JonesDAO GLP-USDC Vaults
Smart Contract Audit Report
Audit Summary
JonesDAO is creating a new platform on the Arbitrum network that enables users to stake GLP and Stable tokens into Vaults to earn rewards that can be optionally compounded.
For this audit, we reviewed the JonesDAO GLP Vault contracts at commit 13ec06a86e564947c0d526c501149aae20ec359a on the team's private GitHub repository.
We previously reviewed the JonesDAO GLP Vault V2 contracts here.
Audit Findings
All findings have been resolved, though centralized aspects are present.
Date: January 25th, 2023.
Updated: January 26th, 2023 to reflect changes from commit 319e65fd81c3d0d7839bfacec2ed2868ce662d26 to commit 13ec06a86e564947c0d526c501149aae20ec359a.Finding #1 - JonesGlpCompoundRewards - High (Resolved)
Description: The virtualToAssets() function incorrectly calculates the amount of Vault Shares the user has deposited based on an amount of total assets the user is redeeming. This may lead to an arithmetic underflow when deducting from the receiver's virtual balance or the function may return an amount that is less than expected.
Risk/Impact: Calls to redeem() in the JonesGlpCompoundRewards contract or unCompoundStableRewards() in the JonesGlpVaultRouter contract may revert if an underflow is met, or proceed with incorrect values.function virtualToAssets(uint256 assets) public view returns (uint256) { return assets.mulDiv(totalAssets, virtualTotalAssets, Math.Rounding.Down); }
Recommendation: The virtualToAssets() function should be modified to determine the amount of assets to deduct from the user's virtual balance based on the percentage of the value that the user's current virtual balance represents in relation to the total value of all the user's shares.
Resolution: The team has implemented the above recommendation.function virtualToAssets(address recipient, uint256 assets) public view returns (uint256) { uint256 valueOfAllShares = _convertToAssets(balanceOf(recipient), Math.Rounding.Down); return assets.mulDiv(virtualBalance[recipient], valueOfAllShares, Math.Rounding.Down); }
Finding #2 - JonesGlpLeverageStrategy - High (Resolved)
Description: The residualStable variable does not accurately track the contract's Stable token balance. When calculating the difference needed to borrow from the Stable Vault for a swap, the contract borrows less Stable tokens than it needs to in order to facilitate the swap, causing the transaction to fail.
Risk/Impact: Major functionality of the platform will fail, including deposits and withdrawals through the Vault Router unless Stable tokens are transferred to the Strategy contract to correct for the balance discrepancy between the residualStable variable and the contract's Stable token balance.
Recommendation: The team should use the contract's current Stable balance to calculate the required amount to be borrowed from the Stable Vault.
Resolution: The team has implemented the above recommendation.
Finding #3 - JonesGlpLeverageStrategy - High (Resolved)
Description: In the getUnderlyingGlp() function, the following lines calculating the contract's underlying GLP can result in an underflow if the GLP amount needed to repay the contract's Stable debt is greater than the contract's GLP balance. If the GLP price significantly falls after Stable tokens are leveraged, the GLP needed to pay back the contracts Stable debt could increase to an amount that is larger than the contract's GLP balance.
Risk/Impact: As this function is called frequently across the contract, core functionality of the Vault Router and this contract will fail if this scenario occurs, disabling the platform from further use unless the GLP price rises to a point where the contract's GLP balance is sufficient to pay back the Stable debt.if (stableDebt > 0) { (uint256 glpAmount,) = _getRequiredGlpAmount(stableDebt + 2); return currentBalance - glpAmount; }
Recommendation: The getUnderlyingGlp() function should return an underlying GLP amount of 0 if the contract's GLP balance is less than the required amount needed to pay back its Stable token debt.
Resolution: The team has implemented the above recommendation.
Finding #4 - JonesGlpCompoundRewards - High (Resolved)
Description: If a user transfers their Stable Compounder shares to another user, their associated GlpJonesRewards shares are not transferred as well. As a result, the receiver will not be able to redeem their Stable shares through the Vault Router contract as the Vault Router will attempt to withdraw their associated shares from the GlpJonesRewards contract, which they do not have.
Risk/Impact: Users will not be permitted to use transferred Stable Compounder shares redeem Stable tokens.
