Business Segment: Decentralized Data Broker
Our client Itheum is the world's first decentralized, cross-chain data brokerage platform. The goal of Itheum is to reboot the way data brokers deal with data points on users. Itheum believes that Web3 and the Metaverse must not allow dangerous data hoarding practices. That's why they decided to provide a decentralized solution for data brokerage. Their vision is to create a Data Metaverse, which consists of the Data DEX, an integral part of Itheum's mission.
Itheum requested Hacken's services because they wanted to increase the functionality and complexity of their Data DEX. Their particular need was to add support for a "claims portal". This would allow users to log in via their Elrond wallets and self-claim tokens that have been given to them as data-exchange-based rewards. The core functionality was to enable the Data DEX contract owner to deposit Itheum token claims into the contract for the addresses of users, who can then self-claim them.
The full audit was completed in two reviews and took less than a month.
Hacken's smart contract auditors analyzed Itheum's requirements and provided an overview of the system. The purpose of a system overview is to understand the context, describe roles, and identify risks.
Hacken auditors analyzed the ClaimsContract located in Itheum's repository. ClaimsContract is a simple "upgradeable contract" that holds a mapping from an address and a "claim type" to a "claim amount" and a "claim add date". A "claim type" is a u32 taking values between 0 and 2. The "claim amount" is a BigUint representing the amount of Itheum the address can take out. The "claim add date" is the timestamp of when the claim for that address and "claim type" was last modified in the smart contract.
Hacken auditors found the following privileged roles for the contract:
- The Owner of the smart contract: can manually put in a new "claim amount" for an address and a "claim type".
- Itheum Token Owner: the owner of the Itheum token on Elrond.
- Itheum Token: an ESDT token on Elrond.
- DEX DApp: the Itheum DEX, which interacts with this contract using its own wallet.
After an initial review and remediation check, our auditors found no critical vulnerabilities. Critical issues are usually straightforward to exploit and can lead to asset loss or data manipulation. We also didn't find any high-severity issues; these are difficult to exploit but still have a significant impact on smart contract execution.
We found 1 medium (which was fixed in the re-audit) and 6 low-level vulnerabilities.
To put it in perspective, medium-level vulnerabilities, such as requirements non-compliance, cannot lead to asset loss or data manipulation. Low-level vulnerabilities mostly concern outdated, unused or otherwise sloppy code snippets that cannot have a significant impact on execution. In Itheum's case, the low-level issues were: zero-valued transactions, a missing zero-value check on a parameter, duplicate code, unnecessary reading from storage, a misleading method name, and missing event emission. Hacken's remediation check confirmed that Itheum fixed them all. Itheum therefore achieved a high level of security already during development, and fixed all the less severe findings after the audit.
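To make the contract model and the low-severity findings concrete, here is an added plain-Rust model of the claims ledger (example code written for this article, not Itheum's contract or the Elrond smart contract framework; the struct, method and error names are hypothetical). It keeps the (address, claim type) to (amount, add date) mapping described above and builds in the checks the audit asked for: a non-zero claim amount, no zero-valued self-claim, a single storage read per claim, and an event for every state change.

```rust
use std::collections::HashMap;

// Claim types are u32 values 0..=2, as in the audit's system overview.
const MAX_CLAIM_TYPE: u32 = 2;

#[derive(Debug, Clone, PartialEq)]
pub struct Claim {
    pub amount: u128,  // stands in for the contract's BigUint
    pub add_date: u64, // timestamp of the last modification
}

#[derive(Debug, Clone, PartialEq)]
pub enum Event {
    ClaimAdded { addr: String, claim_type: u32, amount: u128 },
    Claimed { addr: String, claim_type: u32, amount: u128 },
}

pub struct ClaimsLedger {
    owner: String,
    claims: HashMap<(String, u32), Claim>,
    pub events: Vec<Event>, // models the event emission the audit found missing
}

impl ClaimsLedger {
    pub fn new(owner: &str) -> Self {
        ClaimsLedger { owner: owner.to_string(), claims: HashMap::new(), events: Vec::new() }
    }

    // Owner-only: put in a new claim amount for (address, claim type). Assumed to replace any earlier amount.
    pub fn add_claim(&mut self, caller: &str, addr: &str, claim_type: u32, amount: u128, now: u64) -> Result<(), &'static str> {
        if caller != self.owner { return Err("only the owner may add claims"); }
        if claim_type > MAX_CLAIM_TYPE { return Err("claim type must be 0..=2"); }
        if amount == 0 { return Err("claim amount must be non-zero"); } // the missing zero-value parameter check
        self.claims.insert((addr.to_string(), claim_type), Claim { amount, add_date: now });
        self.events.push(Event::ClaimAdded { addr: addr.to_string(), claim_type, amount });
        Ok(())
    }

    // Self-claim: the caller takes out whatever is recorded for its own address and claim type.
    pub fn claim(&mut self, caller: &str, claim_type: u32, now: u64) -> Result<u128, &'static str> {
        // Read the entry once instead of re-reading storage for every field.
        let entry = self.claims.get_mut(&(caller.to_string(), claim_type)).ok_or("no claim recorded")?;
        if entry.amount == 0 { return Err("nothing to claim"); } // refuse a zero-valued transfer
        let amount = entry.amount;
        entry.amount = 0;
        entry.add_date = now;
        self.events.push(Event::Claimed { addr: caller.to_string(), claim_type, amount });
        Ok(amount)
    }

    pub fn claim_of(&self, addr: &str, claim_type: u32) -> Option<&Claim> {
        self.claims.get(&(addr.to_string(), claim_type))
    }
}
```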
Overall, Itheum has exceptionally secure smart contract code for their Data DEX.
According to the assessment, the smart contract received a score of 10.0! Congratulations to Itheum, and best wishes on building a secure Data Metaverse.