Summary
ChainSecurity performed a smart contract audit of POSDAO, with a main focus on the configuration for the xDAI POSDAO AuRa implementation.
The smart contracts reviewed implement the configurable logic for the operation of a POSDAO network. The actual configuration implemented corresponds to the settings for the xDAI POSDAO AuRa network. These smart contracts are used by the client software (currently OpenEthereum or Nethermind) to determine how to run the proof of stake network. Amongst others, this includes the logic to determine the set of active validators and the block rewards. The client software is configured accordingly through the genesis configuration of the chain and the core smart contracts expose standardized functions which the client queries. A staking contract deployed on chain allows participants to stake (either the native coin of the chain or tokens, depending on configuration) and to participate in the consensus.
See the report for more information on our findings.
About POA Network – OmniBridge
“POA Core is an autonomous network secured by a group of trusted validators. All validators on the network are United States notaries, and their information is publicly available. This distributed group of known validators allows the network to provide fast and inexpensive transactions.
POA organization also develops products and tools to improve interoperability, infrastructure and transparency throughout the ecosystem. These include BlockScout, an open-source explorer, TokenBridge, a multi-chain asset-transfer solution.”
ChainSecurity has a thoughtful and thorough approach to their auditing process, which is not always the case with security auditing firms. Communication was excellent throughout; their high level of scrutiny, attention to detail, and understanding of complexities helped improve our OmniBridge contracts.
Igor Barinov, POA Network
Summary
The suite of contracts implement a Dynamic Market Maker (DMM) based on UniswapV2. The main changes are the use of an amplification model for the pools inventory function and fees based on the recently traded volume.
Our main concerns are around the implementation of the amplification model. The paper Amplification Model describes the model in detail, however, only covers the cases when trades and contribution of liquidity are done in a balanced manner in regard to the pools tokens. The actual implementation, however, allows unbalanced contributions. Three issues raised in the report are connected to unbalanced contributions.
One medium severity security issue has been identified during the assessment. Additionally one medium severity correctness issue and one medium severity as well as several low severity design issues have been reported
About KyberSwap Classic
“Kyber Network is an on-chain liquidity protocol that aggregates liquidity from diverse sources for the best prices, enabling decentralized token swaps to be integrated into any application. Using this protocol, developers can build innovative payment flows and applications, including instant token swap services, decentralized payments, and financial DApps — helping to build a world where any token is usable anywhere.
Kyber is the most used and integrated protocol in decentralized finance (DeFi), with over US$1 billion worth of transactions facilitated since its inception. Kyber supports over 80 different tokens, and powers over 100 integrated projects including popular wallets Trust, Enjin, Argent, Eidoo, and the HTC Exodus smartphone, as well as DeFi platforms Nuo, DeFiSaver, InstaDApp, Set Protocol, Melon, and many others.”
(Source: Kyber Network media kit, April 2021)
With their thorough and high quality audits, ChainSecurity has been one of Kyber Network’s primary auditors for years now. We look forward to continuing our partnership with them for many more years to come as we keep growing the frontiers of blockchain.
Loi Luu, CEO of Kyber Network
Summary
The Maker protocol Liquidations 2.0 smart contracts have been audited by ChainSecurity.
Liquidations 2.0 for multi collateral DAI has been developed to mitigate uncovered shortcomings in the previous liquidation system. The most notable change from the previous version is the move from English to Dutch style auctions. The resulting single block composability allows anyone to participate in the liquidation without capital constraints by leveraging flash-loans. Contrary to the old system, partial liquidations no longer exists except under special circumstances. Keepers, responsible to initiate the liquidation of undercollateralized vaults have no first mover advantage anymore in the auction, hence a new incentive scheme has been introduced.
ChainSecurity uncovered 4 medium severity and 6 low severity findings, all of which have been addressed by Maker.
About MakerDAO
The Maker Foundation is tasked with bootstrapping MakerDAO to fuel growth and drive the organization toward complete decentralization. While the Foundation provided development support through the launch of Multi-Collateral Dai (MCD), it is currently spearheading efforts to decentralize development. MakerDAO governs the Maker Protocol by deciding on key parameters (ie. stability fees, collateral types and rates) through the voting power of MKR holders holders.
