Introduction
We express our gratitude to the Neemo Finance team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Neemo Finance is a non-custodial liquid staking protocol for Astar Network. It allows users to liquid stake their ASTR with Neemo Finance to support dApp staking. All while exercising complete control over their deposited ASTR.
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Neemo Finance
- Audited By
- Andy Cho
- Approved By
- Przemyslaw Swiatowiec
- Website
- https://neemo.finance→
- Changelog
- 30/08/2024 - Preliminary Report
- 04/09/2024 - Final Report
- Platform
- Astar
- Language
- Solidity
- Tags
- Staking
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope
- Commit
- 15e67df
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are provided.
Technical description is provided.
Code quality
The code is clearly written.
The code follows best practices and official language by style guide.
The development environment is configured.
Test coverage
Code coverage of the project is 87.01% (branch coverage).
Deployment and basic user interactions are covered with tests.
Negative cases coverage is missed.
System Overview
Neemo Finance is a non-custodial liquid staking protocol for Astar Network. It allows users to liquid stake their ASTR with Neemo Finance to support dApp staking. All while exercising complete control over their deposited ASTR.
AcessController — contract for managing access control roles and permissions.
DappStakingManager — contract for handling core functionalities of the Neemo dAppStaking.
DepositWrapper — contract for handling wrapped astar deposits.
PauseController — contract for controlling pause and unpause actions based on access control roles.
Timelock — implementation of OpenZeppelin's TimelockController for Neemo.
Privileged roles
NEEMO_DEV_ROLE: Role identifier for Neemo developers.
TIMELOCK_ROLE: Role identifier for timelock contract.
PAUSER_ROLE: Role identifier for pausers.
UNPAUSER_ROLE: Role identifier for unpausers.
GOVERNANCE_ROLE: Role identifier for governance entities.
Risks
Flexibility and Risk of Contract Upgrades: The token contract is upgradeable, allowing the admin to update the contract logic at any time. While this provides flexibility for addressing issues and evolving the project, it also introduces risks if upgrade processes are not properly managed or secured, potentially allowing for unauthorized changes that could compromise the project's integrity and security. This risk is mitigated by the team's use of a timelock with a 1-day delay.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
F-2024-5604 | Unused Import | Fixed | Observation | |
F-2024-5603 | State Variables That Should Be Immutable | Fixed | Observation | |
F-2024-5602 | Redundant Storage Reads Leading to Gas Overhead | Fixed | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details
- Commit
- 15e67dfb1d73299c0d07157d498c0941182717a3
- Whitepaper
- https://docs.neemo.finance→
- Technical Requirements
- README.md
Contracts in Scope
src/AccessController.solsrc/DappStakingManager.solsrc/DepositWrapper.solsrc/PauseController.solsrc/Timelock.solsrc/libraries/Configs.solsrc/libraries/PauseActions.solsrc/libraries/Roles.sol