AppGithub
Search
K
Links

Halborn June 2022 - Voting Delegation Staking

Tokemak_Voting_Delegation_Staking_Smart_Contract_Security_Audit (2).pdf
5MB
PDF
Individual auditors personal emails have been redacted in the above pdf (pdf also embedded below summary)
Summary:
(HAL-01) DELEGATED TOKEN BALANCE CAN BE DOUBLED
  • Recommendation: It is recommended to clear the balance of unsupported tokens. The contract must not track the balance of the removed tokens.
  • Risk Level: Critical
  • Status: SOLVED - 19/07/2022
  • Additional Notes: The Tokemak team solved the issue by keeping track of whether a token has been removed and checking it when adding new tokens.
(HAL-02) WRONG EVENT SIGNATURE LEADS UNCHANGING OF BALANCE DURING SLASHING
  • Recommendation: It is suggested to change the event signature to Slash from Slashed for the Slashing event.
  • Risk Level: High
  • Status: SOLVED - 19/07/2022
  • Additional Notes: The Tokemak team solved the issue by replacing Slashed event with Slash.
(HAL-03) LACK OF ZERO ADDRESS CHECK
  • Recommendation: It is recommended to validate that each address input is non-zero.
  • Risk Level: Low
  • Status: SOLVED - 19/07/2022
  • Additional Notes: The Tokemak team solved the issue by adding sanity checks for zero addresses.
(HAL-04) PRAGMA VERSION
  • Recommendation: At the time of this audit, the current version is already at 0.8.14. When possible, use the most up-to-date and tested pragma versions to take advantage of new features that provide checks and accounting, as well as to avoid using unsafe code.
  • Risk Level: Low
  • Status: RISK ACCEPTED
  • Additional Notes: These will be upgrades to existing contracts. We have kept the pragma at its originally deployed version to ensure compatibility. Development of new contracts are at 0.8+
(HAL-05) EXPERIMENTAL KEYWORD USAGE
  • Recommendation: When possible, do not use experimental features in the final live deployment.
  • Risk Level: Informational
  • Status: ACKNOWLEDGED
  • Additional Notes: The Tokemak team acknowledges this finding.
(HAL-06) USE OF I++ INSTEAD OF ++I IN FOR LOOPS - GAS OPTIMIZATION
  • Recommendation: It is recommended to use ++i instead of i++ to increment the value of a uint variable within a loop. This also applies to variables declared inside the for loop, not just the iterator. On the other hand, this is not applicable outside of loops.
  • Risk Level: Informational
  • Status: SOLVED - 19/07/2022
  • Additional Notes: The Tokemak team solved the issue. The specified for loops above were optimized after replacing postfix increments with prefix increments.
(HAL-07) DEPRECATED VARIABLES SHOULD BE REMOVED
  • Recommendation: It is suggested to remove unused variables from code to increase readability and lower gas consumption.
  • Risk Level: Informational
  • Status: ACKNOWLEDGED
  • Additional Notes: This will be an upgrade to an existing contract. Variables have been kept to ensure compatibility.
(HAL-08) UNNECESSARY PARAMETER USAGE
  • Recommendation: It is recommended to set address(0) by default for to parameter on the DelegationDisabled data type.
  • Risk Level: Informational
  • Status: ACKNOWLEDGED
  • Additional Notes: The Tokemak team acknowledged this finding.
PDF Embed:
Previous
Halborn July 2022 - WebApp Pentest
Next
Halborn April 2022 - Reserve and Controllers
Last modified 9mo ago