VeChain
    Language
    Solidity
    Tags
    ERC-20, Staking, ERC-721, ERC-6551
    Methodology
    https://hackenio.cc/sc_methodology

Review Scope

Repositoryhttps://gitlab.com/vechain.energy/services/vedelegate/contracts-tba
Initial Commit1136e2b42fdf8da42bb6eb7e6b4c881be144228f
Final Commit7731a593eb322a097dade6dfc2d9223a5e7ab2f9

Audit Summary

6Total Findings
6Resolved
0Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional overview is provided.

  • Technical description is provided.

Code quality

  • The code architecture is complex and involves several smart contracts integrating each other.

Test coverage

Code coverage of the project is 66% (branch coverage).

  • Most of the functionality is tested for positive and negative scenarios.

System Overview

The audit covers the following veDelegate project parts:

  • AddressBook - contract manages list of registered addresses used by other system parts.

  • VeB3TR - ERC20 B3TR token wrapper managing user voting preferences.

  • VeDelegatePool - ERC721 token where each NFT is a separate staking pool.

  • ERC6551AccountERC721 - ERC6551 compatible pool contract managing funds of each separate pool.

Privileged roles

  • The ERC6551AccountERC721 contract owner is able to execute arbitrary transactions on behalf of the contract.

  • The VeDelegatePool and VeB3TR contract managers are able to pause the contract functionalities.

  • The AddressBook contract managers are allowed to reconfigure the system updating the address records.

  • The system owner is able to upgrade the contracts.

Potential Risks

Scope Definition and Security Guarantees: The audit does not cover all code in the repository. Contracts outside the audit scope may introduce vulnerabilities, potentially impacting the overall security due to the interconnected nature of smart contracts.

System Reliance on External Contracts: The functioning of the system significantly relies on VOT3 and B3TR token contracts. Any flaws or vulnerabilities in these contracts adversely affect the audited project, potentially leading to security breaches or loss of funds.

Single Points of Failure and Control: The project is fully centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.

Flexibility and Risk in Contract Upgrades: The project's contracts are upgradable, allowing the administrator to update the contract logic at any time. While this provides flexibility in addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security.

Returndata Bomb DoS Possibility: The ERC6551AccountERC721 contract uses direct call instruction which stores the return value as bytes memory. The called contract may return unexpectedly large amount of data causing the corresponding memory space allocation drain the attached Gas. While the mentioned possibility does not cause a security vulnerability, further complication of the ERC6551AccountERC721 usecases should take in attention that third-party contracts may block the execute function invocation in the described way.

Findings

Code
Title
Status
Severity
F-2025-9000EIP-6551 Violation | Unexpected Valid Signer
fixed

High
F-2025-8992Confusing Variable ERC721 Account Owner
fixed

Low
F-2025-8991Lack of Supported Interfaces Definition
fixed

Low
F-2025-8999Lack of ERC20 Operation Success Validation
fixed

Low
F-2025-8985Revert Messages Optimization
fixed

Observation
F-2025-8988Floating Pragma
fixed

Observation
1-6 of 6 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

  • Severity

    Critical

    Description

    Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity

    High

    Description

    High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity

    Medium

    Description

    Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

    Severity

    Low

    Description

    Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Potential Risks

The "Potential Risks" section identifies issues that are not direct security vulnerabilities but could still affect the project’s performance, reliability, or user trust. These risks arise from design choices, architectural decisions, or operational practices that, while not immediately exploitable, may lead to problems under certain conditions. Additionally, potential risks can impact the quality of the audit itself, as they may involve external factors or components beyond the scope of the audit, leading to incomplete assessments or oversight of key areas. This section aims to provide a broader perspective on factors that could affect the project's long-term security, functionality, and the comprehensiveness of the audit findings.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details

Repositoryhttps://gitlab.com/vechain.energy/services/vedelegate/contracts-tba
Initial Commit1136e2b42fdf8da42bb6eb7e6b4c881be144228f
Final Commit7731a593eb322a097dade6dfc2d9223a5e7ab2f9
WhitepaperN/A
Requirementshttps://docs.vedelegate.vet
Technical RequirementsREADME.md

Assets in Scope

AddressBook - AddressBook
ERC6551AccountERC721 - ERC6551AccountERC721
Registry - Registry
TokenCallbackHandler - TokenCallbackHandler
VeB3TR - VeB3TR
VeB3TRMintLogic - VeB3TRMintLogic
VeDelegateLogic - VeDelegateLogic
VeDelegatePool - VeDelegatePool
VoteTrackingLogic - VoteTrackingLogic

Appendix 3. Additional Valuables

Additional Recommendations

The smart contracts in the scope of this audit could benefit from the introduction of automatic emergency actions for critical activities, such as unauthorized operations like ownership changes or proxy upgrades, as well as unexpected fund manipulations, including large withdrawals or minting events. Adding such mechanisms would enable the protocol to react automatically to unusual activity, ensuring that the contract remains secure and functions as intended.

To improve functionality, these emergency actions could be designed to trigger under specific conditions, such as:

  • Detecting changes to ownership or critical permissions.

  • Monitoring large or unexpected transactions and minting events.

  • Pausing operations when irregularities are identified.

These enhancements would provide an added layer of security, making the contract more robust and better equipped to handle unexpected situations while maintaining smooth operations.

Disclaimer