Mokens League Audit – CoinFabrik Weblog

CoinFabrik was asked to audit the contracts for the Mokens League project. First, we present a summary of our discoveries and then the details of our findings.

Scope

The contracts audited are from the https://github.com/Mokens-League/mokens-league-tokens/ git repository. The audit is based on the commit b2e3a17f7f8c8d220fc135fc9a8364fdf07d51c.

The audited contracts are:

  • /contracts/Token.sol: MainERC777Token
  • /contracts/Forwarder.sol: ERC2771 minimal forwarder
  • /contracts/Policy.sol: Operator functionality
  • /contracts/TokenMintable.sol: Adds access control to the Token contract
  • /contracts/Mock/MockOperator.sol: Testing code
  • /contracts/IPolicy.sol: Policy interface

The scope of the audit is limited to these files. No other files in this repository were audited. Its dependencies are assumed to work according to their documentation. Also, no tests were reviewed for this audit.
Fixes and enhancements were checked in commit a70bda94e5918e1fff53d656c056d2db0b882401.

Analyses

Without being limited to them, the audit process included the following analyses:

  • Arithmetic errors
  • Outdated version of the Solidity compiler
  • Race conditions
  • Reentrancy attacks
  • Misuse of block timestamps
  • Denial of service attacks
  • Excessive gas usage
  • Missing or misused function qualifiers
  • Needlessly complex code and contract interactions
  • Poor or nonexistent error handling
  • Insufficient validation of the input parameters
  • Incorrect handling of cryptographic signatures
  • Centralization and upgradeability

We found 1 medium issue. We checked the fixes in commit a70bda94e5918e1fff53d656c056d2db0b882401. All issues were resolved.

Security Issues

These are the privileged roles that we identified in each of the audited contracts.

TokenMintable

MINTER_ROLE

This role is the only address allowed to mint tokens.

Token

Owner

The owner can change the address designated as the operator. It is a standard owner as defined in OpenZeppelin's Ownable contract.

Policy

Owner

The owner can change the address designated as the operator. It is a standard owner as defined in OpenZeppelin's Ownable contract.

Severity Classification

Security risks are classified as follows:

  • Critical: These are issues that we managed to exploit. They compromise the system seriously. They must be fixed immediately.
  • Medium: These are potentially exploitable issues. Even though we did not manage to exploit them or their impact is not clear, they might represent a security risk in the near future. We suggest fixing them as soon as possible.
  • Minor: These issues represent problems that are relatively small or difficult to take advantage of but can be exploited in combination with other issues. These kinds of issues do not block deployments in production environments. They should be taken into account and be fixed when possible.

Issue Status

An issue detected by this audit can have four distinct statuses:

  • Unresolved: The issue has not been resolved.
  • Acknowledged: The issue remains in the code but is a result of an intentional decision.
  • Resolved: Adjusted program implementation to eliminate the risk.
  • Partially resolved: Adjusted program implementation to eliminate part of the risk. The other part remains in the code but is a result of an intentional decision.
  • Mitigated: Implemented actions to minimize the impact or probability of the risk.

Critical Severity Issues

No issues were found.

Medium Severity Issues

ME-01 Outdated Version of the Solidity Compiler

All contracts require the Solidity compiler major version to be 0.8:

pragma solidity ^0.8.0;

However, this still allows older compiler versions with important bugs. In particular, it allows Solidity <0.8.3, which contains an ABI decoder bug (see https://blog.soliditylang.org/2021/04/21/decoding-from-memory-bug/).

Since the contracts use the abi.encode() function in several places (Forwarder.sol:35,49), the severity of this issue was upgraded to medium.

Recommendation

Specify the latest version of the Solidity compiler (0.8.12 at the time of this report).

Status

Resolved. In commit a70bda94e5918e1fff53d656c056d2db0b882401, the Solidity compiler version was updated to the recommended version.
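The weak and the corrected pragma side by side, as an added illustration that is not code from the Mokens League repository; the contract body and the bound `pinnedOk` check are constructed placeholders only to show that the fix is a one-line compiler constraint:

```solidity
// SPDX-License-Identifier: MIT
// Added example, not part of the audited repository.

// BEFORE (what the audit flagged): a caret range accepts any 0.8.x release,
// i.e. ">=0.8.0 <0.9.0", so a build machine with solc 0.8.0, 0.8.1 or 0.8.2
// compiles this file with the ABI decoder bug fixed only in 0.8.3.
//
//     pragma solidity ^0.8.0;

// AFTER (the recommended fix): pin the exact version that was tested, so the
// toolchain refuses to compile with anything older (or newer) than 0.8.12.
pragma solidity 0.8.12;

// Placeholder contract (constructed) that does the kind of thing the report
// mentions: abi.encode() of a struct followed by abi.decode(). Whether the
// decoder is correct depends only on the compiler version admitted by the
// pragma above, not on this code.
contract PinnedPragmaExample {
    struct Payload {
        address sender;
        bytes data;
    }

    // Round-trips a payload through ABI encoding and returns the decoded sender.
    function roundTrip(address sender, bytes calldata data)
        external
        pure
        returns (address)
    {
        bytes memory encoded = abi.encode(Payload(sender, data));
        Payload memory decoded = abi.decode(encoded, (Payload));
        return decoded.sender;
    }
}
```

An alternative that keeps some flexibility is a floor above the bug, e.g. `pragma solidity >=0.8.3 <0.9.0;`, but a pinned version is the stricter choice and the one the project adopted.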

Minor Severity Issues

No issues were found.

No enhancements were found.

The initial token supply is transferred to the contract owner. The Token contract adds the "Core contracts" Operator functionality to ERC777; such operators have no limitations to transfer tokens from/to any account.

  • 2022-03-04 – Initial report based on commit b2e3a17f7f8c8d220fc135fc9a8364fdf07d51c.
  • 2022-03-14 – Fixes checked on commit a70bda94e5918e1fff53d656c056d2db0b882401.

Disclaimer: This audit report is not a security warranty, investment advice, or an approval of the Mokens League project, since CoinFabrik has not reviewed its platform. Moreover, it does not provide a smart contract code faultlessness guarantee.
