

POA Network is building a Proof of Authority sidechain to Ethereum to facilitate secure, fast, and cheap transactions while being fully compatible with the existing Ethereum ecosystem. A cross-chain bridge allows easy transfer of tokens from a POA Network chain onto the main Ethereum chain and vice-versa. The POA Network system consists of many connected open-source components. Smart contracts form the core and give strong guarantees, dApps and APIs allow for easy access and a custom parity client is running an efficient Proof of Authority based version of Ethereum using the Aura consensus. The audit focused on the core part, the smart contracts deployed on POA Network.
Our audit investigated technical issues such as the initialization of keys and their distribution, the requirements of the validator set, and the upgradability of the smart contracts. We also looked into the reward system and the overall governance to check their soundness and design.
Overall, the ChainSecurity Ltd team found that POA Network is a very well-coded complex system with clean documentation. During the audit, several issues have been found by ChainSecurity Ltd and successfully addressed by POA Network. ChainSecurity Ltd sees no remaining security issues in the current version.
POA Network is an Ethereum-based platform that offers an open-source framework for smart contracts. Towards the end of 2017, POA Network launched its own blockchain utilizing a new and unique consensus mechanism known as Proof of Authority (POA). POA leverages an independent group of validators who are all licensed public notaries around the United States which increases security while enabling a method of governance on the blockchain. POA Network is scalable, secure and cheaper than other projects, aiming to provide a platform for small and medium sized organizations.
For more information please visit https://poa.network/

Kyber is building The Decentralized Liquidity Network that powers instant and seamless inter-token transactions between platforms, ecosystems, and other use cases. By allowing open contribution of liquidity from token holders and easy integration from DApps and projects to leverage the contributed liquidity pool, Kyber enables a more connected tokenized world where tokens are liquid and useful.
These interesting properties of Kyber’s platform make the smart contract security non-trivial. Kyber has a detailed trust model that combines upgradability and trustworthiness, an achievement that is rarely seen. In particular, users are protected by the proxy contract from misbehaving administrators or exchanges. This is because the proxy contract enforces a minimal conversion rate while still allowing upgrades to the underlying business logic.
Overall, the ChainSecurity Ltds team found that Kyber’s platform is well-designed. Moreover, the implementation of the smart contracts is clean, follows best practices and guidelines, and comes with an extensive test suite. During the security audit, the ChainSecurity Ltds team made several minor recommendations, which have been addressed by the Kyber team and so we see no remaining security issues.
Kyber is a decentralised exchange which provides a seamless user experience with high security. Kyber guarantees liquidity, allowing users to convert or transfer tokens instantly. Users can trade directly from their wallet, without having to register or deposit beforehand.
Learn more about Kyber at kyber.network.

The iExec smart contracts constituting the Proof-of-Contribution protocol have been analyzed under the agreed upon specification, with different tools for automated security analysis of Ethereum smart contracts and manual review. The issues listed in this report result from ChainSecurity Ltd’s verification of this specification and should not be considered exhaustive.
While we found that iExec employs good coding practices and has clean, well-documented code, the current Proof-of-Contribution implementation has a model that places trust in external contracts and key roles, introducing several issues.
For details please see the full technical report.
iExec is inventing the internet of the future by developing the first Blockchain-based, fully decentralized cloud computing platform. iExec aims to provide blockchain-based distributed applications a scalable, secure and easy access to the computing resources required for their execution. It uses the blockchain to organize a market network where everyone can monetize their servers, applications, and data-sets.

