Introduction
We express our gratitude to the Zignaly team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Zignaly is a cryptocurrency investment platform that offers automated trading services, profit-sharing with professional traders, and copy trading features for both novice and experienced investors.
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Zignaly
- Audited By
- Viktor Raboshchuk
- Approved By
- Grzegorz Trawinski
- Website
- https://zignaly.com/→
- Changelog
- 20/08/2024 - Preliminary Report; 21/08/2024 - Final Report
- Platform
- Ethereum
- Language
- Solidity
- Tags
- Staking
- Methodology
- https://hackenio.cc/sc_methodology→
Review Scope
- Commit
- fb54aa3
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report
Documentation quality
Functional requirements are detailed.
Technical description is detailed.
Run instructions are provided.
Technical specification is provided.
The NatSpec documentation is sufficient.
Code quality
The code follows the Solidity style guide.
The development environment is configured.
Test coverage
Code coverage of the project is 100% (branch coverage).
Deployment and basic user interactions are covered with tests.
Negative cases coverage is present.
Interactions by several users are not tested thoroughly.
System Overview
Zignaly is a staking protocol with the following contracts:
ZigStaking.sol — smart contract designed for staking ERC-20 ZigCoin tokens. Users can stake tokens, which are then held in the contract, and can later unstake and withdraw tokens based on certain conditions
Privileged roles
The owner of the ZigStaking contract is able change the staking status of the contract between "released" and "locked" states. When staking is "released," users can withdraw their staked tokens without any penalties. When toggled to "locked," users must wait through the penalty period before withdrawing their tokens
Risks
The absence of restrictions on state variable modifications by the owner leads to arbitrary changes, affecting contract integrity and user trust, especially during critical operations like minting phases. The toggleStakeStatus function can be called at any time, allowing the owner to enable or disable staking suddenly. This unrestricted control over critical functions like staking status exacerbates the risk of unpredictable contract behavior, further undermining user confidence.
The calculation of staking rewards distribution relies on off-chain processes, using events to log stake and unstake dates that are later read by a backend system. This approach introduces a risk related to data integrity and transparency. Since the reward calculation and distribution are handled outside the blockchain, there is potential for discrepancies or manipulation in the data processing, which could lead to inaccurate reward allocations.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
F-2024-5411 | Mismatch Between Documentation and Implementation | Fixed | Low | |
F-2024-5409 | Lack of Two Step Ownership Transfer Mechanism | Fixed | Low | |
F-2024-5408 | Missing Input Validation in Staking Constructor | Fixed | Low | |
F-2024-5434 | Missing Events Emitting for toggleStakeStatus Function | Fixed | Observation | |
F-2024-5410 | Ambiguous BadIndex Error Naming in withdrawTokens Function | Fixed | Observation |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details
- Commit
- fb54aa33a735c40f9bfc7d144e17faeb93fac86b
- Whitepaper
- -
- Technical Requirements
- https://github.com/zignaly-open/staking_smartcontract/blob/main/README.md→
Contracts in Scope
contracts/ZigStaking.sol