HACKEN SMART CONTRACT CODE REVIEW AND SECURITY ANALYSIS REPORT FOR $BYOB (SECOND AUDIT — STAKING)
Name: Smart Contract Code Review and Security Analysis Report for DataMynt
Approved by: Andrew Matiukhin | CTO Hacken OU
Type: Staking
Platform: Ethereum / Solidity
Methods: Architecture Review, Functional Testing, Computer-Aided Verification, Manual Review
Repository: https://github.com/DataMynt1/staking-rewards-sc
Commit: f1d24fede76ac2a7d79367581ad41ab7443b85bc
Technical Documentation: Yes
JS tests: Yes
Website: Datamynt.com
Timeline: 19 OCTOBER 2021–02 NOVEMBER 2021
Changelog: 22 OCTOBER 2021 — INITIAL AUDIT; 02 NOVEMBER 2021 — SECOND REVIEW
Introduction
Hacken OÜ (Consultant) was contracted by DataMynt (Customer) to conduct a Smart Contract Code Review and Security Analysis. This report presents the findings of the security assessment of the Customer’s smart contract and its code review, conducted between October 19th, 2021 and October 22nd, 2021. The second code review was conducted on November 2nd, 2021.
Scope
The scope of the project is smart contracts in the repository:
Repository: https://github.com/DataMynt1/staking-rewards-sc
Commit: f1d24fede76ac2a7d79367581ad41ab7443b85bc
Technical Documentation: Yes (https://github.com/DataMynt1/staking-rewards-sc/blob/main/docs/architecture.md)
JS tests: Yes (https://github.com/DataMynt1/staking-rewards-sc/tree/main/test/staking)
Contracts: StakingRewards.sol
We have scanned this smart contract for commonly known and more specific vulnerabilities. Here are some of the commonly known vulnerabilities that are considered:
Category: Code review
Check Items:
▪ Reentrancy
▪ Ownership Takeover
▪ Timestamp Dependence
▪ Gas Limit and Loops
▪ DoS with (Unexpected) Throw
▪ DoS with Block Gas Limit
▪ Transaction-Ordering Dependence
▪ Style guide violation
▪ Costly Loop
▪ ERC20 API violation
▪ Unchecked external call
▪ Unchecked math
▪ Unsafe type inference
▪ Implicit visibility level
▪ Deployment Consistency
▪ Repository Consistency
▪ Data Consistency
Category: Functional review
Check Items:
▪ Business Logics Review
▪ Functionality Checks
▪ Access Control & Authorization
▪ Escrow manipulation
▪ Token Supply manipulation
▪ Assets integrity
▪ User Balances manipulation
▪ Data Consistency manipulation
▪ Kill-Switch Mechanism
▪ Operation Trails & Event Generation
Executive Summary
According to the assessment, the Customer’s smart contracts are well-secured.
Our team performed an analysis of code functionality, a manual audit, and automated checks with Mythril and Slither. All issues reported by the automated analysis were manually reviewed; every confirmed issue is presented in the Audit overview section.
As a result of the audit, security engineers found 1 low severity issue.
After the second review, security engineers found no issues.
Severity Definitions
Risk Level and Descriptions
▪ Critical: Critical vulnerabilities are usually straightforward to exploit and can lead to assets loss or data manipulations.
▪ High: High-level vulnerabilities are difficult to exploit; however, they also have a significant impact on smart contract execution, e.g., public access to crucial functions.
▪ Medium: Medium-level vulnerabilities are important to fix; however, they can’t lead to assets loss or data manipulations.
▪ Low: Low-level vulnerabilities are mostly related to outdated, unused, or similar code snippets that can’t have a significant impact on execution.
Audit overview
Critical
No Critical issues were found.
High
No high severity issues were found.
Medium
No medium severity issues were found.
Low
No event on “periodFinish” update
“periodFinish” is a critical value for the contract, and updating it should definitely emit an event so that the change can be tracked off-chain.
Contracts: StakingRewards.sol
Function: updatePeriodFinish
Recommendation: Please emit an event on “periodFinish” update.
Status: Fixed
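The following Solidity snippet is an added illustration of the finding and its remediation; it is not code from the audited StakingRewards.sol. The owner-only access control, the `rewardRate` field and the event name `PeriodFinishUpdated` are assumptions made for the example. The first contract shows the silent update the finding describes; the second shows the remediated form, where the old and new values and the caller are emitted so an off-chain indexer can subscribe to the log instead of polling storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative base contract (added example, not the project's code).
// The access-control model is an assumption; the audited contract may differ.
abstract contract PeriodAdmin {
    address public owner;
    uint256 public periodFinish; // timestamp at which the current reward period ends
    uint256 public rewardRate;   // rewards distributed per second (assumed field, for context)

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
}

// Pattern described in the finding: periodFinish changes without a log entry.
// A monitoring service sees only a generic transaction to the contract and
// has to read storage after every block to notice that the period end moved.
contract PeriodAdminWithoutEvent is PeriodAdmin {
    function updatePeriodFinish(uint256 timestamp) external onlyOwner {
        periodFinish = timestamp;
    }
}

// Remediated pattern: the update emits an event carrying the previous value,
// the new value and the account that made the change. Indexed parameters let
// an off-chain subscriber filter logs by topic without decoding every entry.
contract PeriodAdminWithEvent is PeriodAdmin {
    event PeriodFinishUpdated(
        uint256 indexed oldPeriodFinish,
        uint256 indexed newPeriodFinish,
        address indexed updatedBy
    );

    function updatePeriodFinish(uint256 timestamp) external onlyOwner {
        uint256 previous = periodFinish;
        periodFinish = timestamp;
        emit PeriodFinishUpdated(previous, timestamp, msg.sender);
    }
}
```

Emitting both the old and the new value means a single log entry is enough to reconstruct the change history for an operation trail, and the `updatedBy` field lets an alert fire when the call comes from an account other than the expected one.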
Conclusion
Smart contracts within the scope were manually reviewed and analyzed with static analysis tools.
The audit report contains all found security vulnerabilities and other issues in the reviewed code.
As a result of the audit, security engineers found 1 low severity issue.
After the second review, security engineers found no issues.
Disclaimers
Hacken Disclaimer
The smart contracts given for audit have been analyzed in accordance with the best industry practices at the date of this report, in relation to cybersecurity vulnerabilities and issues in smart contract source code, the details of which are disclosed in this report (Source Code); the Source Code compilation, deployment, and functionality (performing the intended functions).
The audit makes no statements or warranties on the security of the code. It also cannot be considered as a sufficient assessment regarding the utility and safety of the code, bug-free status or any other statements of the contract. While we have done our best in conducting the analysis and producing this report, it is important to note that you should not rely on this report only — we recommend proceeding with several independent audits and a public bug bounty program to ensure the security of smart contracts.
Technical Disclaimer
Smart contracts are deployed and executed on the blockchain platform. The platform, its programming language, and other software related to the smart contract can have vulnerabilities that can lead to hacks. Thus, the audit can’t guarantee the explicit security of the audited smart contracts.