Recommendation: The sender and receiver's GlpJonesRewards staked balances should be adjusted whenever Stable Compounder shares are transferred.
Resolution: The team has implemented the above recommendation.
Finding #5 - JonesGlpVaultRouter & GlpAdapter - Informational (Resolved)
Description: A jGLPViewer contract is defined in both of these contracts, but never used. The GlpAdapter contract also contains a setter to update the jGLPViewer.
Recommendation: This variable can be removed from both of these contracts, along with the setter in the GlpAdapter contract.
Resolution: The team has implemented the above recommendation.
Contracts Overview
JonesGlpVault Contract:
- As the GmxRewardRouter, GMXVault, GlpManager, and Price Oracle contracts used for reward accrual and pricing are not included in the scope of this audit, we are unable to provide an assessment with regard to security or functionality.
- As the contracts are implemented with Solidity v0.8.0, they are safe from any possible overflows/underflows.
JonesGlpStableVault Contract:
- This contract implements ERC-4626 functionality to allow users to deposit GLP in exchange for shares.
- When GLP is deposited, the depositor is minted shares to represent their share of the total GLP of the Vault.
- When withdrawing, shares are redeemed for their GLP value.
- Only Operators can deposit and withdraw from the Vault.
- The Operator is intended to be set as the JonesGlpVaultRouter, which is used to facilitate all interactions with the Vault.
- An Operator can burn any amount of shares from any user at any time.
- The Governor can transfer the Governor Role to any address at any time.
- The Governor can grant or revoke the Operator Role and Borrower Role from any address at any time.
- A Borrower can execute a "borrow" at any time, which withdraws any specified amount of the Vault's assets at any time.
- A Borrower can execute a "repayment" at any time, which deposits their assets back into the Vault.
- The Borrower Role is intended to be granted to the JonesGlpLeverageStrategy leverage contract.
- The Governor can pause borrowing functionality at any time.
- The Governor can update the Price Oracle used to calculate the USD value of the Vault at any time.
- The Governor can update the associated Strategy address at any time.
JonesGlpVaultRouter Contract:
- This contract contains similar functionality to the JonesGlpVault contract, implementing ERC-4626 functionality to allow users to deposit Stable tokens in exchange for shares.
- When Stable tokens are deposited, the depositor is minted shares to represent their share of the total Stable tokens of the Vault.
- When withdrawing, shares are redeemed for their Stable token value.
- Only Operators can deposit and withdraw from the Vault.
- The Operator is intended to be set as the JonesGlpVaultRouter, which is used to facilitate all interactions with the Vault.
- An Operator can burn any amount of shares from any user at any time.
- The Governor can transfer the Governor Role to any address at any time.
- The Governor can grant or revoke the Operator Role and Borrower Role from any address at any time.
- A Borrower can execute a "borrow" at any time, which withdraws any specified amount of the Vault's assets at any time.
- A Borrower can execute a "repayment" at any time, which deposits their assets back into the Vault.
- The Borrower Role is intended to be granted to the JonesGlpLeverageStrategy leverage contract.
- The Governor can pause borrowing functionality at any time.
- The Governor can update the Price Oracle used to calculate the USD value of the Vault at any time.
- The Governor can update the associated Strategy address at any time.
- An emergency withdrawal function exists, allowing the Governor to withdraw all Stable tokens from the contract at any time.
JonesGlpLeverageStrategy Contract:
- This contract allows users to deposit and redeem GLP and Stable tokens from their respective Vaults.
- Functionality from the associated JonesGlpLeverageStrategy contract is triggered upon various interactions with this contract.
- When a user deposits GLP, it is transferred to the associated JonesGlpVault contract.
- If the user chooses to compound, the resulting shares are deposited into the associated GLP JonesGlpCompoundRewards contract on behalf of the user.
- If the user chooses not to compound, the resulting shares from the vault are instead staked into the GLP JonesGlpRewardTracker on behalf of the user.
- GLP cannot be deposited if it results in the USD value of the JonesGlpLeverageStrategy contract's total underlying GLP exceeding its maximum allowed USD value.
- This limitation can be bypassed if the caller's Role, fetched from the associated Whitelistcontroller contract, has permission to exceed this cap.