ChainSecurity went above and beyond our expectations when it came to the audit of our Liquidations 2.0 upgrade of the MakerDAO Protocol.
They were the perfect partner to support the biggest upgrade of the protocol since its launch.
Wouter Kampmann, Head of Engineering (Maker Foundation)
Summary
CoreLedger developed a universal system for fungible and non-fungible asset tokenization and trading. CoreLedger engaged ChainSecurity Ltd to perform multiple security audits of their Ethereum-based smart contract system. ChainSecurity Ltd audits consist of a thorough manual code review by leading experts to ensure the highest security standards. CoreLedger supported ChainSecurity Ltd professionally and provided documentation for the project.
During the audits, ChainSecurity Ltd was able to help CoreLedger in addressing several security, trust and design issues of different severity which were laid out and submitted to CoreLedger in a detailed audit report. ChainSecurity Ltd advised on ramifications of planned improvements to the contracts by CoreLedger.
All reported issues have been fixed, addressed or acknowledged by CoreLedger. In particular, all code related issues have been eliminated with appropriate fixes to the smart contracts.
ChainSecurity Ltd thanks CoreLedger for the opportunity and trust to audit their unique tokenization and trading system. Furthermore, we thank CoreLedger for the nice and professional support while performing the audit.
About Coreledger
CoreLedger provides a decentralized, modular, and extensible operating system for token economies, designed for all types of assets and services. The company’s core product is the TEOS Active Sandbox which enables companies to affordably and safely trial blockchain solutions for R&D purposes, or to rapidly develop a functioning proof-of-concept. It’s an industry first solution and is absolutely the easiest, cheapest way for businesses to get started using blockchain. The TEOS Active Sandbox also features CoreLedger’s full suite of white label products, so that companies can seamlessly scale up and capture market opportunities. CoreLedger was founded in 2017 by a group of Crypto Valley professionals, and has offices in Liechtenstein and Switzerland.
Summary
CHAINSECURITY audited the smart contracts which are going to be deployed on the public Ethereum chain. Audits of CHAINSECURITY use state-of-the-art tools for detection of generic vulnerabilities and checks of custom functional requirements. Additionally, a thorough manual code review by leading experts helps to ensure the highest security standards. During the audit, CHAINSECURITY was able to help REN in addressing several security, trust and design issues of high, medium and low severity. The employed coding practices and partial documentation increased the complexity of the audit.
All reported issues have been addressed by REN. CHAINSECURITY has no further concerns regarding the audited smart contracts.
About REN Smart Contracts
The smart contracts of REN are used for certain features of the REN system. Namely, darknode registration, payments, and cross-chain token swap.
Summary
CHAINSECURITY audited the smart contracts which are going to be deployed on the public Ethereum chain. Audits of CHAINSECURITY use state-of-the-art tools for detection of generic vulnerabilities and checks of custom functional requirements. Additionally, a thorough manual code review by leading experts helps to ensure the highest security standards. During the audit, CHAINSECURITY was able to help REN in addressing several security, trust and design issues of high, medium and low severity. The employed coding practices and partial documentation increased the complexity of the audit.
All reported issues have been addressed by REN. CHAINSECURITY has no further concerns regarding the audited smart contracts.
About Ren smart contracts
The smart contracts of REN are used for certain features of the REN system. Namely, darknode registration, payments, and cross-chain token swap.
.svg)
Summary
The Web3 Foundation engaged ChainSecurity Ltd to perform a security audit of Polkadot Claims, an Ethereum-based smart contract that will allow holders of the DOT allocation indicator token to claim their balances of DOTs to a Polkadot public key ahead of Polkadot’s genesis.
The state of the Claims contract will be used to initialize the genesis of Polkadot, including the Polkadot public key to associate to a specific allocation, the index of the public key, and the vesting status of the allocation. Due to the importance of this data, the security of the Claims contract was considered of utmost importance. To address this, ChainSecurity Ltd was tasked to formally verify the correctness of the contract’s code, especially with respect to critical requirements, such as ensuring immutability of the state of the contract after claims have taken place.
