Smart Contract Audit for Itheum
- Solution: Smart Contract Audit
- Audit Score: 10/10
- Platform: Elrond
- Language: Rust
- Timeline: 18 July 2022 – 8 Aug 2022
About Itheum
Business Segment: Decentralized Data Broker
Our client Itheum is the world’s 1st decentralized, cross-chain data brokerage platform. The goal of Itheum is to reboot the way data brokers deal with data points on users. Itheum believes that Web3 and the Metaverse must not allow dangerous data hoarding practices. That’s why they decided to provide a decentralized solution for data brokerage. Their vision is to create a Data Metaverse. The Data Metaverse includes the Data DEX, an integral part of Itheum’s mission.
Itheum requested Hacken’s services because they wanted to increase the functionality and complexity of their Data DEX. Their particular need was to add support for a “claims portal”. This would allow users to log in via their Elrond wallets and self-claim tokens that have been given to them as part of data-exchange-based rewards. The core functionality was to enable the Data DEX contract owner to deposit Itheum token claims into the contract for the addresses of users, who can then self-claim.
Unfolding Itheum’s Smart Contract Audit
The full audit was completed in two reviews and took less than a month.
System Overview
Hacken’s smart contract auditors analyzed Itheum’s requirements and provided an overview of the system. The purpose of a system overview is to understand the context, describe roles, and identify risks.
Hacken auditors analyzed ClaimsContract, located in Itheum’s repository. The Claims Contract is a simple “upgradeable contract” that holds a mapping from an address and a “claim type” to a “claim amount” and a “claim add date”. A “claim type” is a u32 taking values between 0 and 2. The “claim amount” is a BigUint, which represents the amount of Itheum the address can take out. The “claim add date” is a timestamp of when the claim for the address and “claim type” was last modified in the smart contract.
Hacken auditors found the following privileged roles for the contract:
- The Owner of the smart contract – can manually put in a new “claim amount” for an address and a “claim type”.
- Itheum Token Owner – the owner of the Itheum token on Elrond.
- Itheum Token – an ESDT token on Elrond.
- DEX DApp – Itheum DEX to interact with this contract using its own wallet.
Found Issues
After an initial review and remediation check, our auditors found no critical vulnerabilities. Critical issues are usually straightforward to exploit and can lead to asset loss or data manipulations. We also didn’t find any high-severity issues. High-severity issues are difficult to exploit, but also have a significant impact on smart contract execution.
We found 1 medium (which was fixed in the re-audit) and 6 low-level vulnerabilities.
To put it in perspective, medium-level vulnerabilities, such as requirements non-compliance, cannot lead to asset loss or data manipulations. Low-level vulnerabilities are mostly related to outdated, unused, and similar code snippets that cannot have a significant impact on execution. In Itheum’s case, the low-level issues were: zero valued transactions, missing parameter zero value check, duplicate code, unnecessary reading from storage, misleading method name, and missing event emitting. Hacken’s remediation check confirmed that Itheum fixed them all. Therefore, Itheum managed to achieve a high level of security even during development, and they fixed all less severe vulnerabilities after the audit.
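The claim mapping from the system overview, together with three of the low-level finding classes (zero-valued transactions, missing zero-value parameter check, missing event emission), can be modeled in plain Rust. This is an added illustration, not Itheum’s contract code or Hacken’s; every type and function name is hypothetical, u128 stands in for BigUint, and accumulating deposits and updating the date on claim are assumptions.

```rust
use std::collections::HashMap;

// Hypothetical std-only model; names are assumptions, u128 stands in for BigUint.
type Address = [u8; 32];
#[derive(Debug, PartialEq)]
enum ClaimError { NotOwner, InvalidClaimType, ZeroAmount, NothingToClaim }
#[derive(Debug, PartialEq)]
enum Event { ClaimAdded(Address, u32, u128), Claimed(Address, u32, u128) }

struct Claims {
    owner: Address,
    // (address, claim type) -> (claim amount, claim add date)
    ledger: HashMap<(Address, u32), (u128, u64)>,
    events: Vec<Event>,
}

impl Claims {
    fn new(owner: Address) -> Self { Claims { owner, ledger: HashMap::new(), events: Vec::new() } }
    // Owner-only deposit: rejects unknown claim types and zero amounts before touching storage.
    fn add_claim(&mut self, caller: Address, to: Address, kind: u32, amount: u128, now: u64)
        -> Result<(), ClaimError> {
        if caller != self.owner { return Err(ClaimError::NotOwner); }
        if kind > 2 { return Err(ClaimError::InvalidClaimType); }
        if amount == 0 { return Err(ClaimError::ZeroAmount); }
        let entry = self.ledger.entry((to, kind)).or_insert((0, now));
        entry.0 += amount; // assumption: deposits accumulate
        entry.1 = now;     // "claim add date" = last modification
        self.events.push(Event::ClaimAdded(to, kind, amount));
        Ok(())
    }

    // Self-claim: an empty balance is an error, never a zero-valued transfer.
    fn claim(&mut self, caller: Address, kind: u32, now: u64) -> Result<u128, ClaimError> {
        if kind > 2 { return Err(ClaimError::InvalidClaimType); }
        let entry = self.ledger.get_mut(&(caller, kind)).ok_or(ClaimError::NothingToClaim)?;
        if entry.0 == 0 { return Err(ClaimError::NothingToClaim); }
        let amount = std::mem::take(&mut entry.0); // zero the balance, keep the amount
        entry.1 = now;
        self.events.push(Event::Claimed(caller, kind, amount));
        Ok(amount)
    }
}

fn main() {
    let (owner, user) = ([1u8; 32], [2u8; 32]); // constructed sample addresses
    let mut c = Claims::new(owner);
    c.add_claim(owner, user, 0, 500, 1_658_102_400).unwrap();
    println!("{:?}", c.claim(user, 0, 1_658_102_460));
}
```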
Hacken Final Assessment
Overall, Itheum has an exceptionally secure smart contract code for their Data DEX.
- The total Code Quality score is 10 out of 10.
- The architecture quality score is 10 out of 10.
- The security score is 10 out of 10.
- The total Documentation Quality score is 10 out of 10.
According to the assessment, the smart contract has the following score: 10.0! Congratulations to Itheum and best wishes on building a secure Data Metaverse.