We express our gratitude to the SOLIDUS AI TECH team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
System users should acknowledge all the risks summarized in the risks section of the report.
Functional requirements are detailed.
Technical description is detailed.
The code mostly follows best practices and style guides.
See low and informational issues for more information.
The development environment is configured.
Code coverage of the project is 100% (branch coverage).
Deployment and basic user interactions are covered with tests.
The Payment smart contract facilitates the deposit and withdrawal of AITech tokens for payment purposes. It allows users to withdraw in AITech or other ERC20, with other ERC20 withdrawals executed via PancakeSwap for specific users. The contract manages fee allocation, staking, and burning of tokens during deposits. It ensures secure transactions through signature verification and includes functions to update configurations and handle emergencies. The contract also incorporates mechanisms to pause operations during maintenance or upgrades.
Admin can approve the PancakeSwap router to use AITech tokens for swapping.
Admin can revoke the approval of the PancakeSwap router to spend AITech tokens.
Admin can set the AITech token address to migrate to a new AITech token contract.
Admin can set the PancakeSwap router address.
Admin can set the signer address whose private key is used to sign withdrawal requests.
Admin can configure the system staking rate.
Admin can configure the system burn rate.
Admin can configure the system fee rate.
Admin can configure the system minimum and maximum withdrawal amounts.
Admin can configure the staking wallet.
Admin can configure the fee wallet.
Admin can emergency transfer any token from the contract to any address. This function is used only when an unexpected issue occurs.
Interactions with External DeFi Protocols: Dependence on external DeFi protocols inherits their risks and vulnerabilities. This might lead to direct financial losses if these protocols are exploited, indirectly affecting the audited project.
Owner's Unrestricted State Modification: The absence of restrictions on state variable modifications by the owner leads to arbitrary changes, affecting contract integrity and user trust, especially during critical operations like minting phases.
Coarse-grained Authorization Model Risks: The broad authorization model increases the risk of protocol control loss if any authorized address is compromised, potentially leading to unauthorized actions and significant financial loss.
Single Points of Failure and Control: The project is fully or partially centralized, introducing single points of failure and control. This centralization can lead to vulnerabilities in decision-making and operational processes, making the system more susceptible to targeted attacks or manipulation.
System Reliance on External Contracts: The functioning of the system significantly relies on specific external contracts. Any flaws or vulnerabilities in these contracts adversely affect the audited project, potentially leading to security breaches or loss of funds.
The current version of the code does not support fee-on-transfer tokens. Adding such tokens in the future can create risks.
A signature from the protocol's centralized backend is needed to withdraw previously deposited funds. This mechanism carries a potential risk: it could be vulnerable to unauthorized access or misuse, potentially leading to locked funds, unauthorized access to funds, and compromised user assets.
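The fee-on-transfer limitation noted above, as an added Solidity example (not the audited Payment.sol or any code from the project): a hypothetical deposit that pays out fee, staking and burn shares, first trusting the requested amount and then checking the balance delta. The contract name, the basis-point denominator, the burn address and the `Deposited` event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract DepositSplitExample { // hypothetical model, not the audited contract
    uint256 private constant BPS = 10_000;           // assumed rate denominator
    address private constant BURN = address(0xdead); // assumed burn sink
    IERC20 public immutable token;
    address public immutable feeWallet;
    address public immutable stakingWallet;
    uint256 public immutable feeRate;     // basis points
    uint256 public immutable stakingRate; // basis points
    uint256 public immutable burnRate;    // basis points
    event Deposited(address indexed user, uint256 credited); // assumed: read by the backend
    error ShortTransfer(uint256 expected, uint256 received);

    constructor(IERC20 t, address fw, address sw, uint256 f, uint256 s, uint256 b) {
        require(fw != address(0) && sw != address(0), "zero address");
        require(f + s + b <= BPS, "rates exceed 100%");
        token = t; feeWallet = fw; stakingWallet = sw;
        feeRate = f; stakingRate = s; burnRate = b;
    }

    // Trusts `amount`: if the token taxes transfers, less arrives than is split and credited.
    function depositNaive(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        _split(amount);
    }

    // Measures what actually arrived and reverts on any shortfall before splitting.
    function depositChecked(uint256 amount) external {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        if (received != amount) revert ShortTransfer(amount, received);
        _split(received);
    }

    function _split(uint256 base) private {
        require(token.transfer(feeWallet, base * feeRate / BPS), "fee failed");
        require(token.transfer(stakingWallet, base * stakingRate / BPS), "stake failed");
        require(token.transfer(BURN, base * burnRate / BPS), "burn failed");
        emit Deposited(msg.sender, base);
    }
}
```

With a token that deducts a transfer tax, `depositNaive` pays the three shares and emits a credit based on an amount the contract never fully received, so the difference comes out of other deposits; `depositChecked` turns the unsupported-token assumption into a revert.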
Code | Title | Status | Severity
---|---|---|---
F-2024-4256 | Fees Change Can be Frontrunned | Fixed | Medium
F-2024-4258 | Missing Checks for Zero Address | Fixed | Low
F-2024-4244 | Redundant Assignment of _isPaused Variable Increases Gas Consumption | Fixed | Observation
F-2024-4243 | Public Functions Should Be Declared as External | Fixed | Observation
F-2024-4242 | Use of transfer() to Send Native Assets may Revert | Fixed | Observation
F-2024-4240 | Redundant Import | Fixed | Observation
F-2024-4239 | Floating Pragma | Accepted | Observation
When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
A reference on how risk scoring is done is available through the repository in our GitHub organization:
The scope of the project includes the following smart contracts from the provided repository:
Scope Details
contracts/Payment.sol
contracts/PaymentConstant.sol