To guarantee that the Claims contract is secure and functionally correct, ChainSecurity Ltd formally verified the contract’s code. In more detail, the security audit consisted of:
1) Formalizing 12 critical functional requirements pertaining to the immutability of the state after the initialization, access-control requirements, and the safety of the contract set-up period;
2) Formally verifying the correctness of the Claims contract with respect to the formalized properties. Verification was carried out using VerX, ChainSecurity Ltd’s state-of-the-art verifier for smart contracts;
3) Analyzing the Claims contract for generic security vulnerabilities using Securify, ChainSecurity Ltd’s state-of-the-art security scanner;
4) A thorough manual audit of the Claims contract for compliance with best security practices.
During the audit, ChainSecurity Ltd found 0 critical, 0 high, 2 medium and 9 low severity issues. All reported issues have been addressed or acknowledged by the Web3 Foundation. In particular, all security and design issues have been resolved with appropriate code fixes. The audit report describes the fixes that were applied to each issue and the reasoning of the Web3 Foundation behind them.
About Polkadot Claims
The Web3 Foundation was created to nurture and steward technologies and applications in the fields of decentralised web software protocols, particularly those which utilize modern cryptographic methods to safeguard decentralisation, to the benefit and for the stability of the Web3 ecosystem. Learn more about the Web3 Foundation at https://web3.foundation/.
The first project of the Web3 Foundation is Polkadot. Polkadot is a protocol that allows independant blockchains to exchange information under the protection of shared security. To learn more about the project go to https://polkadot.network/.
When we were evaluating auditors for the Polkadot Claims Contract, the team at ChainSecurity Ltd impressed us with their track record of successful audits and their tooling for verifying properties of smart contracts. For the audit, they were able to functionally verify twelve properties of our smart contract to ensure the immutability of critical state that is needed to bootstrap Polkadot genesis. They helped to identify design, trust, and security concerns in the contract and we were able to work together to resolve each of these. If we have further opportunities for our security needs, we would consider engaging ChainSecurity Ltd again.
Logan Saether, Web3 Foundation
Summary
STOKR is an online, peer-to-peer interface based on smart contracts on the Ethereum blockchain. STOKR enables ventures to create projects and investors to invest into these projects. For this purpose STOKR implemented a system which has built-in features to support investors and ventures.
Each project launched on STOKR’s platform has a crowdsale contract to manage the sale of a dedicated security token with profit sharing and a global whitelist. Thus, only whitelisted investors can invest. The profit sharing schemes distributes all deposited profits among the token holders according to their token balance at the time of deposit. A user’s profit share is tracked automatically and can be withdrawn at any time using the corresponding function. The crowdsale has multiple configurable parameters such as an individual purchase cap or start and end times. In case a crowdsale, doesn’t reach its defined investment goal, then all investor can obtain a refund. In case of a successful crowdsale, investors can withdraw their tokens after the completion of the crowdsale.
ChainSecurity Ltd analyzed STOKR’s smart contracts using a variety of tools for automated security analysis of Ethereum smart contracts, including Securify and manual expert review.
Overall, ChainSecurity Ltd found that STOKR has a well written code and extensive tests with 100% code coverage. ChainSecurity Ltd did not find major flaws. Nonetheless, ChainSecurity Ltd raised some minor issues and suggestions. These issues were all acknowledged or duly fixed in a professional manner.
About STOKR
STOKR is an accessible and easy to use peer-to-peer interface that allows innovative ventures to raise funds from everyday investors in order to finance forward-thinking ideas, powered by the Ethereum blockchain.
STOKR will provide a web-based interface that will allow ventures to present their businesses in a transparent and compelling way for any potential investor. Through an EU-compliant tokenisation of securities (also known as STOs), everyday investors can directly fund innovative start-ups and SMEs in return for a share of the venture’s future profits.
Learn more about the STOKR project at https://stokr.io/.
Summary
iExec provides a fully decentralized solution where providers of applications, datasets, and computational power can meet users. Due to its decentralized nature and the use of smart contracts, there is no need to rely on any one single agent. The new version of iExec introduces Proof-of-Contribution (PoCo). Honest contributions are ensured by staking, because bad actors will lose their stake. User interaction happens through the iExec market front-end. Users buy computational resources with specific apps and, if needed, datasets, while worker pool owners sell computational power. Payment and staking are carried out with RLC tokens. The user creating an order can set the confidence level desired; this corresponds to a minimum correctness likelihood that the result achieves.