ChainSecurity Ltd. has analyzed Zilliqa’s smart contract and has found no major technical vulnerabilities or shortcomings. The ZIL smart contract contains the necessary token functionality. Zilliqa has additionally addressed the minor shortcomings that were uncovered during the report and has even implemented some of the recommendations.
Zilliqa is a new public blockchain platform for high-throughput applications. It brings the theory of sharding to practice with its novel protocol that increases transaction rates as its network expands. The latest experimental results demonstrate a throughput of more than 2,400 transactions per second, which is over 200 times higher than that of today’s popular blockchains. The platform is tailored towards enabling high-throughput data-driven decentralized apps, designed to meet the scaling requirements of applications in areas such as digital marketing, payment, shared economy and rights management. Zilliqa has been under research and development for two years, with several commercial applications in different sectors.
Augur is a decentralized prediction market that runs on top of the Ethereum blockchain. The Augur platform estimates the probability of future events based on votes casted by users, thereby leveraging the wisdom of the crowd principle. Users are rewarded whenever they make correct predictions
The scope of the security audit conducted by ChainSecurity Ltd. was restricted to scanning of the contracts for generic security issues using automated systems and manually inspecting the results, followed by 32 hours of manual audit of the contracts for security issues.
Augur is a decentralized prediction market that runs on top of the Ethereum blockchain.
.png)

In the following we describe the V Token (VEE) and its corresponding token sale. Table 1 gives the general overview.
The VEEs are allocated in two phases. The TGE starts with a contribution phase during which contributors invest ETH. The contribution phase is split into pre-sale and main sale. Each of these sales is capped at USD 20M. The cap itself is not automatically enforced within the smart contracts. After the contribution phase, the TGE continues with a token allocation phase during which the price of tokens is determined and each contributor is allocated with tokens based on their contribution.
BlockV provides a platform for creating smart digital objects (vAtoms) on blockchains and distributing them among users.

ChainSecurity Ltd. has audited the HelloGold Tokens (HGT) contracts. As part of the audit, ChainSecurity Ltd. identified several issues. The HelloGold team has been fast and professional, they were able to fix most of the issues quickly through code changes. Some of the issues, which are harder to address on a technical level, will be addressed through other means. Overall ChainSecurity Ltd. is not aware of any remaining issues in the HGF contracts.
HelloGold is a startup that creates simple and accessible gold products for everyone. Founded in 2015 and headquartered in Kuala Lumpur, Malaysia, HelloGold built the world’s first Shariah-compliant gold digital application that changes the way people buy and sell gold. The company’s platform features state-of-the-art online security and is supported by fully audited processes to guarantee proper ownership of the physical gold. HelloGold’s team of seasoned professionals have come together from the gold industry, financial services, technology and digital user experience, all with the aim of making gold available to everyone in Asia.

The most critical subjects covered in our audit are escalation of privileges, functional correctness, and trustworthiness. Security regarding escalation of privileges is good.
In a previous iteration, the issues Manager Can Steal Bridged Assets via Deliberate Non-Fill and No Rate Limit on Operator Enables Repeated Slippage Loss were identified; both have been addressed in the latest version. Security regarding functional correctness is good after issues such as Queued Safe Transaction Can Invalidate Accounting Snapshot and Incoming Token Transfers Corrupt Slippage Check have been addressed.
To resolve the latter, Makina changed the specification to ban management instructions that can yield execution control to an attacker, who could exploit it to mask a loss, see Restrictions on Whitelisted Management Instructions. This places considerable responsibility on the user, who must carefully review all management instructions before whitelisting them. Security regarding trustworthiness is good: the trust model is layered and well-defined, with the Safe retaining ultimate control and neither the Provider nor infrastructure roles able to move funds out of the Safe. The general subjects covered are specification and code complexity. Security regarding both is high.
In summary, we find that the codebase provides a good level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
Makina provides Makina Lite, a Gnosis Safe module through which authorized operators manage DeFi positions, harvest rewards, swap tokens, and bridge tokens to other chains on behalf of a user who stores their assets in the Safe. The user has to whitelist all operations that can be performed.
Makina Lite operates in one of three modes: operators are fully trusted in OPEN mode, while FENCED and WALLED add increasing protection against a malicious or compromised operator through slippage limits and cooldowns.