Audit name:

[SCA] Right to Privacy / Railgun / Nov2021

Date:

Nov 3, 2021

Table of Contents

Introduction

Audit Summary

System Overview

Findings

Appendix 1. Definitions

Appendix 2. Scope

Disclaimer

Introduction

We express our gratitude to the Right to Privacy team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

RAILGUN is a privacy system built directly on-chain for Ethereum, BSC, Polygon, and Arbitrum that uses Zero-Knowledge (ZK) cryptography to enable private use of smart contracts and DeFi, all without leaving the security of the user’s preferred chain.

Document

    Name: Smart Contract Code Review and Security Analysis Report for Right to Privacy
    Audited By: Hacken
    Approved By: Hacken
    Website: righttoprivacy.foundation
    Changelog: 02/11/2021 - Final Report
    Platform: Ethereum, Arbitrum, BSC, Polygon
    Language: Solidity
    Type: Privacy System Platform

Audit Summary

Total Findings: 4
Resolved: 4
Accepted: 0
Mitigated: 0

According to the assessment, the Customer's smart contracts are secured but some functions could run out of gas.

System Overview

Executive Summary

Our team performed an analysis of code functionality, a manual audit, and automated checks with Mythril and Slither. All issues found during automated analysis were manually reviewed, and important vulnerabilities are presented in the Audit overview section, which lists all found issues. As a result of the audit, security engineers found 2 medium and 2 low severity issues.

Graph 1. The distribution of vulnerabilities after the audit.


Conclusion

Smart contracts within the scope were manually reviewed and analyzed with static analysis tools. The audit report contains all found security vulnerabilities and other issues in the reviewed code. As a result of the audit, security engineers found 2 medium and 2 low severity issues.

Findings

Code         Title                                              Status  Severity
F-2021-012   Too low test coverage                              Fixed   Medium
F-2021-0121  Test Unit Failed                                   Fixed   Medium
F-2021-0124  A public function that could be declared external  Fixed   Low
F-2021-0123  Missing zero address validation                    Fixed   Low

Appendix 1. Definitions

Severities

When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

    Severity: Critical
    Description: Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

    Severity: High
    Description: High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

    Severity: Medium
    Description: Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions, requirements violations, and major deviations from best practices are also in this category.

    Severity: Low
    Description: Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope

governance
    Delegator.sol - governance/Delegator.sol
    Deployer.sol - governance/Deployer.sol
    Staking.sol - governance/Staking.sol
    Voting.sol - governance/Voting.sol
logic
    Commitments.sol - logic/Commitments.sol
    Globals.sol - logic/Globals.sol
    Poseidon.sol - logic/Poseidon.sol
    RailgunLogic.sol - logic/RailgunLogic.sol
    Snark.sol - logic/Snark.sol
    TokenWhitelist.sol - logic/TokenWhitelist.sol
    Verifier.sol - logic/Verifier.sol
proxy
    Proxy.sol - proxy/Proxy.sol
    ProxyAdmin.sol - proxy/ProxyAdmin.sol
teststubs
    governance
        Getter.sol - teststubs/governance/Getter.sol
        GovernanceTarget.sol - teststubs/governance/GovernanceTarget.sol
        StakingStub.sol - teststubs/governance/StakingStub.sol
    logic

Disclaimer