The audit of iExec v3 smart contracts focused on verifying a set of invariants, both provided by iExec and augmented by ChainSecurity Ltd. The audit did not include a manual code review beyond the specified invariants, and therefore it is possible that unintended behavior not covered by the invariants is present in the contracts. Overall, ChainSecurity Ltd found that iExec employs good coding practices and has a clean, well-documented code. ChainSecurity Ltd raised minor security and design issues, all of which have been fixed in the latest code commit.
About iExec v3
iExec is a decentralized marketplace for computing resources. It allows individuals and enterprises to monetize their applications and datasets, and to trade computing power.
iExec is an open market. Cloud providers and requesters transact directly in a peer-to-peer network, free of any central authority. The company develops the technology and protocols that organize the exchanges between stakeholders, with the maximum level of trust, security and flexibility. To do so, iExec leverages blockchain technology, distributed computing and trusted execution environments (TEE). Payments between stakeholders are made in RLC, iExec’s cryptocurrency.
Learn more at iex.ec.
ChainSecurity Ltd provided an expert analysis and audit on each of the iExec V3 smart contracts (mainly the iexecHub and iexecClerk contracts). After an extensive review of thousands of lines of code, ChainSecurity Ltd produced a detailed report which is public and open for everyone to read. The iExec team would like to thank ChainSecurity Ltd for such a rigorous and detailed report!
%201%20(1)%201.svg)
Summary
The Melon Protocol smart contracts have been audited manually by security experts and using automated security tools for Ethereum smart contracts. The initial audit involved 4 auditors over a period of 2 weeks from 28 January to 11 February, followed by reviewing code updates delivered between 12 February and 22 February. On request of Melonport ChainSecurity Ltd reported critical and high severity issues on an ongoing basis during the audit to facilitate quick remediation.
During the audit process and the code update review process the following issues have been reported:
- Security: two critical, three high, five medium, and nine low severity issues
- Trust: six medium severity issues
- Design: three medium and six low severity isues
Out of these, all critical and high severity issues have been fixed. Most medium and low severity issues have been fixed or addressed.
The project is complex, each fund consists of several contracts which interact with external exchanges and tokens. Security audits of such systems cannot guarantee absence of errors.
About Melon Protocol
Melonport is the private company building the open-source Melon Protocol. The Melon protocol is a blockchain protocol for digital asset management built on the Ethereum platform. It enables participants to set up, manage and invest in digital asset management strategies in an open, competitive and decentralised manner.
Learn more bout Melonport at melonport.com
.svg)
Summary
TenX introduces a security token. The token implements the ERC-20 and ERC-1400 (ERC-1644 and ERC-1594) specifications. It grants the right to receive Y% (Y = amount TENX tokens owned by an account / total amount of TENX tokens) of the PAY tokens which are deposited in the rewards contract by TenX. An eligible user can withdraw his share of PAY token from the reward contract. A user is eligible if he passed KYC and held TENX token when the deposit was made.
The new token standard (ERC–1400) which TenX uses is currently in development and thereby subject to changes. Therefore, ChainSecurity Ltd recommends TenX to track the latest developments related to this standard.
The TenX smart contracts have been analyzed with state-of-the-art tools for verification of generic vulnerabilities and custom functional requirements. During this process, ChainSecurity Ltd found several issues of different severity (see report for full details). All reported issues were then dully acknowledged and addressed by TenX.
About TenX
TenX is a Singapore-based blockchain company that makes cryptocurrencies spendable on-the-go. The TenX payment system includes the TenX Wallet that can be funded with different cryptocurrencies (available on iOS and Android) and the TenX Card, which can be used in almost 200 countries.
Find out more at tenx.tech.
Summary
During the investigation ChainSecurity Ltd noted that the project is of high quality, employs good coding practices and has clean code. Despite the system’s complexity the DAO maintain a clear overall structure thanks to the high degree of modularity and low coupling between components.