- The Strategy's underlying GLP balance is defined as its GLP balance that is unreserved for Stable token debt.
- The maximum allowed USD value is calculated as a percentage of the sum of the Stable Vault's balance and debt.
- The Governor can update this percentage to any amount at any time.
- Contracts cannot deposit GLP or Stable tokens unless they have been whitelisted by the associated WhiteListController contract.
- When redeeming GLP, a user's staked shares are withdrawn from the GLP Reward Tracker or Glp Compound Rewards contract and subsequently burned.
- The GLP value of these shares is then withdrawn from the Strategy contract to this contract after a fee is taken by the Strategy.
- A fee is then taken from the withdrawn amount. The fee amount is redeemed through the GmxRewardRouter contract for WETH.
- Two-thirds of the fee is transferred to the IncentiveReceiver address and one-third is deposited into the GLP Reward Tracker.
- As the IncentiveReceiver contract was not included in the scope of this audit, we are unable to provide an assessment with regard to its security or functionality.
- The remaining GLP after fees is transferred to the user.
- Users will not be able to withdraw if the amount is greater than the Strategy contract's underlying GLP balance.
- When depositing Stable tokens, the amount is transferred into the associated JonesGlpStableVault contract.
- If the user chooses to compound, the resulting shares are deposited into the associated Stable JonesGlpCompoundRewards contract on behalf of the user.
- If they choose not to compound, the shares are then staked into the Stable JonesGlpRewardTracker on behalf of the user and they are marked as staked in the GlpJonesRewards contract.
- In order to withdraw Stable tokens, non-exempt users must first submit a withdrawal request.
- This withdraws the user's shares from the Stable Reward Tracker or Reward Compounder contract and stores them in this contract.
- The user must then wait for the "exit cooldown" to pass until they can redeem their shares.
- The exit cooldown is defined as a certain number of "epochs", or days.
- A user can only submit one withdrawal request per epoch.
- The Stable value of redeemed shares is determined at the time of redemption.
- If the Stable Vault does not have a large enough balance to allow a redemption, the difference is redeemed using the associated Strategy contract.
- Users must pay a "GMX fee" on this difference, which is determined by the Strategy contract.
- In addition to any GMX fees paid, a Stable withdrawal fee is taken from the user's total withdrawal amount and deposited as rewards into the Stable JonesGlpRewardTracker contract.
- This fee is calculated as the difference between the Stable fee assigned to the user's Role and the GMX fee, or 0 if the GMX fee is larger.
- A user can cancel a withdrawal request as long as the request has not been redeemed.
- Roles with bypass permissions can execute Stable withdrawals instantly without having to submit a request.
- Bypassing users are still subject to the same fees.
- A user can claim any rewards earned from the Strategy contract, GlpJonesRewards contract, and both the Stable and GLP JonesGlpRewardTracker contracts at any time.
- A user can also choose to compound their rewards earned from Stable and GLP deposits at any time if they did not choose to compound at the time of depositing.
- When compounding, the user's specified number of shares is withdrawn from the Stable or GLP Reward Tracker contract.
- Any accrued rewards are claimed and deposited into the appropriate Vault in exchange for shares. If compounding GLP, rewards are first swapped from WETH to GLP using the GmxRewardRouter contract before being deposited.
- These shares are then combined and deposited into the appropriate Rewards Compounder contract.
- Users can "uncompound" their shares at any time without redemption if desired.
- This redeems the user's shares from the Rewards Compounder contract and stakes them into the appropriate Reward Tracker contract on their behalf.
- When uncompounding Stable rewards, the user's accrued rewards are added to their tracked staked amount in the GlpJonesRewards contract.
- The Governor can transfer the Governor Role to any address at any time.
- The Governor can grant or revoke the Keeper Role from any address at any time.
- The Governor can pause or emergency pause the contract at any time.
- While paused, users cannot deposit GLP or Stable assets.
- While emergency paused, users cannot redeem GLP shares, redeem Stable token shares, or submit Stable token withdrawal requests.
- The Governor can update the exit cooldown to any number of epochs at any time.
- The Governor can update the GlpJonesRewards, JonesGlpLeverageStrategy, IncentiveReceiver, and GlpAdapter addresses at any time.
