Audit for HeadStarter: +1 Network Audited by Hacken – Hedera

In May 2022, Hacken performed a smart contract audit of HeadStarter. HeadStarter is the project accelerator and launchpad of the Hedera Hashgraph ecosystem. Its mission is to connect the best early-stage Hedera Hashgraph projects with community & decentralized funding. Hacken performs smart contract audits for Hedera Hashgraph. In fact, HeadStarter marked Hacken’s first audit for Hedera.

Unfolding HeadStarter Smart Contract Audit

Solution: Smart Contract Audit
Audit Result: 10/10 score, excellent
Platform: Hedera
Language: Solidity
Timeline: 13 May 2022 – 23 May 2022
Report: https://wp.hacken.io/audits/#headstarter

Hacken auditors reviewed and analyzed HeadStarter’s smart contracts for the functionality of staking and vesting. It took 20 days to complete the procedure in two stages: (1) the initial review and (2) the remediation check.

System Overview

Contracts in scope

HeadStarter – is a pool/vesting system with the following contracts and a brief description of their purpose:

• BasicPool.sol – basic pool contact to join the pool and claim tokens.
• AllowlistPool.sol – add facilities to allowlist users to participate in the pool.
• MerklePool.sol – safelist users based on the “Merkle” algorithm.
• MultiPartyWithdrawPool.sol – multiple parties withdraw the raised funds
• VestingPool.sol – claim user’s tokens proportionally according to an interval
• IDOPool.sol – a combination of BasicPool.sol and AllowlistPool.sol.
• IDOPoolWithVesting.sol – a combination of IDOPool.so and VestingPool.sol.

Privileged roles

Based on these functions, the owner has the following privileged roles:

• transfer ERC20 tokens to the pool.
• withdraw the raised funds.
• set pool schedule: start date, end date, redeem date.
• set IDO details: max tokens per user, price per token.
• add/remove users from the allowlist.
• initiate withdrawal raised funds for all parties.
• set vesting schedule.

All these contracts are designed specifically for Hedera.

Found Issues

Critical

First things first, we found no critical issues. Critical issues are usually straightforward to exploit and can lead to asset loss or data manipulations. We also didn’t find any high-severity issues.

High

We found three high-severity issues, all of which our client fixed. High-severity issues are difficult to exploit but significantly impact smart contract execution.

• Potential DoS (Status: FIXED). The function withdraw in MultiPartyWithdrawPool.sol iterates over all shareholders and withdraws tokens. However, there is a problem. Gas consumption can differ a lot between different transactions. Possible DoS if the number of shareholders is large enough. Moreover, the holder’s address can be a contract, which consumes lots of Gas when sending tokens to it. Our recommendation was to use the Pull over Push pattern or limit the amount of data processed in one translation.

• Highly permissive owner access (Status: FIXED). The exploit in the functions setVestingSchedule and setPoolSchedule in VestingPool.sol and BasicPool.sol may delay promised release. In particular, the owner can change the release percentages and release interval durations at any time. Moreover, the owner can change the start, end, and redeem dates. Our recommendation was not to allow the rescheduling of those parameters.

• Unchecked call return value (Status: FIXED). The exploit in the function _associateTokenin in BasicPool.sol had a high-severity weakness. In particular, the call’s return value to the precompiled HTS(Hedera Token Service) contract is not checked. If a user joins the pool only once and the call to the HTS contract fails, the user will not be associated with the token and will not be able to receive the tokens. Our recommendation was to check two conditions and accept both as a success. In other cases, return false and revert the transaction.

Medium

There was one medium issue in VestingPool.sol contract. In perspective, medium-level vulnerabilities, such as requirements non-compliance, cannot lead to asset loss or data manipulations. In this case, there was a typo in the error message “Invalid inter[n]al.” The client fixed it.

Low

Low-level vulnerabilities cannot have a significant impact on execution. We found seven issues: Typo in documentation, floating pragma, outdated compiler version, style guide violation, requirements incompliance, and the confusing function name.

Smart Contract Audit for Hedera

HeadStarter’s audit deserves special attention. After all, It’s our first audit of a project operating on the Hedera platform. Hedera is an enterprise-grade public network. It uses the native energy-efficient cryptocurrency HBAR. Speed, fairness, and security are the critical characteristics of Hedera. Developers can connect to Hedera in the languages they know best such as Solidity, Java, and Go. 

Key characteristics of Hedera network:

• 10,000+ transactions per second (BTC  3+ TPS), (ETH 12+ TPS )
• $0.0001 average fee (BTC $22.57), (ETH $19.55)
• 3-5 seconds transaction confirmation (BTC 10-60 min), (ETH 10-20 sec)
• 0.00017 kWh energy use per transaction (BTC 885+ kWh), (ETH 102+ kWh)

Hedera is the proof-of-stake network and relies on the hashgraph consensus. In short, hashgraph agreement is similar to a “gossip protocol.” Once a node in the chain receives new data, it randomly selects another node on the network and shares this unique piece of information. The next informed node also sets the next node randomly. The process repeats until all nodes on the network have the new data. As a result, Hashgraph is faster, cheaper, and scalable. A typical validation time is a mere 3-5 sec. The processing capacity on the Hashgraph network is over 10,000 transactions per second, which is virtually unattainable for mainstream blockchains.

Our client Headstarter chose Hacken for auditing their staking and vesting contracts. Request a quote now if you want to get a professional code review and analysis of your Hedera-based project by a trusted auditor.