The system’s specifications were verified against a set of general and adversarial assumptions and an attacker model. As a result ChainSecurity Ltd was able to uncover several security vulnerabilities of varying severity as well as propose design optimizations and improvements. Most notably, a missing verification check would allow beneficiaries to redeem their reputation multiple times.
Finally, ChainSecurity Ltd remarks that all vulnerabilities and issues were professionally and swiftly addressed by the DAOstack team leading to a more resilient, efficient and secure system.
About DAOstack v2
DAOstack powers decentralized companies, funds and markets to make fast and innovative decisions at scale. It’s a platform for decentralized governance that enables collectives to self-organize around shared goals or values, easily and efficiently. DAOstack is sometimes called an operating system for collective intelligence, or a Wordpress for DAOs.
Find out more about DAOStack at daostack.io
.svg)
Summary
The DAO voting system itself turned out to be well implemented and of high quality, in its functionality mostly following the previously published Governance whitepaper. A high degree of modularity was achieved in the code base introducing a clear overall structure.
Nonetheless, ChainSecurity Ltd managed to uncover several vulnerabilities and propose design improvements. Most notably, an unfortunately still common misuse of the EXTCODESIZE was originally present: Namely, using this opcode to detect that the message sender or transaction initiator is not a contract account, but an externally owned account. Given that such checks can be easily circumvented, this restriction cannot be relied upon to enforce proper access control even though there may be benign use cases. For more information of this,we are glad to point to the Smart Contract Best Practices to which ChainSecurity Ltd contributed for this issue.
As for the roles present in the DAO system, these distinguish mainly between the Digix administrative roles, initiators of proposals which are to be voted on by other users and finally the voters themselves. An overview of the roles and their conditional rights is provided in the
introductory section of the audit report.
Finally, ChainSecurity Ltd remarks that all vulnerabilities and issues were professionally and swiftly addressed by the Digix team and we are now curiously following further development and adoption of the project.
About Digix
Digix is one of the world’s first Smart Asset companies and aims to be the leading brand in tokenizing the world’s tangible assets.
Learn more about Digix Dao at https://digix.global/dgd/
We are extremely pleased with our choice. All the security auditors were great to work with and their services were professionally conducted. I would recommend ChainSecurity Ltd to anyone looking for top notch secure solutions for blockchains and smart contracts.
Shaun Djie, COO
.svg)
Summary
Switcheo is creating a decentralized exchange (DEX) where users can trade Ether and any ERC20 tokens. Before being able to trade on the exchange, users have to deposit their ETH and/or ERC20 tokens to the Switcheo platform. To initiate transactions, users have to first sign the trade data off-chain. This signed data is then sent to Switcheo, which initiates transactions on the DEX on users’ behalf.
ChainSecurity Ltd analyzed the Switcheo smart contracts under different aspects, with a variety of tools for automated security analysis of Ethereum smart contracts, including Securify, and manual expert review. Overall, we found that Switcheo employs good coding practices and has a clean code base. Nonetheless, ChainSecurity Ltd was able to uncover several security, design, and trust issues that were successfully mitigated or addressed by Switcheo before deployment.
About Switcheo
Switcheo Network is the first decentralized exchange on the NEO blockchain which now allows trading of Ethereum and NEO tokens. Switcheo’s goal is to achieve a DEX network with cross-chain swapping capabilities across popular blockchains, with a focus on delivering a world-class trading experience in a trustless and decentralized environment.
Find out more about the project at https://switcheo.network/.
Summary
When contracted by STACK, ChainSecurity Ltd conducted an extensive review of STACK’s multi-token smart contracts with the help of several (internal and external) tools. Throughout this process, multiple issues including two critical security issues were uncovered. All of the security issues were promptly addressed by STACK and pose no further security threat.Furthermore, in cooperation with ChainSecurity Ltd, STACK made additional optimizations to the contracts’ design and their trust model resulting in a more efficient and more trustworthy set of smart contracts.