- The Governor can update the GLP and Stable token addresses at any time.
- The Governor can update the GLP and Stable JonesGlpVault, JonesGlpRewardTracker, and JonesGlpCompoundRewards addresses at any time.
WhiteListController Contract:
- This contract is used to accrue rewards on funds deposited into the platform's Stable and Glp vaults.
- This is done by staking vault funds into the GmxRewardRouter contract; as this contract was not included in the scope of the audit, we are unable to provide an assessment with regard to security or functionality.
- Whenever GLP is deposited using the JonesGlpVaultRouter contract, the funds are taken from the vault and used for "rebalancing".
- Rebalancing functionality is determined by the current "leverage", which is the ratio of the contract's GLP balance to its underlying GLP.
- If the current leverage is under the minimum threshold, meaning there is a high GLP balance compared to current Stable debt, the contract leverages up by borrowing Stable tokens from its Vault and staking it into the GmxRewardRouter.
- If the current leverage is greater than the maximum threshold, the contract deleverages by unstaking Stable tokens from the GmxRewardRouter and returning the resulting Stable tokens to its Vault.
- The amount to borrow or repay is determined by the required amount to reach the contract's "target leverage".
- If the current leverage is already within the accepted bounds, Stable tokens are borrowed from the Stable Vault and swapped for GLP using the GmxRewardRouter contract. The amount borrowed is dependent on the deposit amount and the target leverage.
- A fee is taken from GLP redemptions in order to fund GMXVault fees on swaps.
- When redeeming, the contract will deleverage a portion of its GLP if it is overleveraged. The amount deleveraged is dependent on the current excess GLP of the contract and the desired leverage.
- A rebalance then occurs if the contract has any underlying GLP.
- A redemption will fail if the contract does not have a sufficient underlying GLP balance to supply the redemption amount.
- When rewards are claimed, this contract claims its rewards from the GmxRewardRouter contract and distributes them using the JonesGlpRewardDistributor and JonesGlpRewardsSplitter contracts.
- If any Stable token swap for GLP results in the GMXVault exceeding its Stable token limit, the maximum permitted amount is swapped instead.
- Only an Operator can trigger Strategy functionality that is intended to be executed on deposits, withdrawals, and claims.
- Only the JonesGlpVaultRouter contract is intended to be set as an Operator.
- The Governor can transfer the Governor Role to any address at any time
- The Governor can grant or revoke the Keeper Role from any address at any time.
- The Governor can grant or revoke the Operator Role from any address at any time.
- The Keeper Role can execute a rebalance at any time.
- The Keeper Role can leverage up or down at any time as long as the resulting leverage does not exceed the maximum or minimum permitted leverages, respectively.
- This borrows Stable tokens from the Stable Vault and swaps them for GLP using the GmxRewardRouter contract.
- The Governor can liquidate at any time, which redeems this contract's GLP for Stable tokens through the GmxRewardRouter contract and uses it to repay its Stable debt.
- The Governor can transfer the Governor Role to any address at any time.
- The Governor can grant or revoke the Keeper and Operator Roles from any address at any time.
- The Governor can withdraw the contract's GLP balance to any address at any time.
- The Governor can transfer the contract's staked balances in the GmxRewardRouter to any address, or accept a transfer from another address at any time.
- The Governor can update the minimum, maximum, and target leverages at any time.
GlpAdapter Contract:
- This contract is used to manage user and contract permissions in the JonesGlpVaultRouter contract.
- The owner can create a new Role with custom permissions at any time.
- These permissions consist of GLP cap bypassing, instant Stable redemptions, and custom Stable and GLP redemption fees.
- The owner can grant or revoke any Role from any address at any time.
- The owner can add or remove any address from the Users Whitelist at any time.
- The owner can add or remove any address from the Contracts Whitelist at any time.
- The owner can update the Default Role at any time.
GlpJonesRewards Contract:
- This contract allows users and supported contracts to swap supported tokens or ETH for GLP which is deposited into the JonesGlpVaultRouter contract.
- Only externally owned addresses (EOAs) and contracts on the whitelist in the WhitelistController contract may deposit using the contract.
- When the "hatlist" is enabled, addresses must also be on the hatlist to deposit.
