
Smart Contract Audit for Itheum


12 Oct 2022

  • Solution: Smart Contract Audit
  • Audit Score: 10/10
  • Platform: Elrond
  • Language: Rust
  • Timeline: 18 July 2022 – 8 Aug 2022

About Itheum

Business Segment: Decentralized Data Broker

Cross-chain protocol + Data DEX + Data Metaverse

Our client Itheum is the world’s first decentralized, cross-chain data brokerage platform. Itheum’s goal is to reboot the way data brokers deal with data points collected on users. Itheum believes that Web3 and the Metaverse must not allow dangerous data-hoarding practices, so it decided to provide a decentralized solution for data brokerage. Its vision is to create a Data Metaverse, which consists of the Data DEX, an integral part of Itheum’s mission.

Itheum requested Hacken’s services because they wanted to extend the functionality and complexity of their Data DEX. Their particular need was to add support for a “claims portal”, which lets users log in with their Elrond wallets and self-claim tokens granted to them as data-exchange-based rewards. The core functionality was to enable the Data DEX contract owner to deposit Itheum token claims into the contract for user addresses, whose holders can then self-claim them.

Unfolding Itheum’s Smart Contract Audit

The full audit was completed in two reviews and took less than a month. 

System Overview

Hacken’s smart contract auditors have analyzed Itheum’s requirements and provided an overview of the system. The purpose of a system overview is to understand the context, describe roles, and identify risks.

Hacken auditors analyzed ClaimsContract, located in Itheum’s repository. ClaimsContract is a simple “upgradeable contract” that holds a mapping from an address and a “claim type” to a “claim amount” and a “claim add date”. A “claim type” is a u32 taking values between 0 and 2. The “claim amount” is a BigUint representing the amount of Itheum tokens the address can withdraw. The “claim add date” is the timestamp at which the claim for that address and “claim type” was last modified in the smart contract.

Hacken auditors found the following privileged roles for the contract:

  • Owner of the smart contract – can manually set a new “claim amount” for an address and a “claim type”.
  • Itheum Token Owner – the owner of the Itheum token on Elrond.
  • Itheum Token – an ESDT token on Elrond.
  • DEX DApp – the Itheum DEX, which interacts with this contract using its own wallet.

Found Issues

After an initial review and remediation check, our auditors found no critical vulnerabilities. Critical issues are usually straightforward to exploit and can lead to asset loss or data manipulations. We also didn’t find any high-severity issues. These issues are difficult to exploit, but also have a significant impact on smart contract execution.

We found 1 medium-severity issue (fixed in the re-audit) and 6 low-severity issues.

Medium

1. Requirements incompliance.

The documentation states that the contract should implement the following feature: ‘Owner of Claims Contract and Owners of Token should be different’. This feature is not implemented.

File: ./src/lib.rs
Contract: ClaimsContract
Function: set_reward_token
Recommendation: Either implement the missing logic or remove the corresponding statement from the documentation.
Status: Fixed (Revised commit: 086b7e4c7329db725358a0b8c45ee73d7dcb5f8a)

To put it in perspective, medium-severity issues such as requirements non-compliance cannot lead to asset loss or data manipulation on their own. Low-severity issues mostly concern outdated, unused or redundant code that cannot significantly affect execution. In Itheum’s case, the low-severity issues were: zero-valued transactions, a missing zero-value check on a parameter, duplicate code, unnecessary reads from storage, a misleading method name, and a missing event emission. Hacken’s remediation check confirmed that Itheum fixed them all. Itheum therefore achieved a high level of security already during development, and fixed all the less severe issues after the audit.
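To make the medium finding above and the zero-value and event-emission findings concrete, here is an added plain-Rust model of the ClaimsContract logic as the audit describes it. It is not Itheum’s code and does not use the Elrond smart contract framework; addresses are strings, BigUint is modelled as u128, and the event log is a plain vector.

```rust
use std::collections::HashMap;

type Address = String;

#[derive(Default)]
pub struct ClaimsContract {
    owner: Address,
    reward_token_owner: Option<Address>,
    // (claimant address, claim type 0..=2) -> (claim amount, claim add date)
    claims: HashMap<(Address, u32), (u128, u64)>,
    pub events: Vec<String>,
}

impl ClaimsContract {
    pub fn new(owner: &str) -> Self {
        ClaimsContract { owner: owner.to_string(), ..Default::default() }
    }

    /// The documented rule the audit found missing: the claims contract
    /// owner and the reward token owner must be different accounts.
    pub fn set_reward_token(&mut self, caller: &str, token_owner: &str) -> Result<(), &'static str> {
        if caller != self.owner { return Err("only owner"); }
        if token_owner == self.owner { return Err("token owner must differ from contract owner"); }
        self.reward_token_owner = Some(token_owner.to_string());
        Ok(())
    }

    pub fn reward_token_owner(&self) -> Option<&str> { self.reward_token_owner.as_deref() }

    /// Owner sets a claim; includes the zero-value check and the event
    /// emission that the low-severity findings asked for.
    pub fn add_claim(&mut self, caller: &str, to: &str, claim_type: u32, amount: u128, now: u64) -> Result<(), &'static str> {
        if caller != self.owner { return Err("only owner"); }
        if claim_type > 2 { return Err("claim type must be 0..=2"); }
        if amount == 0 { return Err("claim amount must be non-zero"); }
        self.claims.insert((to.to_string(), claim_type), (amount, now));
        self.events.push(format!("claim_added:{}:{}:{}", to, claim_type, amount));
        Ok(())
    }

    /// Claimant self-claims the full amount stored for one claim type.
    pub fn claim(&mut self, caller: &str, claim_type: u32) -> Result<u128, &'static str> {
        match self.claims.get_mut(&(caller.to_string(), claim_type)) {
            Some(e) if e.0 > 0 => {
                let amount = e.0;
                e.0 = 0;
                self.events.push(format!("claimed:{}:{}:{}", caller, claim_type, amount));
                Ok(amount)
            }
            _ => Err("nothing to claim"),
        }
    }
}
```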

Hacken Final Assessment

Overall, Itheum has an exceptionally secure smart contract code for their Data DEX.

  • The total Code Quality score is 10 out of 10.
  • The architecture quality score is 10 out of 10.
  • The security score is 10 out of 10.
  • The total Documentation Quality score is 10 out of 10.

According to the assessment, the smart contract has the following score: 10.0! Congratulations to Itheum and best wishes on building a secure Data Metaverse.