About STK
STACK is a new personal finance platform, built on the idea that using your money should be free. Universally accessible, STACK is an alternative to traditional banking that allows you to store your money safely, access it instantly and transact with it anywhere, in any currency including crypto, right from your smartphone. The STK Token will provide instant cryptocurrency payments at point of sale, enabling seamless integration of cryptocurrency into everyday transactions and financial services in the STACK wallet. The STK token will be implemented on the public Ethereum blockchain as an ERC20 token.
Find out more about STACK at stktoken.com.
Summary
Republic Protocol is a decentralized open-source dark pool protocol facilitating atomic swaps between cryptocurrency pairs across the Bitcoin and Ethereum blockchains. Trades are placed on a hidden order book and are matched through an engine built on a multi-party computation protocol. While the order matching engine is placed off-chain, trade orders themselves are first encrypted and committed on-chain and then later revealed after matching. This ensures that once the information becomes public the trade already happened and allows to monitor matching nodes for malicious activity and retrospectively challenge their bond when they were misbehaving.
Our audit investigated the Republic Protocol itself, which allows for custom settlement solutions to be used by future participating brokers, as well as the reference implementation of a full Dark pool by the team called RenEx. During the investigation ChainSecurity Ltd noted that the project is of high quality, employs good coding practices and has clean, well-documented code which is impressive considering the complexity of the project.
While the audit was scoped, a specification covering core parts of the system was derived by both teams and verified under a set of general and adversarial assumptions and an attacker model. All of the previous is clearly defined in the whitepaper and audit report. ChainSecurity Ltd was able to propose several design optimizations and improvements, but more so uncover several vulnerabilities of varying severity. These were swiftly reviewed and addressed by the Republic Protocol team, leading to a more resilient, efficient and secure system.
We are excited to follow the further development of the Republic Protocol and the adoption of their trading pools.
About Republic Protocol
Republic Protocol is a dark pool platform designed for trading large volumes of cryptocurrencies.
Ren is powered by a decentralized network of Darknodes that use secure multiparty computation to run privacy preserving applications. Using it, they are building hidden order books and privacy preserving settlement layers.
Dark pools built on Ren are the first in the history of financial markets that are mathematically provable to be fair.
Find out more here: https://renproject.io/
.png)
.svg)
Summary
WBTC is an ERC20 token that represents Bitcoin as an (extended) ERC20 token on the Ethereum blockchain, where 1 BTC equals 1 WBTC token. The involved entities are at least one custodian (the current setup is tailored to exactly one) and multiple merchants. The whole system has in general two main tasks:
- Minting WBTC:
If a matching amount of BTC is locked at a custodian’s account (on the Bitcoin blockchain), the corresponding amount of WBTC tokens is minted (released) to the merchant (on the Ethereum blockchain). - Burning WBTC:
When a merchant wants to convert his WBTC tokens back into BTC, he places a burn request (the specified amount of WBTC tokens are burned). If successful, the custodian sends the merchant the requested amount of BTC (on the Bitcoin blockchain).
To accomplish a Bitcoin-to-WBTC swap and back, a merchant sends BTC to a custodian. The custodian confirms that this merchant has deposited a certain amount of BTC on the Bitcoin blockchain. A matching amount of WBTC is then minted by a custodian and can be used by the merchant. Accordingly, if a merchant wants to swap back the WBTC to BTC, the merchant files a request to burn the WBTC. The custodian transfers the BTC back to the merchant, if the burning of the WBTC was successful.
Overall, the smart contracts request and record the transaction details on the Ethereum blockchain. Actual transactions of BTC are happening on the Bitcoin blockchain. Other tasks include managing (adding/removing) merchants and custodians.
Our audit investigated the code implementation issues arising from the management of merchants and custodians, as well as from the minting, transferring, and burning of the WBTC token on the Ethereum blockchain.
Overall, the ChainSecurity Ltd team found that Wrapped Bitcoin is a very well-coded smart contract with clean documentation. During the audit, we detected two security issues concerning (1) the pausing of the minting/burning process (2) and a possible hash collision. The hash collision was possible due to using abi.encodePacked() instead of abi.encode(). Chainsecurity also highlighted relevant trust assumptions arising from the overall system setup. WBTC addressed, acknowledged or fixed the raised issues. Therefore, ChainSecurity Ltd sees no remaining security issues in the current version.