- The contract uses an off-chain generated Merkle tree provided by the Governor to store and verify addresses that are on the hatlist.
- When depositing, the specified token or ETH amount is transferred to this contract and staked into the GmxRewardRouter contract in exchange for GLP.
- The resulting GLP is then staked into the JonesGlpVaultRouter contract on behalf of the user.
- The user can also specify whether they would like to enable compounding for their deposit.
- Users can also use this contract to deposit GLP directly into the JonesGlpVaultRouter contract.
- Users can use this contract to deposit USDC as a Stable token into the JonesGlpVaultRouter contract.
- If the "flexible cap" is enabled users may only deposit into the associated Strategy contract up to the "usdc cap".
- The usdc cap is a percentage of the product of the Strategy's target leverage and the "flexible total cap" value.
- Users can use this contract to redeem a specified amount of shares through the JonesGlpVaultRouter contract.
- The Governor can update the GmxRewardRouter, JonesGlpVaultRouter, and jGLPViewer addresses at any time.
- The Governor can add or remove any token from the supported token list at any time.
- The Governor can grant or revoke the Operator role from any address at any time.
- The Governor can update the Merkle tree root at any time.
- The Governor can toggle whether the contract is using the hatlist at any time.
- The Governor can toggle whether the contract is using the flexible cap and the flexible cap value at any time.
JonesGlpRewardTracker Contract:
- This contract is used to distribute collected reward tokens over time to users who have staked Stable tokens.
- When the contract receives reward tokens for distribution, they are distributed over a period defined by the Governor.
- If reward distribution is already occurring, the existing rewards left to be distributed are added to the newly received amount and the new total is distributed over the defined period.
- Vault shares earned from the Stable Compounder contract do not automatically increase a user's staked amount in this contract.
- The Governor can update the period over which received rewards are distributed at any time.
- The Governor can transfer the Governor Role to any address at any time.
- The Governor can grant or revoke the Operator Role from any address at any time.
JonesGlpRewardDistributor Contract:
- This contract is used by the JonesGlpVaultRouter to stake GLP and Stable Vault share tokens for rewards.
- Only the Operator contract can stake, withdraw, claim, and deposit rewards. The Operator is intended to be set to the JonesGlpVaultRouter contract.
- Fees taken from Stable and GLP redemptions are transferred to this contract to be distributed for rewards.
- The GLP JonesGlpRewardTracker contract's rewards are accrued in the form of WETH, and the Stable JonesGlpRewardTracker contract's rewards are accrued in the form of Stable tokens.
- The Operator or Keeper can call the updateRewards() function to manually update the contract's rewards.
- The Governor can transfer the Governor Role to any address at any time.
- The Governor can grant or revoke the Operator Role from any address at any time.
- The Governor can update the associated JonesGlpRewardDistributor and JonesGlpRewardsSwapper addresses at any time.
- The Governor address can set the Incentive Receiver address, which receives rewards if no users are staked, to any address at any time.
JonesGlpRewardsSplitter Contract:
- This contract is used to distribute received WETH rewards earned from the GmxRewardRouter contract to various destinations.
- Upon receiving rewards, the portions to be distributed to the IncentiveReceiver, Stable JonesGlpRewardTracker, and GLP JonesGlpRewardTracker contracts are calculated by the associated JonesGlpRewardsSplitter contract.
- IncentiveReceiver rewards are immediately deposited to the IncentiveReceiver address; the JonesGlpRewardTracker rewards are stored in the contract until they are collected by the JonesGlpRewardTracker contracts.
- The Governor can transfer the Governor Role to any address at any time.
- The Governor can grant or revoke the Operator Role from any address at any time.
- The Governor can update the associated Splitter contract at any time.
- The Governor can update the IncentiveReceiver, StableTracker, and GlpTracker addresses at any time.
JonesGlpRewardsSwapper Contract:
- This contract is used to calculate the distribution of rewards between the IncentiveReceiver, Stable JonesGlpRewardTracker, and GLP JonesGlpRewardTracker contracts.
- The amount distributed to each Reward Tracker contract is determined by the platform's current leverage, utilization, and calculated reward amount for the IncentiveReceiver.
- The IncentiveReceiver's reward amount is determined by the "Jones rewards percentage" of the remaining rewards after the GLP Reward Tracker's reward amount has been calculated.
