Introduction
We express our gratitude to the World Mobile Token team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
We express our gratitude to the World Mobile Token team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
The World Mobile Token is an ERC20 token that incorporates an 'Access Control' framework for centralized minting and burning control and caps its total supply at 2 billion units. This token is equipped with a burn function and adheres to the EIP 712 standard through OpenZeppelin's ERC20Permit. Its multi-chain bridging capabilities are facilitated by LayerZero's OFT Adapter, which is compatible with both EVM and non-EVM chains. A distinctive aspect of this token is its 6-decimal representation, a deviation from the standard 18 decimals in ERC20 tokens, chosen to accommodate its interoperability features.
Further enhancing its versatility, the token is designed to work with a variety of bridging solutions beyond LayerZero's OFT adapter. This is accomplished through the implementation of locking mechanisms as well as specialized roles for burning and minting, thus supporting a comprehensive burn-mint bridging strategy.
| title | content |
|---|---|
| Platform | EVM |
| Language | Solidity |
| Tags | ERC20, OFT |
| Timeline | 25/01/2024 - 26/02/2024 |
| Methodology | https://hackenio.cc/sc_methodology→ |
Review Scope | |
|---|---|
| Repository | https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/→ |
| Commit | 95b3533 |
Review Scope
- Commit
- 95b3533
Audit Summary
10/10
100%
10/10
10/10
The system users should acknowledge all the risks summed up in the risks section of the report
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for World Mobile Token |
| Audited By | Giovanni Franchi |
| Approved By | Turgay Arda Usman |
| Changelog | 26/01/2024 - Initial report |
| 27/02/2024 - Final report |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for World Mobile Token
- Audited By
- Giovanni Franchi
- Approved By
- Turgay Arda Usman
- Changelog
- 26/01/2024 - Initial report
- 27/02/2024 - Final report
System Overview
World Mobile is an ERC-20 token designed to fit different chains and it is composed by the following contracts:
World Mobile Token — ERC-20 token that implement EIP 712, is burnable and capped. It also implements roles for minting and burning functionalities.
It has the following attributes:
Name: WorldMobileToken
Symbol: WMTX
Decimals: 6
Total supply: 2b tokens.
OFT Adapter — a contract that enables multi-chain bridging of an already deployed ERC20 contract.
Privileged roles
The admin of the contract can arbitrarily mint new tokens until the max cap is reached.
The admin of the contract can arbitrarily assign burning and minting roles.
The admin of the contract can arbitrarily transfer or renounce to the contract admin roles.
Addresses with minting permission can can arbitrarily mint new tokens until the max cap is reached.
Executive Summary
Documentation quality
The total Documentation Quality score is 10 out of 10.
Functional requirements are provided.
Technical requirements are provided.
Code quality
The total Code Quality score is 10 out of 10.
The code adheres to best practises.
NatSpecs are provided.
Test coverage
Code coverage of the project is 100% (branch coverage).
Code coverage is not required under 250 locs.
Security score
Upon auditing, the code was found to contain 0 critical, 1 high, 0 medium, and 0 low severity issues, leading to a security score of 10 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 10. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Risks
This audit report focuses exclusively on the security assessment of the contracts within the specified review scope. Interactions with out-of-scope contracts are presumed to be correct and are not examined in this audit. We want to highlight that Interactions with contracts outside the specified scope, such as:
./contracts/WorldMobileToken.sol
./contracts/WorldMobileTokenOftAdapter.sol
have not been verified or assessed as part of this report.
While we have diligently identified and mitigated potential security risks within the defined scope, it is important to note that our assessment is confined to the isolated contracts within this scope. The overall security of the entire system, including external contracts and integrations beyond our audit scope, cannot be guaranteed.
Users and stakeholders are urged to exercise caution when assessing the security of the broader ecosystem and interactions with external contracts. For a comprehensive evaluation of the entire system, additional audits and assessments outside the scope of this report are necessary.
This report serves as a snapshot of the security status of the audited contracts within the specified scope at the time of the audit. We strongly recommend ongoing security evaluations and continuous monitoring to maintain and enhance the overall system's security.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-0603 | Misused decimal precision | fixed | High | |
| F-2024-1051 | Solidity version 0.8.20 might not be supported in all chains due to push0 opcode | fixed | Observation | |
| F-2024-0611 | Non-Compliance with Naming Conventions for Contract and File Names | fixed | Observation | |
| F-2024-0606 | Unused inheritance | fixed | Observation | |
| F-2024-0605 | Large numeric literals should use underscores for readability | fixed | Observation | |
| F-2024-0602 | Floating pragma | fixed | Observation |
Identify vulnerabilities in your smart contracts.
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/worldmobilegroup/ethereum-wmt-contract→ |
| Commit | 95b353351a9bca14712320f9639f4744880f3570 |
| Whitepaper | N/A |
| Requirements | N/A |
| Technical Requirements | N/A |
Scope Details
- Commit
- 95b353351a9bca14712320f9639f4744880f3570
- Whitepaper
- N/A
- Requirements
- N/A
- Technical Requirements
- N/A
Remediation Scope Details | |
|---|---|
| Repository | https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/→ |
| Commit | 27483e118aac7f3ef294b1b046afb9d079474082 |
| Whitepaper | N/A |
| Requirements | https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/README.md→ |
| Technical Requirements | https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/README.md→ |
Remediation Scope Details
- Commit
- 27483e118aac7f3ef294b1b046afb9d079474082
- Whitepaper
- N/A
- Technical Requirements
- https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/README.md→
Second Remediation Scope Details | |
|---|---|
| Repository | https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/→ |
| Commit | ba07bdccbea28df80433f9f3d37ebca7eaded6dc |
| Whitepaper | N/A |
| Requirements | https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/README.md→ |
| Technical Requirements | https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/README.md→ |
Second Remediation Scope Details
- Commit
- ba07bdccbea28df80433f9f3d37ebca7eaded6dc
- Whitepaper
- N/A
- Technical Requirements
- https://github.com/worldmobilegroup/ethereum-wmt-contract/commits/main/README.md→