About Wrapped Bitcoin (WBTC)
WBTC (Wrapped Bitcoin) will launch as a fully backed Bitcoin ERC20 token on Ethereum in January 2019. The initiative will bridge Bitcoin liquidity and the decentralized ecosystem on Ethereum, enhancing all decentralized applications. WBTC will allow the Ethereum network to be leveraged to enable new applications and use cases for Bitcoin.
WBTC is a community focused initiative and is the culmination of a long-standing joint effort relationship between BitGo, Kyber Network, and Republic Protocol. Prominent decentralized exchanges and financial projects, including MakerDAO, Dharma, Airswap, IDEX, Compound, DDEX, Hydro Protocol, Set Protocol, Prycto, RadarRelay, Blockfolio and Gnosis have all committed to support the adoption of WBTC and will participate as launch members.
For more information please visit www.wbtc.network
Summary
The stablecoin is collateralized 1:1 by the US Dollar and its implementation is realized as a ownable ERC20 token. Paxos Standard 18-decimal PAX is designed to be upgradeable, using the ZeppelinOS Upgradeability with unstructured storage library for this purpose.
ChainSecurity Ltd analyzed the Paxos Standard smart contracts under different aspects, with a variety of tools for automated security analysis of Ethereum smart contracts including Securify and manual expert review.
Overall, the ChainSecurity Ltds auditors found that Paxos employs good coding practices and has clean, well-documented code, which is well covered by a corresponding test suite. Nonetheless, ChainSecurity Ltd was able to uncover several minor issues and vulnerabilities related to the Security and Design of the system which Paxos successfully addressed and resolved before launch. The successful collaboration between the Paxos and ChainSecurity Ltds teams improved the overall security and reliability of the Paxos standard.
About Paxos
Paxos is building a future where all assets — from money to commodities to securities — will be digitized and can move instantaneously, 24/7. Settlement risk will cease to exist, so trillions of dollars of trapped capital can go to work in a global, frictionless economy. Today, as the first regulated Trust company with blockchain expertise, Paxos is uniquely positioned to mobilize and custody assets digitally. Visit www.paxos.com for more information on Paxos and its institutional-grade products like Paxos Standard token and Paxos Confirmation Service for precious metals.
Summary
POA Network is building a Proof of Authority sidechain to Ethereum to facilitate secure, fast, and cheap transactions while being fully compatible with the existing Ethereum ecosystem. A cross-chain bridge allows easy transfer of tokens from a POA Network chain onto the main Ethereum chain and vice-versa. The POA Network system consists of many connected open-source components. Smart contracts form the core and give strong guarantees, dApps and APIs allow for easy access and a custom parity client is running an efficient Proof of Authority based version of Ethereum using the Aura consensus. The audit focused on the core part, the smart contracts deployed on POA Network.
Our audit investigated technical issues such as the initialization of keys and their distribution, the requirements of the validator set, and the upgradability of the smart contracts. We also looked into the reward system and the overall governance to check their soundness and design.
Overall, the ChainSecurity Ltd team found that POA Network is a very well-coded complex system with clean documentation. During the audit, several issues have been found by ChainSecurity Ltd and successfully addressed by POA Network. ChainSecurity Ltd sees no remaining security issues in the current version.
About POA
POA Network is an Ethereum-based platform that offers an open-source framework for smart contracts. Towards the end of 2017, POA Network launched its own blockchain utilizing a new and unique consensus mechanism known as Proof of Authority (POA). POA leverages an independent group of validators who are all licensed public notaries around the United States which increases security while enabling a method of governance on the blockchain. POA Network is scalable, secure and cheaper than other projects, aiming to provide a platform for small and medium sized organizations.
For more information please visit https://poa.network/
Summary
Kyber is building The Decentralized Liquidity Network that powers instant and seamless inter-token transactions between platforms, ecosystems, and other use cases. By allowing open contribution of liquidity from token holders and easy integration from DApps and projects to leverage the contributed liquidity pool, Kyber enables a more connected tokenized world where tokens are liquid and useful.
