We express our gratitude to the Marsha+ Foundation team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Document | |
---|---|
Name | Smart Contract Code Review and Security Analysis Report for Marsha+ Foundation |
Audited By | |
Approved By | Yves Toiser |
Website | https://www.marshafoundation.org/ |
Changelog | 03/11/2023 - Preliminary Report; 16/11/2023 - Final Report; reissued on 05/06/2024 because of a change of repository |
Platform | EVM |
Language | Solidity |
Tags | ERC20 |
Methodology | https://hackenio.cc/sc_methodology |
Review Scope | |
---|---|
Repository | https://github.com/MarshaFoundation/MarshaPlusSolidityContract/ |
Commit | 0f3ad58f036ed761f78ba8670dd0725561352443 |
The system users should acknowledge all the risks summed up in the risks section of the report.
Functional requirements are provided.
Technical description is provided.
The development environment is configured.
Code coverage of the project is 100% (branch coverage).
Tests are not mandatory for projects with LOC < 250.
MarshaToken is a simple ERC-20 token that mints the entire initial supply to the deployed contract at deployment. Additional minting is not allowed.
It has the following attributes:
Name: MARSHA+
Symbol: MSA
Decimals: 18
Total supply: 8 billion tokens
If community tokens are moved to a different address, it will no longer be possible to call the burnIfNeeded() function, nor will the annual burning of community tokens be feasible.
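To make the fixed-supply and community-burn behaviour described above concrete, the contract below is an added illustration written for this page. It is not the audited MarshaPlus.sol and does not reproduce its code: the burn cadence, the percentage burned, the name of the reserve address, the recipient of the initial mint, the use of the OpenZeppelin ERC20 base contract and the custom error names are all assumptions. It also applies, as a matter of form, the observations listed in the findings table (pinned pragma, immutable state variable, zero-address check) so a reader can see what those fixes look like.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24; // pinned rather than floating (cf. "Floating pragma used in the contract")

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// Illustrative fixed-supply ERC-20 with a scheduled burn of a community reserve.
/// Added example for this report page, NOT the audited MarshaPlus.sol.
/// ASSUMPTIONS: burn interval, burn percentage, reserve address name, error names,
/// and minting the supply to the deployer are all illustrative choices.
contract FixedSupplyBurnExample is ERC20 {
    // 8 billion tokens with 18 decimals, as listed in the token attributes
    uint256 public constant INITIAL_SUPPLY = 8_000_000_000 * 1e18;
    uint256 public constant BURN_INTERVAL = 365 days; // assumed "annual" cadence
    uint256 public constant BURN_BPS = 500;           // assumed 5% of the reserve per burn

    // Fixed at deployment and never changed (cf. "State variables can be declared immutable")
    address public immutable communityWallet;
    uint256 public nextBurnTime;

    error ZeroAddress();
    error BurnNotDue(uint256 dueAt);
    error NothingToBurn(address reserve);

    constructor(address community) ERC20("MARSHA+", "MSA") {
        // cf. "Missing zero address validation"
        if (community == address(0)) revert ZeroAddress();
        communityWallet = community;
        nextBurnTime = block.timestamp + BURN_INTERVAL;
        // The whole supply is minted exactly once; there is no mint() entry point,
        // so total supply can only go down through burnIfNeeded().
        _mint(msg.sender, INITIAL_SUPPLY); // recipient is an assumption
    }

    /// Burns a fixed share of whatever the community wallet still holds.
    /// Caveat this illustrates: the function reads balanceOf(communityWallet) and the
    /// address is immutable, so if the reserve is transferred to another account the
    /// computed amount is 0 and every call reverts with NothingToBurn. The scheduled
    /// burn is then impossible for the lifetime of the contract.
    function burnIfNeeded() external {
        if (block.timestamp < nextBurnTime) revert BurnNotDue(nextBurnTime);

        uint256 amount = (balanceOf(communityWallet) * BURN_BPS) / 10_000;
        if (amount == 0) revert NothingToBurn(communityWallet);

        // Update state before the balance-changing effect (cf. "Incorrect state variables updating")
        nextBurnTime += BURN_INTERVAL;

        // _burn is internal, so no allowance from the reserve is required;
        // this privilege is exactly why the reserve address must be correct.
        _burn(communityWallet, amount);
    }
}
```

A practitioner checking a live deployment for this risk would read the reserve address off the contract, compare `balanceOf(reserve)` against the amount the next burn expects to remove, and simulate `burnIfNeeded()` with `eth_call` before the due date; a revert on the simulation means the tokens have already been moved and the burn schedule is broken.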
Code | Title | Status | Severity |
---|---|---|---|
F-2024-3595 | Funds lock because of denial of transfer service | Fixed | Critical |
F-2024-3596 | Overriding inherited functions violation | Fixed | Medium |
F-2024-3598 | Incorrect state variables updating | Fixed | Low |
F-2024-3597 | Missing zero address validation | Fixed | Low |
F-2024-3602 | Style guide violation | Fixed | Observation |
F-2024-3601 | State variable default visibility is not set | Fixed | Observation |
F-2024-3600 | State variables can be declared immutable | Fixed | Observation |
F-2024-3599 | Floating pragma used in the contract | Fixed | Observation |
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
A reference on how risk scoring is done is available through the repository in our GitHub organization.
Severity | Description |
---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations, as well as major deviations from best practices, are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution and do not affect the security score, but they can affect the code quality score. |
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
---|---|
Repository | https://github.com/MarshaFoundation/MarshaPlusSolidityContract/ |
Commit | 0f3ad58f036ed761f78ba8670dd0725561352443 |
Whitepaper | https://marshafoundation.gitbook.io/marsha+-wp/ |
Requirements | https://marshafoundation.gitbook.io/marsha+-wp/ |
Technical Requirements | https://github.com/MarshaFoundation/MarshaPlusSolidityContract/blob/main/README.md |
contracts/MarshaPlus.sol