- The Governor can update the Jones rewards percentage to any value at any time.
JonesGlpCompoundRewards Contract:
- This contract is used by the Stable JonesGlpRewardTracker contract to swap WETH rewards for Stable tokens.
- When swapped, WETH is transferred from the Tracker to this contract, swapped for Stable tokens, and returned to the Tracker contract.
- A Chainlink Oracle is used to ensure that the expected number of tokens is received by the contract when a swap is made.
- Only an Operator can initiate a swap.
- The Governor can update the accepted slippage amount to any value between 0.1% and 2% at any time.
- The Governor can grant or revoke the Operator role from any address at any time.
- This contract is used to compound rewards earned from either GLP or Stable deposits to their respective Vaults.
- Two instances of this contract are intended to exist: one for GLP compounding, and one for Stable compounding.
- Only an Operator, intended to be the JonesGlpVaultRouter contract, can deposit and redeem.
- When a deposit is made on behalf of a user, staking tokens are transferred to this contract and staked into the associated JonesGlpRewardTracker contract to earn rewards for this contract.
- The user is then minted shares to represent their share of the total deposited staking tokens.
- When a redemption is made for a user, their shares are burned, but their staking tokens are not transferred.
- Instead, the staking tokens are withdrawn from the JonesGlpRewardTracker contract and redeposited on behalf of the user.
- When compounder shares are transferred, the sender and recipient's GlpJonesRewards staked balances are proportionally updated.
- An Operator or Keeper can compound rewards at any time.
- This uses the JonesGlpVaultRouter to claim all Stable rewards or WETH rewards, depending on if this contract is used as the Stable Compounder or the GLP Compounder.
- If the contract is used for GLP compounding, a GLP fee is taken from the earned WETH rewards and deposited into the IncentiveReceiver address.
- The remainder is staked into the GmxRewardRouter in exchange for GLP.
- This GLP is then deposited through the JonesGlpVaultRouter contract, which will stake the resulting GLP Vault shares to increase this contract's total staked amount.
- Stable rewards are simply deposited into the JonesGlpVaultRouter for the same effect.
- Rewards are automatically compounded by the Vault Router contract before it makes a deposit or withdrawal from this contract.
- The Governor can withdraw any GLP or Stable staked by this contract, or any other token, at any time. This contract does not have to submit a Stable token withdrawal request and can instead redeem instantly.
- The Governor can update the staking token, JonesGlpVaultRouter, IncentiveReceiver, JonesGlpRewardTracker, and GmxRewardRouter at any time.
- The Governor can grant or revoke the Keeper and Operator Roles from any address at any time.
Audit Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Jump/Storage Write | N/A | PASS |
Centralization of Control |
|
WARNING |
Compiler Issues | N/A | PASS |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | PASS |
Ether/Token Theft | N/A | PASS |
Flash Loans | N/A | PASS |
Front Running | PASS | |
Improper Events | N/A | PASS |
Improper Authorization Scheme | N/A | PASS |
Integer Over/Underflow | N/A | PASS |
Logical Issues | N/A | PASS |
Oracle Issues | N/A | PASS |
Outdated Compiler Version | N/A | PASS |
Race Conditions | N/A | PASS |
Reentrancy | N/A | PASS |
Signature Issues | N/A | PASS |
Sybil Attack | N/A | PASS |
Unbounded Loops | N/A | PASS |
Unused Code | N/A | PASS |
Overall Contract Safety | PASS |
Contract Source Summary and Visualizations
Name |
Address/Source Code |
Visualized |
JonesGlpVault |
||
JonesGlpStableVault |
||
JonesGlpVaultRouter |
||
JonesGlpLeverageStrategy |
||
WhitelistController |
||
GlpAdapter |
||
GlpJonesRewards |
||
JonesGlpRewardDistributor |
||
JonesGlpRewardTracker |
||
JonesGlpRewardsSplitter |
||
JonesGlpRewardsSwapper |
||
JonesGlpCompoundRewards |
About SourceHat
SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!
Contact us today to get a free quote for a smart contract audit of your project!
What is a SourceHat Audit?
Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.
How Do I Interpret the Findings?
Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:
- High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
- Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
- Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
- Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.