JonesDAO Vaults V2

Smart Contract Audit Report

Audit Summary

JonesDAO is creating a new platform on the Arbitrum network that enables users to stake GLP and Stable tokens into Vaults to earn rewards that can be optionally compounded.

For this audit, we reviewed the JonesDAO GLP Vault contracts at commit 319e65fd81c3d0d7839bfacec2ed2868ce662d26 on the team's private GitHub repository.

We previously reviewed the JonesDAO GLP Vault contracts here. The latest audit report for the JonesDAO GLP Vault contracts can be viewed here.

Audit Findings

All findings have been resolved, though centralized aspects are present.
Date: January 18th, 2023.
Updated: January 25th, 2023 to reflect changes from commit 48e299c6b865fd802b7aca0c0e11ff87b0a144d7 to commit 319e65fd81c3d0d7839bfacec2ed2868ce662d26.

Finding #1 - JonesGlpRewardTracker - High (Resolved)

Description: In the depositRewards() function, the rewards per share is incorrectly incremented by the transferred reward amount. This will increase user rewards by more than they are due as each share will increase in value by the total amount deposited.
Risk/Impact: The first user to claim after a reward deposit will receive a much larger amount than they are due, resulting in a loss of rewards for other users.
Recommendation: The line updating the cumulativeRewardPerShare variable should be updated to the following:
_cumulativeRewardPerShare = _cumulativeRewardPerShare + ((rewards * PRECISION) / totalShares);
Resolution: The team has implemented the above recommendation.
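
The following is an added example, not code from the report or the JonesDAO repository: a minimal Python model of cumulative reward-per-share accounting that compares the recommended update with the behaviour Finding #1 describes, and checks the solvency invariant (total pending rewards never exceed rewards held). The buggy increment, the class and function names, the value of PRECISION, and the sample stakes are assumptions, since the report does not show the original line.

```python
PRECISION = 10**30  # assumed scale; the report names PRECISION but not its value


class RewardTracker:
    """Simplified model of a reward tracker; not the audited contract."""

    def __init__(self, buggy=False):
        self.buggy = buggy
        self.total_shares = 0
        self.reward_balance = 0   # reward tokens actually held
        self.cumulative_rps = 0   # _cumulativeRewardPerShare, scaled by PRECISION
        self.shares = {}
        self.checkpoint = {}      # cumulative_rps seen at each user's last settle
        self.accrued = {}

    def _owed_since_checkpoint(self, user):
        delta = self.cumulative_rps - self.checkpoint.get(user, 0)
        return self.shares.get(user, 0) * delta // PRECISION

    def _settle(self, user):
        self.accrued[user] = self.accrued.get(user, 0) + self._owed_since_checkpoint(user)
        self.checkpoint[user] = self.cumulative_rps

    def stake(self, user, amount):
        self._settle(user)        # new stakers start at the current index
        self.shares[user] = self.shares.get(user, 0) + amount
        self.total_shares += amount

    def deposit_rewards(self, rewards):
        if self.total_shares == 0:
            raise ValueError("no stakers: case not covered by this model")
        self.reward_balance += rewards
        if self.buggy:
            # Assumed form of the defect: every share is credited the full deposit.
            self.cumulative_rps += rewards * PRECISION
        else:
            # Recommended update from Finding #1.
            self.cumulative_rps += rewards * PRECISION // self.total_shares

    def pending(self, user):
        return self.accrued.get(user, 0) + self._owed_since_checkpoint(user)

    def claim(self, user):
        self._settle(user)
        owed = self.accrued[user]
        if owed > self.reward_balance:
            raise RuntimeError("insufficient rewards: token transfer would revert")
        self.accrued[user] = 0
        self.reward_balance -= owed
        return owed

    def liabilities(self):
        return sum(self.pending(u) for u in self.shares)


def is_solvent(tracker):
    """Invariant: rewards owed to stakers never exceed rewards held."""
    return tracker.liabilities() <= tracker.reward_balance


def two_deposits(buggy):
    """Constructed scenario: carol stakes between two reward deposits."""
    t = RewardTracker(buggy)
    t.stake("alice", 300)
    t.stake("bob", 100)
    t.deposit_rewards(1_000)
    t.stake("carol", 600)
    t.deposit_rewards(500)
    return t


def first_claim(buggy):
    """Constructed scenario: the holder of 1% of shares claims first."""
    t = RewardTracker(buggy)
    t.stake("alice", 1)
    t.stake("bob", 99)
    t.deposit_rewards(100)
    paid = t.claim("alice")
    return paid, t.reward_balance, t.pending("bob")


if __name__ == "__main__":
    for buggy in (False, True):
        t = two_deposits(buggy)
        print("buggy" if buggy else "fixed",
              "held:", t.reward_balance,
              "owed:", t.liabilities(),
              "solvent:", is_solvent(t),
              "first claim (paid, left, bob pending):", first_claim(buggy))
```

Running the invariant check after every deposit in a test suite catches this class of accounting error before any claim is made.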

Finding #2 - JonesGlpVaultRouter - High (Resolved)

Description: If a user deposits into a Vault using the GlpAdapter contract, their resulting vault shares are staked into the Reward Tracker or Reward Compounder contract on behalf of the GlpAdapter instead of the user.
Risk/Impact: Since the Vault Router contract attempts to withdraw a user's shares from one of the Reward contracts upon any redemption, users will not be able to redeem their deposited tokens as they will not have a staked balance in the Reward contract.
Recommendation: Deposits into the Reward Tracker and Compound Rewards contracts should be made on behalf of the user instead of the GlpAdapter contract.
Resolution: The team has implemented the above recommendation.

Finding #3 - JonesGlpCompoundRewards - High (Resolved)

Description: The _convertToShares() and _convertToAssets() functions use the asset's decimals instead of the vault token's decimals when calculating the conversion between the contract's shares and the vault tokens.
Risk/Impact: If the asset and vault token have different decimals, users' deposits and withdrawals from this contract and the GlpJonesRewards contract will be incorrect.
Recommendation: The team should use the vaultToken's decimals instead of the asset's decimals in the _convertToShares() and _convertToAssets() functions.
Resolution: The team has implemented the above recommendation.

Finding #4 - JonesGlpVaultRouter - Medium (Resolved)

Description: The setStableCompoundRewards() and setGlpCompoundRewards() functions update the stableCompoundRewards and glpCompoundRewards variables, but do not update the rewardCompounder mapping to the respective Compounder contract.
Risk/Impact: The Stable and GLP Compounders which Vault shares are deposited into and withdrawn from will not be updated, but the Stable Compounder used to calculate GlpJonesRewards redemptions will not be updated. This results in inconsistent reward calculations throughout the contract.
Recommendation: The rewardCompounder mapping should be updated for the specified token in the mentioned setter functions.
Resolution: The team has implemented the above recommendation.

Finding #5 - JonesGlpVaultRouter - Medium (Resolved)

Description: The setStableRewardTracker() and setGlpRewardTracker() functions update the stableCompoundRewards and glpCompoundRewards variables, but do not update the rewardTrackers mapping to the respective Reward Tracker contract.
Risk/Impact: This contract will use the previous Reward Tracker addresses for certain contract functionality after an update is made, breaking reward calculations and distributions.
Recommendation: The rewardTrackers mapping should be updated for the specified token in the mentioned setter functions.
Resolution: The team has implemented the above recommendation.

Finding #6 - JonesGlpCompoundRewards - Low (Resolved)

Description: The emergencyStableWithdraw() function attempts to redeem Stable tokens using the redeemStable() function, which requires a withdrawal request to have been made beforehand.
Risk/Impact: Emergency withdrawals will fail since this contract does not have the functionality to submit withdrawal requests. This will prevent the Governor from being permitted to redeem any Stable tokens.
Recommendation: The emergencyStableWithdraw() function should instead use the Vault Router's redeemStablesRole() function to instantly redeem Stable tokens.
Resolution: The emergencyStableWithdraw() function now instantly redeems Stable tokens.

Contracts Overview

  • As the GmxRewardRouter, GMXVault, GlpManager, and Price Oracle contracts used for reward accrual and pricing are not included in the scope of this audit, we are unable to provide an assessment with regards to their security or functionality.
  • As the contracts are implemented with Solidity v0.8.0, they are safe from any possible overflows/underflows.
JonesGlpVault Contract:
  • This contract implements ERC-4626 functionality to allow users to deposit GLP in exchange for shares.
  • When GLP is deposited, the depositor is minted shares to represent their share of the total GLP of the Vault.
  • When withdrawing, shares are redeemed for their GLP value.
  • Only Operators can deposit and withdraw from the Vault.
  • The Operator is intended to be set as the JonesGlpVaultRouter, which is used to facilitate all interactions with the Vault.
  • An Operator can burn any amount of shares from any user at any time.
  • The Governor can transfer the Governor Role to any address at any time.
  • The Governor can grant or revoke the Operator Role and Borrower Role from any address at any time.
  • A Borrower can execute a "borrow" at any time, which withdraws any specified amount of the Vault's assets.
  • A Borrower can execute a "repayment" at any time, which deposits their assets back into the Vault.
  • The Borrower Role is intended to be granted to the JonesGlpLeverageStrategy leverage contract.
  • The Governor can pause borrowing functionality at any time.
  • The Governor can update the Price Oracle used to calculate the USD value of the Vault at any time.
  • The Governor can update the associated Strategy address at any time.
JonesGlpStableVault Contract:
  • This contract contains similar functionality to the JonesGlpVault contract, implementing ERC-4626 functionality to allow users to deposit Stable tokens in exchange for shares.
  • When Stable tokens are deposited, the depositor is minted shares to represent their share of the total Stable tokens of the Vault.
  • When withdrawing, shares are redeemed for their Stable token value.
  • Only Operators can deposit and withdraw from the Vault.
  • The Operator is intended to be set as the JonesGlpVaultRouter, which is used to facilitate all interactions with the Vault.
  • An Operator can burn any amount of shares from any user at any time.
  • The Governor can transfer the Governor Role to any address at any time.
  • The Governor can grant or revoke the Operator Role and Borrower Role from any address at any time.
  • A Borrower can execute a "borrow" at any time, which withdraws any specified amount of the Vault's assets.
  • A Borrower can execute a "repayment" at any time, which deposits their assets back into the Vault.
  • The Borrower Role is intended to be granted to the JonesGlpLeverageStrategy leverage contract.
  • The Governor can pause borrowing functionality at any time.
  • The Governor can update the Price Oracle used to calculate the USD value of the Vault at any time.
  • The Governor can update the associated Strategy address at any time.
  • An emergency withdrawal function exists, allowing the Governor to withdraw all Stable tokens from the contract at any time.
JonesGlpVaultRouter Contract:
  • This contract allows users to deposit and redeem GLP and Stable tokens from their respective Vaults.
  • Functionality from the associated JonesGlpLeverageStrategy contract is triggered upon various interactions with this contract.
  • When a user deposits GLP, it is transferred to the associated JonesGlpVault contract.
  • If the user chooses to compound, the resulting shares are deposited into the associated GLP JonesGlpCompoundRewards contract on behalf of the user.
  • If the user chooses not to compound, the resulting shares from the vault are instead staked into the GLP JonesGlpRewardTracker on behalf of the user.
  • GLP cannot be deposited if it results in the USD value of the JonesGlpLeverageStrategy contract's total underlying GLP exceeding its maximum allowed USD value.
  • This limitation can be bypassed if the caller's Role, fetched from the associated WhiteListController contract, has permission to exceed this cap.
  • The Strategy's underlying GLP balance is defined as its GLP balance that is unreserved for Stable token debt.
  • The maximum allowed USD value is calculated as a percentage of the sum of the Stable Vault's balance and debt.
  • The Governor can update this percentage to any amount at any time.
  • Contracts cannot deposit GLP or Stable tokens unless they have been whitelisted by the associated WhiteListController contract.
  • When redeeming GLP, a user's staked shares are withdrawn from the GLP Reward Tracker or Glp Compound Rewards contract and subsequently burned.
  • The GLP value of these shares is then withdrawn from the Strategy contract to this contract after a fee is taken by the Strategy.
  • A fee is then taken from the withdrawn amount. The fee amount is redeemed through the GmxRewardRouter contract for WETH.
  • Two-thirds of the fee is transferred to the IncentiveReceiver address and one-third is deposited into the GLP Reward Tracker.
  • As the IncentiveReceiver contract was not included in the scope of this audit, we are unable to provide an assessment with regards to its security or functionality.
  • The remaining GLP after fees is transferred to the user.
  • Users will not be able to withdraw if the amount is greater than the Strategy contract's underlying GLP balance.
  • When depositing Stable tokens, the amount is transferred into the associated JonesGlpStableVault contract.
  • If the user chooses to compound, the resulting shares are deposited into the associated Stable JonesGlpCompoundRewards contract on behalf of the user.
  • If they choose not to compound, the shares are then staked into the Stable JonesGlpRewardTracker on behalf of the user and they are marked as staked in the GlpJonesRewards contract.
  • In order to withdraw Stable tokens, non-exempt users must first submit a withdrawal request.
  • This withdraws the user's shares from the Stable Reward Tracker or Reward Compounder contract and stores them in this contract.
  • The user must then wait for the "exit cooldown" to pass until they can redeem their shares.
  • The exit cooldown is defined as a certain number of "epochs", or days.
  • A user can only submit one withdrawal request per epoch.
  • The Stable value of redeemed shares is determined at the time of redemption.
  • If the Stable Vault does not have a large enough balance to allow a redemption, the difference is redeemed using the associated Strategy contract.
  • Users must pay a "GMX fee" on this difference, which is determined by the Strategy contract.
  • In addition to any GMX fees paid, a Stable withdrawal fee is taken from the user's total withdrawal amount and deposited as rewards into the Stable JonesGlpRewardTracker contract.
  • This fee is calculated as the difference between the Stable fee assigned to the user's Role and the GMX fee, or 0 if the GMX fee is larger.
  • A user can cancel a withdrawal request as long as the request has not been redeemed.
  • Roles with bypass permissions have the ability to execute Stable withdrawals instantly without having to submit a request.
  • Bypassing users are still subject to the same fees.
  • A user can claim any rewards earned from the Strategy contract, GlpJonesRewards contract, and both the Stable and GLP JonesGlpRewardTracker contracts at any time.
  • A user can also choose to compound their rewards earned from Stable and GLP deposits at any time if they did not choose to compound at the time of depositing.
  • When compounding, the user's specified number of shares are withdrawn from the Stable or GLP Reward Tracker contract.
  • Any accrued rewards are claimed and deposited into the appropriate Vault in exchange for shares. If compounding GLP, rewards are first swapped from WETH to GLP using the GmxRewardRouter contract before being deposited.
  • These shares are then combined and deposited into the appropriate Rewards Compounder contract.
  • Users can "uncompound" their shares at any time without redemption if desired.
  • This redeems the user's shares from the Rewards Compounder contract and stakes them into the appropriate Reward Tracker contract on their behalf.
  • When uncompounding Stable rewards, the user's accrued rewards are added to their tracked staked amount in the GlpJonesRewards contract.
  • The Governor can transfer the Governor Role to any address at any time.
  • The Governor can grant or revoke the Keeper Role from any address at any time.
  • The Governor can pause or emergency pause the contract at any time.
  • While paused, users cannot deposit GLP or Stable assets.
  • While emergency paused, users cannot redeem GLP shares, redeem Stable token shares, or submit Stable token withdrawal requests.
  • The Governor can update the exit cooldown to any number of epochs at any time.
  • The Governor can update the GlpJonesRewards, JonesGlpLeverageStrategy, IncentiveReceiver, and GlpAdapter addresses at any time.
  • The Governor can update the GLP and Stable token addresses at any time.
  • The Governor can update the GLP and Stable JonesGlpVault, JonesGlpRewardTracker, and JonesGlpCompoundRewards addresses at any time.
JonesGlpLeverageStrategy Contract:
  • This contract is used to accrue rewards on funds deposited into the platform's Stable and Glp vaults.
  • This is done by staking vault funds into the GmxRewardRouter contract; as this contract was not included in the scope of the audit, we are unable to provide an assessment with regards to security or functionality.
  • Whenever GLP is deposited using the JonesGlpVaultRouter contract, the funds are taken from the vault and used for "rebalancing".
  • Rebalancing functionality is determined by the current "leverage", which is the ratio of the contract's GLP balance to its underlying GLP.
  • If the current leverage is under the minimum threshold, meaning there is a high GLP balance compared to current Stable debt, the contract leverages up by borrowing Stable tokens from its Vault and staking it into the GmxRewardRouter.
  • If the current leverage is greater than the maximum threshold, the contract deleverages by unstaking Stable tokens from the GmxRewardRouter and returning the resulting Stable tokens to its Vault.
  • The amount to borrow or repay is determined by the required amount to reach the contract's "target leverage".
  • If the current leverage is already within the accepted bounds, Stable tokens are borrowed from the Stable Vault and swapped for GLP using the GmxRewardRouter contract. The amount borrowed is dependent on the deposit amount and the target leverage.
  • A fee is taken from GLP redemptions in order to fund GMXVault fees on swaps.
  • When redeeming, the contract will deleverage a portion of its GLP if it is overleveraged. The amount deleveraged is dependent on the current excess GLP of the contract and the desired leverage.
  • A rebalance then occurs if the contract has any underlying GLP.
  • A redemption will fail if the contract does not have a sufficient underlying GLP balance to supply the redemption amount.
  • When rewards are claimed, this contract claims its rewards from the GmxRewardRouter contract and distributes them using the JonesGlpRewardDistributor and JonesGlpRewardsSplitter contracts.
  • If any Stable token swap for GLP results in the GMXVault exceeding its Stable token limit, the maximum permitted amount is swapped instead.
  • Only an Operator can trigger Strategy functionality that is intended to be executed on deposits, withdrawals, and claims.
  • Only the JonesGlpVaultRouter contract is intended to be set as an Operator.
  • The Governor can transfer the Governor Role to any address at any time.
  • The Governor can grant or revoke the Keeper Role from any address at any time.
  • The Governor can grant or revoke the Operator Role from any address at any time.
  • The Keeper Role can execute a rebalance at any time.
  • The Keeper Role can leverage up or down at any time as long as the resulting leverage does not exceed the maximum or minimum permitted leverages, respectively.
  • This borrows Stable tokens from the Stable Vault and swaps them for GLP using the GmxRewardRouter contract.
  • The Governor can liquidate at any time, which redeems this contract's GLP for Stable tokens through the GmxRewardRouter contract and uses it to repay its Stable debt.
  • The Governor can transfer the Governor Role to any address at any time.
  • The Governor can grant or revoke the Keeper and Operator Roles from any address at any time.
  • The Governor can withdraw the contract's GLP balance to any address at any time.
  • The Governor can transfer the contract's staked balances in the GmxRewardRouter to any address, or accept a transfer from another address at any time.
  • The Governor can update the minimum, maximum, and target leverages at any time.
WhiteListController Contract:
  • This contract is used to manage user and contract permissions in the JonesGlpVaultRouter contract.
  • The owner can create a new Role with custom permissions at any time.
  • These permissions consist of GLP cap bypassing, instant Stable redemptions, and custom Stable and GLP redemption fees.
  • The owner can grant or revoke any Role from any address at any time.
  • The owner can add or remove any address from the users Whitelist at any time.
  • The owner can add or remove any address from the contracts Whitelist at any time.
  • The owner can update the Default Role at any time.
GlpAdapter Contract:
  • This contract allows users and supported contracts to swap supported tokens or ETH for GLP which is deposited into the JonesGlpVaultRouter contract.
  • Only externally owned addresses (EOAs) and contracts on the whitelist in the WhitelistController contract may deposit using the contract.
  • When the "hatlist" is enabled, addresses must also be on the hatlist to deposit.
  • The contract uses an off-chain generated Merkle tree provided by the Governor to store and verify addresses that are on the hatlist.
  • When depositing, the specified token or ETH amount is transferred to this contract and staked into the GmxRewardRouter contract in exchange for GLP.
  • The resulting GLP is then staked into the JonesGlpVaultRouter contract on behalf of the user.
  • The user can also specify whether they would like to enable compounding for their deposit.
  • Users can also use this contract to deposit GLP directly into the JonesGlpVaultRouter contract.
  • Users can use this contract to deposit USDC as a Stable token into the JonesGlpVaultRouter contract.
  • If the "flexible cap" is enabled, users may only deposit into the associated Strategy contract up to the "usdc cap".
  • The usdc cap is a percentage of the product of the Strategy's target leverage and the "flexible total cap" value.
  • Users can use this contract to redeem a specified amount of shares through the JonesGlpVaultRouter contract.
  • The Governor can update the GmxRewardRouter, JonesGlpVaultRouter, and jGLPViewer addresses at any time.
  • The Governor can add or remove any token from the supported token list at any time.
  • The Governor can grant or revoke the Operator role from any address at any time.
  • The Governor can update the Merkle tree root at any time.
  • The Governor can toggle whether the contract is using the hatlist at any time.
  • The Governor can toggle whether the contract is using the flexible cap and the flexible cap value at any time.
GlpJonesRewards Contract:
  • This contract is used to distribute collected reward tokens over time to users who have staked Stable tokens.
  • When the contract receives reward tokens for distribution, they are distributed over a period defined by the Governor.
  • If reward distribution is already occurring, the existing rewards left to be distributed are added to the newly received amount and the new total is distributed over the defined period.
  • Vault shares earned from the Stable Compounder contract do not automatically increase a user's staked amount in this contract.
  • The Governor can update the period over which received rewards are distributed at any time.
  • The Governor can transfer the Governor Role to any address at any time.
  • The Governor can grant or revoke the Operator Role from any address at any time.
JonesGlpRewardTracker Contract:
  • This contract is used by the JonesGlpVaultRouter to stake GLP and Stable Vault share tokens for rewards.
  • Only the Operator contract can stake, withdraw, claim, and deposit rewards. The Operator is intended to be set to the JonesGlpVaultRouter contract.
  • Fees taken from Stable and GLP redemptions are transferred to this contract to be distributed for rewards.
  • The GLP JonesGlpRewardTracker contract's rewards are accrued in the form of WETH, and the Stable JonesGlpRewardTracker contract's rewards are accrued in the form of Stable tokens.
  • The Operator or Keeper can call the updateRewards() function to manually update the contract's rewards.
  • The Governor can transfer the Governor Role to any address at any time.
  • The Governor can grant or revoke the Operator Role from any address at any time.
  • The Governor can update the associated JonesGlpRewardDistributor and JonesGlpRewardsSwapper addresses at any time.
  • The Governor address can set the Incentive Receiver address, which receives rewards if no users are staked, to any address at any time.
JonesGlpRewardDistributor Contract:
  • This contract is used to distribute received WETH rewards earned from the GmxRewardRouter contract to various destinations.
  • Upon receiving rewards, the portions to be distributed to the IncentiveReceiver, Stable JonesGlpRewardTracker, and GLP JonesGlpRewardTracker contracts are calculated by the associated JonesGlpRewardsSplitter contract.
  • IncentiveReceiver rewards are immediately deposited to the IncentiveReceiver address; the JonesGlpRewardTracker rewards are stored in the contract until they are collected by the JonesGlpRewardTracker contracts.
  • The Governor can transfer the Governor Role to any address at any time.
  • The Governor can grant or revoke the Operator Role from any address at any time.
  • The Governor can update the associated Splitter contract at any time.
  • The Governor can update the IncentiveReceiver, StableTracker, and GlpTracker addresses at any time.
JonesGlpRewardsSplitter Contract:
  • This contract is used to calculate the distribution of rewards between the IncentiveReceiver, Stable JonesGlpRewardTracker, and GLP JonesGlpRewardTracker contracts.
  • The amount distributed to each Reward Tracker contract is determined by the platform's current leverage, utilization, and calculated reward amount for the IncentiveReceiver.
  • The IncentiveReceiver's reward amount is determined by the "Jones rewards percentage" of the remaining rewards after the GLP Reward Tracker's reward amount has been calculated.
  • The Governor can update the Jones rewards percentage to any value at any time.
JonesGlpRewardsSwapper Contract:
  • This contract is used by the Stable JonesGlpRewardTracker contract to swap WETH rewards for Stable tokens.
  • When swapped, WETH is transferred from the Tracker to this contract, swapped for Stable tokens, and returned to the Tracker contract.
  • A Chainlink Oracle is used to ensure that the expected number of tokens are received by the contract when a swap is made.
  • Only an Operator can initiate a swap.
  • The Governor can update the accepted slippage amount to any value between 0.1% and 2% at any time.
  • The Governor can grant or revoke the Operator role from any address at any time.
JonesGlpCompoundRewards Contract:
  • This contract is used to compound rewards earned from either GLP or Stable deposits to their respective Vaults.
  • Two instances of this contract are intended to exist: one for GLP compounding, and one for Stable compounding.
  • Only an Operator, intended to be the JonesGlpVaultRouter contract, can deposit and redeem.
  • When a deposit is made on behalf of a user, staking tokens are transferred to this contract and staked into the associated JonesGlpRewardTracker contract to earn rewards for this contract.
  • The user is then minted shares to represent their share of the total deposited staking tokens.
  • When a redemption is made for a user, their shares are burned, but they are not transferred their staking tokens.
  • Instead, the staking tokens are withdrawn from the JonesGlpRewardTracker contract and redeposited on behalf of the user.
  • When compounder shares are transferred, the sender and recipient's GlpJonesRewards staked balances are proportionally updated.
  • An Operator or Keeper can compound rewards at any time.
  • This uses the JonesGlpVaultRouter to claim all Stable rewards or WETH rewards, depending on if this contract is used as the Stable Compounder or the GLP Compounder.
  • If the contract is used for GLP compounding, a GLP fee is taken from the earned WETH rewards and deposited into the IncentiveReceiver address.
  • The remainder is staked into the GmxRewardRouter in exchange for GLP.
  • This GLP is then deposited through the JonesGlpVaultRouter contract, which will stake the resulting GLP Vault shares to increase this contract's total staked amount.
  • Stable rewards are simply deposited into the JonesGlpVaultRouter for the same effect.
  • Rewards are automatically compounded by the Vault Router contract before it makes a deposit or withdrawal from this contract.
  • The Governor can withdraw any GLP or Stable staked by this contract, or any other token, at any time. This contract does not have to submit a Stable token withdrawal request and can instead redeem instantly.
  • The Governor can update the staking token, JonesGlpVaultRouter, IncentiveReceiver, JonesGlpRewardTracker, and GmxRewardRouter at any time.
  • The Governor can grant or revoke the Keeper and Operator Roles from any address at any time.

Audit Results

Vulnerability Category - Notes - Result
Arbitrary Jump/Storage Write - N/A - PASS
Centralization of Control - WARNING
  • The owner and mentioned Roles have the permissions described above.
  • The Governor can update the maximum percentage of the Stable Vault's value allowed for total GLP deposits to any amount at any time.
  • The Governor can update the Strategy's minimum, maximum, and target leverages at any time.
  • The Governor can withdraw the contract's GLP balance to any address at any time.
  • The Governor can transfer the contract's staked balances in the GmxRewardRouter to any address at any time.
  • The Governor can withdraw all of the Stable Vault's assets at any time.
  • The Governor can redeem and withdraw all GLP or Stable tokens from the Compounder contract at any time.
  • While the JonesGlpVaultRouter contract is emergency paused, users cannot redeem GLP shares, redeem Stable token shares, or submit Stable token withdrawal requests.
Compiler Issues - N/A - PASS
Delegate Call to Untrusted Contract - N/A - PASS
Dependence on Predictable Variables - N/A - PASS
Ether/Token Theft - N/A - PASS
Flash Loans - N/A - PASS
Front Running - PASS
  • The team should reevaluate the frontrunning risk associated with swaps in the case that the centralized Arbitrum Sequencer is no longer in use.
Improper Events - N/A - PASS
Improper Authorization Scheme - N/A - PASS
Integer Over/Underflow - N/A - PASS
Logical Issues - N/A - PASS
Oracle Issues - N/A - PASS
Outdated Compiler Version - N/A - PASS
Race Conditions - N/A - PASS
Reentrancy - N/A - PASS
Signature Issues - N/A - PASS
Sybil Attack - N/A - PASS
Unbounded Loops - N/A - PASS
Unused Code - N/A - PASS
Overall Contract Safety - PASS

About SourceHat

SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown of what each Severity level means for the project:

  • High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
  • Medium severity issues are those which place at least some users' funds at risk and have a medium to high probability of exploitation.
  • Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
  • Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.