These interesting properties of Kyber’s platform make the smart contract security non-trivial. Kyber has a detailed trust model that combines upgradability and trustworthiness, an achievement that is rarely seen. In particular, users are protected by the proxy contract from misbehaving administrators or exchanges. This is because the proxy contract enforces a minimal conversion rate while still allowing upgrades to the underlying business logic.
Overall, the ChainSecurity Ltds team found that Kyber’s platform is well-designed. Moreover, the implementation of the smart contracts is clean, follows best practices and guidelines, and comes with an extensive test suite. During the security audit, the ChainSecurity Ltds team made several minor recommendations, which have been addressed by the Kyber team and so we see no remaining security issues.
About
Kyber is a decentralised exchange which provides a seamless user experience with high security. Kyber guarantees liquidity, allowing users to convert or transfer tokens instantly. Users can trade directly from their wallet, without having to register or deposit beforehand.
Learn more about Kyber at kyber.network.
Summary
The iExec smart contracts constituting the Proof-of-Contribution protocol have been analyzed under the agreed upon specification, with different tools for automated security analysis of Ethereum smart contracts and manual review. The issues listed in this report result from ChainSecurity Ltd’s verification of this specification and should not be considered exhaustive.
While we found that iExec employs good coding practices and has clean, well-documented code, the current Proof-of-Contribution implementation has a model that places trust in external contracts and key roles, introducing several issues.
For details please see the full technical report.
About iExec
iExec is inventing the internet of the future by developing the first Blockchain-based, fully decentralized cloud computing platform. iExec aims to provide blockchain-based distributed applications a scalable, secure and easy access to the computing resources required for their execution. It uses the blockchain to organize a market network where everyone can monetize their servers, applications, and data-sets.
Summary
ChainSecurity Ltd. has analyzed Zilliqa’s smart contract and has found no major technical vulnerabilities or shortcomings. The ZIL smart contract contains the necessary token functionality. Zilliqa has additionally addressed the minor shortcomings that were uncovered during the report and has even implemented some of the recommendations.
About Zilliqa
Zilliqa is a new public blockchain platform for high-throughput applications. It brings the theory of sharding to practice with its novel protocol that increases transaction rates as its network expands. The latest experimental results demonstrate a throughput of more than 2,400 transactions per second, which is over 200 times higher than that of today’s popular blockchains. The platform is tailored towards enabling high-throughput data-driven decentralized apps, designed to meet the scaling requirements of applications in areas such as digital marketing, payment, shared economy and rights management. Zilliqa has been under research and development for two years, with several commercial applications in different sectors.
.svg)
Summary
Augur is a decentralized prediction market that runs on top of the Ethereum blockchain. The Augur platform estimates the probability of future events based on votes casted by users, thereby leveraging the wisdom of the crowd principle. Users are rewarded whenever they make correct predictions
The scope of the security audit conducted by ChainSecurity Ltd. was restricted to scanning of the contracts for generic security issues using automated systems and manually inspecting the results, followed by 32 hours of manual audit of the contracts for security issues.
About Augur
Augur is a decentralized prediction market that runs on top of the Ethereum blockchain.
Summary
ChainSecurity Ltd. has audited the HelloGold Tokens (HGT) contracts. As part of the audit, ChainSecurity Ltd. identified several issues. The HelloGold team has been fast and professional, they were able to fix most of the issues quickly through code changes. Some of the issues, which are harder to address on a technical level, will be addressed through other means. Overall ChainSecurity Ltd. is not aware of any remaining issues in the HGF contracts.
About HelloGold Foundation
HelloGold is a startup that creates simple and accessible gold products for everyone. Founded in 2015 and headquartered in Kuala Lumpur, Malaysia, HelloGold built the world’s first Shariah-compliant gold digital application that changes the way people buy and sell gold. The company’s platform features state-of-the-art online security and is supported by fully audited processes to guarantee proper ownership of the physical gold. HelloGold’s team of seasoned professionals have come together from the gold industry, financial services, technology and digital user experience, all with the aim of making gold available to everyone in Asia.
We were attracted by the fact that they span out from the security lab at ETH Zurich (Switzerland's answer to MIT). We kept coming back and continue referring them to others for their professionalism and commitment.
Dave Appleton, Blockchain Lead