Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Hacken x SingularityDAO: Securing Decentralization from Day 1

Hacken x SingularityDAO: Securing Decentralization from Day 1

Share via:

About SingularityDAO

Our client SingularityDAO (SDAO) is a decentralized Portfolio Management Protocol with a mission of redefining crypto asset management. The protocol has a vision of an ecosystem where anybody can safely and easily manage crypto assets. Their motto is “Smart money, on-chain,” and they seek to provide superior risk management and analytics tools.

The core offering of SingularityDAO are these five products:

DynaSets
Vaults
DEX
Launchpad
DAO

Decentralization from Day 1

For our client SingularityDAO, decentralization is the top priority. They aim to create a decentralized experience, and most of their functions support the goal. They are not afraid to experiment with contracts’ functionality to devise the best way to achieve reliable and scalable decentralization. Hence, the need to ensure the utmost security of their implementations.

Our 2-Year Journey

We’ve been providing Web3 cybersecurity services to SingularityDAO for almost two years now. The first deal was back in early 2021. Over the course of 2 years, Hacken provided a range of penetration testing services and smart contract audits:

Web Application Security Assessment (May 2021)
Complex Cybersecurity Assessment (Sep 2021)
Smart Contract Audit for DynaSet (Dec 2021)
Smart Contract Audit for AirDrop (Jan 2022)
Smart Contract Audit for Converter Token Manager (Mar 2022)
Smart Contract Audit for Upgradable Tokens (Mar 2022)
Smart Contract Audit for LP Tokens System (Sep 2022)

We started really small and expanded the range of services. At first, SingularityDAO requested cybersecurity assessments. Eventually, they started entrusting us with more complex and crucial contracts, such as contracts for the LP tokens system and airdrop. We moved to core contracts by delivering high-quality audits and earning SingularityDAO’s trust.

“Hacken provided in-depth security audits for SingularityDAO and our users. They never compromise on high-security standards and they provide highly professional service with great attention to detail. They always provide timely responses, even during stressful times.”
Antonie Roche, PM at SingularityDAO

Earning the trust of someone like SingularityDAO is not a small feat since they are keeping their standards unapologetically high.

How SingularityDAO chose Hacken?

SingularityDAO requested Hacken’s services because they wanted to ensure the reliability and security of the core functionality that enables decentralization.

SDAO is a major project with more than $18 million in market cap. Its large community has strict speed expectations. At Hacken, we pay attention to the environment in which our clients operate. For that reason, we offered a priority queue, which has been quite beneficial to our client. Sridhar Kolapalli, SingularityDAO’s CTO with 19+ years of professional experience, revealed that the priority queue was definitely a huge plus when SingularityDAO selected Hacken among multiple players they have shortlisted.

Unfolding SingularityDAO’s Smart Contract Audits

We have reviewed a large number of SingularityDAO’s smart contracts. In all cases, we assessed them as well-secured because SingularityDAO fixed all found bugs. Let’s review some of the most interesting weaknesses we have detected.

Found Issues

Critical Issues

Critical issues are usually straightforward to exploit and can lead to asset loss or data manipulations. Their track record has been near perfect. The only time we came across critical issues was during the audit of the most complex contracts in DynasetForge for the LP tokens system. That audit alone included 24 contracts. We found a Denial of Service Vulnerability in getPrice(). The flawed logic hindered the normal functioning of price oracles. In particular, the value condition always returned false, and the contract could update prices from fallback oracles. We left our recommendations, and the client quickly fixed the issues in the next commit.

High-Severity Issues

These issues are difficult to exploit but significantly impact smart contract execution. High-severity issues have been extremely rare in SingularityDAO audits. The most notable case was unsecure oracle usage in UsdcOracle. It was impossible to pause oracles, which could lead to an attack if the oracle got compromised. After our recommendation, the client added the ability to pause oracles and fixed the issue.

Medium-Severity Issues

Throughout the years, we found only four medium vulnerabilities. In perspective, medium-level vulnerabilities cannot lead to asset loss or data manipulations but are important to fix. The ForgeV1 contract had state variables changed after the external calls, which could lead to re-entrants and race conditions. We recommended implementing the code according to the Checks-Effects-Interaction pattern or using a non-reentrant modifier. The client fixed the issue.

Low-Severity Issues

Low-level vulnerabilities are mostly related to outdated, unused code snippets that cannot significantly impact execution. In their case, low-level issues were: boolean equality, misleading variable names, redundant functionality, and imports, never used libraries, outdated and floating pragma, etc. Hacken’s remediation check confirmed that SingularityDAO fixed or mitigated them.

Continuous Cooperation, Continuous Improvement

Both companies have a clear understanding that nothing is for granted. So how do we improve ourselves?

At Hacken, we are avid supporters of continuous improvement. Therefore, we actively gather feedback from our clients. In this case, the team of SingularityDAO was kind enough to suggest several enhancement points to improve our services. Firstly, there might have been some “unnecessary back and forth at the remediation stage.” While the initial audit was timely, remediation may have taken longer than expected. We actively review our processes to make remediations more to the point without losing quality. Secondly, all communication was centralized, which may have affected the ease of interaction between teams. When the scope of cybersecurity services is so complex, it’s more sensible to use dedicated communication channels for each problem.

Furthermore, Hacken should collaborate closely with clients to stay on the same page regarding significant changes to audit methodology.

On their side, the SingularityDAO team is working on enhancing the process of setting audit requirements. Their CTO Sridhar Kolapalli told us they put much effort into creating standardized audit requirements. In particular, SingularityDAO adopted a practice of preparing detailed functional audit requirements, including complete information about the contract, link, commit, list of contracts, tests, and extensive technical description of the contract.

SingularityDAO is also very attentive to Hacken’s auditors’ feedback. We worked with many contracts and dependencies on a one-by-one basis. At some point, we realized that applying a whole-system approach is better. Therefore, we suggested checking the whole repository to account for the dependencies. SingularityDAO understood why it was essential and agreed to our suggestion. Another suggestion from us related to an environment for smart contract development. The client has traditionally relied on Truffle Suite but also considered the benefits of the Hardhat tooling.

Going for the Win-Win

Being on the same page with the client regarding requirements, community expectations, delivery times, communication, and developing frameworks is paramount for fruitful cooperation. In less than two years, Hacken and SingularityDAO have achieved a lot. At Hacken, we expanded and established ourselves as a leading auditor and strengthened the state of Web3 cybersecurity. On their side, SingularityDAO stayed true to their original promise and accomplished the decentralization of two of their DynaSets. We are improving our processes and standards together. And we are delighted to know that there is much more to come.