Audit name:

[SCA] Marsha+ Foundation / Token / Nov2023

Date:

Jun 6, 2024

Table of Content

Introduction

Audit Summary

System Overview

Risks

Findings

Appendix 1. Severity Definitions

Appendix 2. Scope

Disclaimer

Introduction

We express our gratitude to the Marsha+ Foundation team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Document

NameSmart Contract Code Review and Security Analysis Report for Marsha+ Foundation
Audited By
Approved ByYves Toiser
Websitehttps://www.marshafoundation.org/
Changelog03/11/2023 - Preliminary Report --16/11/2023 - Final Report –- This report has been reissued on 05/06/2024 because of a change of repository
PlatformEVM
LanguageSolidity
TagsERC20
Methodologyhttps://hackenio.cc/sc_methodology

Review Scope

Repositoryhttps://github.com/MarshaFoundation/MarshaPlusSolidityContract/
Commit0f3ad58f036ed761f78ba8670dd0725561352443

Audit Summary

8Total Findings
8Resolved
0Accepted
0Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

  • Functional requirements are provided.

  • Technical description is provided.

Code quality

  • The development environment is configured.

Test coverage

Code coverage of the project is 100% (branch coverage).

  • Tests are not mandatory for projects with LOC \< 250.

System Overview

MarshaToken  — it is a simple ERC-20 token that mints all initial supply to the deployed contract. Additional minting is not allowed.

It has the following attributes:

  • Name: MARSHA+

  • Symbol: MSA

  • Decimals: 18

  • Total supply: 8 billion tokens

Risks

If community tokens are moved to a different address, it will no longer be possible to call the burnIfNeeded() function, nor will the annual burning of community tokens be feasible.

Findings

Code
Title
Status
Severity
F-2024-3595
Funds lock because of denial of transfer service
Fixed

Critical
F-2024-3596
Overriding inherited functions violation
Fixed

Medium
F-2024-3598
Incorrect state variables updating
Fixed

Low
F-2024-3597
Missing zero address validation
Fixed

Low
F-2024-3602
Style guide violation
Fixed

Observation
F-2024-3601
State variable default visibility is not set
Fixed

Observation
F-2024-3600
State variables can be declared immutable
Fixed

Observation
F-2024-3599
Floating pragma used in the contract
Fixed

Observation
1-8 of 8 findings

Appendix 1. Severity Definitions

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

Severity

Description

Critical
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.

High
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.

Medium
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.

Low
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Contracts in Scope

contracts
MarshaPlus.sol - contracts/MarshaPlus.sol

Disclaimer