Introduction
We express our gratitude to the Marsha+ Foundation team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Marsha+ Foundation
- Audited By
- Approved By
- Yves Toiser
- Changelog
- 03/11/2023 - Preliminary Report --16/11/2023 - Final Report –- This report has been reissued on 05/06/2024 because of a change of repository
- Platform
- EVM
- Language
- Solidity
- Tags
- ERC20
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope
- Commit
- 0f3ad58f036ed761f78ba8670dd0725561352443
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are provided.
Technical description is provided.
Code quality
The development environment is configured.
Test coverage
Code coverage of the project is 100% (branch coverage).
Tests are not mandatory for projects with LOC \< 250.
System Overview
MarshaToken — it is a simple ERC-20 token that mints all initial supply to the deployed contract. Additional minting is not allowed.
It has the following attributes:
Name: MARSHA+
Symbol: MSA
Decimals: 18
Total supply: 8 billion tokens
Risks
If community tokens are moved to a different address, it will no longer be possible to call the burnIfNeeded() function, nor will the annual burning of community tokens be feasible.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
F-2024-3595 | Funds lock because of denial of transfer service | Fixed | Critical | |
F-2024-3596 | Overriding inherited functions violation | Fixed | Medium | |
F-2024-3598 | Incorrect state variables updating | Fixed | Low | |
F-2024-3597 | Missing zero address validation | Fixed | Low | |
F-2024-3602 | Style guide violation | Fixed | Observation | |
F-2024-3601 | State variable default visibility is not set | Fixed | Observation | |
F-2024-3600 | State variables can be declared immutable | Fixed | Observation | |
F-2024-3599 | Floating pragma used in the contract | Fixed | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details
- Commit
- 0f3ad58f036ed761f78ba8670dd0725561352443
- Requirements
- https://marshafoundation.gitbook.io/marsha+-wp/→
- Technical Requirements
- https://github.com/MarshaFoundation/MarshaPlusSolidityContract/blob/main/README.md→
Contracts in Scope
contracts/MarshaPlus.sol