This is the report from a security audit performed on CORION platform by Dexaran. The audit focused primarily on the fault tolerance of the system. I can conclude that smart-contracts were not in the final state at the time of the audit start, and the changes were applied during the audit process, which made it more time consuming.
The whole system is modular. Contracts are upgradeable. The debug mode allows to intervene into contracts workflow to fix any error during the contracts workflow.
I will not describe each reported issue and each function here because of the size of the contracts. All the work is transparently available on github repo.
In total, 78 issues were reported including 6 critical issues(#1, #2, #3, #4, #5, #6), 2 compiler-related issues (#1, #2), 1 EVM-related issue (#1).
A version of CORION platform ( commit hash bbb992e14b02d00669c4f4653f0f97a4aacf59d1
) was deployed on Rinkeby testnet.
Two sessions of bug bounty were launched.
The whole system of CORION smart-contracts is very complex and interaction between contracts is complicated also. Contracts were not in the final state at the time of the audit beginning. Suggested changes were applied during the audit process. The system was not fully covered with automated tests.
As the result it was impossible to test every aspect and fully cover the whole system with tests due to limited time frame.
Code is hard to read, hard to verify which increases the probability of mistake and makes it harder to track them.
The code is complicated by functionality that is not necessary for the workflow of contracts. Since any part of code potentially creates a field for error, I would recommend to exclude unnecessary functions from the contracts.
Such are:
-
Approval functionality. Deprecated functionality due to fix of stack depth attack at EIP 150.
-
The restrictions that the CORION Foundation sets for itself. #1 and #2.
Not all contracts were finished at the moment of audit. Some changes were made very recently. Every new change and bug fix has a probability of introducing new bugs/flaws that should also be tracked.
Due to the lack of testing coverage and recent changes, I recommend to complete the development of the whole contracts system first.
A full and complex testing of the whole system must be performed after the final version of contracts will be established to cover recent updates. It is highly recommended to deploy the whole finished system on testnet first.
Also, I would recommend to launch a bug bounty on the whole system of contracts after finalizing of the development of all contracts.
I will recommend to apply changes before deploying contracts.
any guarantee that they'll fix and audit again after completeness?