GEMS P2E
Smart Contract Audit Report
Audit Summary
GEMS is building a new platform where users can enter tournaments to win tokens or ETH.
For this audit, we reviewed the project team's P2E contract at commit a139e73164d8cd213d8fba420cfedca862b902bb on the team's private Git repository.
Audit Findings
All findings have been resolved, though some centralized aspects are present.
Date: January 27th, 2023.
Updated: January 30th, 2023 to reflect updates made to the contract by the project team that resolve all Findings.Finding #1 - P2E - High (Resolved)
Description: The createTournament() function enables the tournament creator to specify any token address as the currency for the entry fee, including fee-on-transfer tokens. However, the platform does not have fee-on-transfer support.
Risk/Impact: If a fee-on-transfer token is added as a fee currency and a user calls the lockFunds() function, thetournament.totalFundCollectedvalue will be greater than the contract's token balance. If another tournament has not used this currency, the withdrawalAllTournamentFunds() function will not successfully execute as the function will be attempting to transfer more tokens than the contract's balance. In the case of multiple tournaments using the same fee currency, the tournament will be using funds from another tournament.
Recommendation: The team should implement fee-on-transfer support in the lockFunds() and transferWinningFunds() functions by recording the contract's original token balance before initiating a transfer. After the transfer occurs, all relevant values should be adjusted based on the difference between the contract's new balance and the originally recorded balance. Alternatively, the team could restrict users to using only pre-approved, non-fee-on-transfer tokens as the fee currency.
Resolution: The team has restricted users to only adding pre-approved tokens as the fee currency. The team must exercise caution to not add a fee-on-transfer token as an approved fee currency.
Finding #2 - P2E - Informational (Resolved)
Description: The following if-statement in the transferWinningFunds() function is redundant as the function previously requires thattournament.endedis false.
Recommendation: The above if-statement can be removed and the function can always execute thefunction transferWinningFunds( ... require(tournament.ended == false, "Tournament has already ended"); ... if (!tournament.ended) { tournament.ended = true; } ... }tournament.ended = true;logic for additional gas savings on each call.
Resolution: The team has implemented the above recommendation.
Finding #3 - P2E - Informational (Resolved)
Description: The withdrawalAllTournamentFunds() function is incorrectly declared payable as it should not require any ETH to be provided by the caller.
Recommendation: The payable modifier should be removed from the withdrawalAllTournamentFunds() function to prevent any accidental transfer of ETH from the caller to the contract.
Resolution: The team has removed the payable modifier from the withdrawalAllTournamentFunds() function.
Finding #4 - P2E - Informational (Resolved)
Description: Although the P2E contract inherits the Ownable contract, no owner-restricted functions are present.
Recommendation: The Ownable contract could be removed to reduce contract size and deployment costs.
Resolution: The team has added the allowNonNativeToken() function to the contract which uses theonlyOwnermodifier.
Contract Overview
- Anyone can use this contract to create a new Tournament at any time. The creator will specify an entry fee, reentry fee, and price pool value.
- The creator will also specify whether the entry/reentry fee is charged in ETH or a pre-approved token address set by the owner.
- The owner must exercise caution to not add a fee-on-transfer token as an approved fee currency. If a fee-on-transfer token is added, this contract must be excluded from the token contract's fee mechanism.
- Each Tournament will be assigned a unique ID number upon creation.
- Any user can enter an active Tournament by providing either ETH or the specified fee token to cover the cost of the tournament's fee.
- The entry fee for the tournament is charged when it's the user's first time entering a specific Tournament. The reentry fee is charged on all subsequent entries by the user.
- The user must grant the contract a sufficient allowance if the fee is charged in the specified fee token in order for the transaction to successfully occur.
- The Tournament creator can transfer winning funds for an active Tournament by specifying the winner's address and the winning amount.
- The winner's address and winning amount are determined by the creator and therefore our team cannot provide an assessment with regard to security.
- The winning amount must not exceed the total number of ETH or tokens collected through entry fees from all users for the Tournament.
- The winning amount is transferred from the contract to the winner's wallet address, and the tournament is concluded.
- The Tournament creator can withdraw all of the remaining ETH or fee tokens from the contract after their tournament has concluded.
- The owner can add any addresses to the approved fee currency list at any time.
- As the contract is implemented with Solidity v0.8.x, it is protected from overflows/underflows.
Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Jump/Storage Write | N/A | PASS |
| Centralization of Control | The winner's address and winning amount for each tournament is determined by the tournament creator. | WARNING |
| Compiler Issues | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Ether/Token Theft | N/A | PASS |
| Flash Loans | N/A | PASS |
| Front Running | N/A | PASS |
| Improper Events | N/A | PASS |
| Improper Authorization Scheme | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Oracle Issues | N/A | PASS |
| Outdated Compiler Version | N/A | PASS |
| Race Conditions | N/A | PASS |
| Reentrancy | N/A | PASS |
| Signature Issues | N/A | PASS |
| Sybil Attack | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unused Code | N/A | PASS |
| Overall Contract Safety | PASS |
Inheritance Chart
Function Graph
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ Context
- [Int] _msgSender
- [Int] _msgData
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Int] _checkOwner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Int] _transferOwnership #
+ ReentrancyGuard
- [Pub] #
- [Prv] _nonReentrantBefore #
- [Prv] _nonReentrantAfter #
- [Int] _reentrancyGuardEntered
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ P2E (Ownable, ReentrancyGuard)
- [Pub] allowNonNativeToken #
- modifiers: onlyOwner
- [Pub] createTournament #
- modifiers: nonReentrant
- [Pub] lockFunds ($)
- modifiers: nonReentrant
- [Pub] transferWinningFunds #
- [Pub] checkIfTokenAllowed
- [Pub] getFundsLocked
- [Pub] getTournament
- [Pub] withdrawalAllTournamentFunds #
- modifiers: nonReentrant
About SourceHat
SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!
Contact us today to get a free quote for a smart contract audit of your project!
What is a SourceHat Audit?
Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.
How Do I Interpret the Findings?
Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:
- High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
- Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
- Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
- Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.