Skip to content

Instantly share code, notes, and snippets.

@SakshamGuruji3
Last active June 11, 2023 18:30
Show Gist options
  • Save SakshamGuruji3/8998cc3fda3eae4ef9fb0a5f318470ed to your computer and use it in GitHub Desktop.
Save SakshamGuruji3/8998cc3fda3eae4ef9fb0a5f318470ed to your computer and use it in GitHub Desktop.

EnduraCoin Audit Report

Audit done by saksham

In Scope

https://github.com/CallistoSecurity/EnduracoinToken/tree/main

Findings

Incomplete Implementation Of The Pause Functionality

Severity - medium

Description

In the EnduraCoinToken contract pause functionality has been integrated using the OZ's pausable library , and pause and unpause methods have been introduced. But all the critical functions lack the check to see if the contract is in paused state or not , for example mint can be called to mint ENDC even when contract is paused.

https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L31 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L37 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L41

Rounding Will Give Incorrect uptime Value

Severity - medium

Description

In the EnduracoinValue contract here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L13 we calculate the uptime , but this time would be incorrect as , for example if 18.9 days have passed since the startTime , uptime would be 18. Due to this when we calculate timestampOfLastVGAChange here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L27 , we will get the timestamp of startDate + 18 days converted to seconds , while the correct timestamp should have been 18.9 + startDate.

Recommendation

Use simple block.timestamp instead

baseValue Won't Update If setDailyValueGainAdjustment Is Called Within A Day

Severity - medium

Description:

Let's assume setDailyValueGainAdjustment is called , now timestampOfLastVGAChange is set to today. Now if the function is called again , but within 24 hrs , baseValue calculated here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L44 would be unchanged (((block.timestamp - timestampOfLastVGAChange) / 86400) would be 0) AND the value would of VGA be updated to the new value.

Recommendation:

Add a timlock for 1 day for setDailyValueGainAdjustment

Calculated baseValue would be less than expected

Severity - unknown , might be intended behavior

Description

When we call setDailyValueGainAdjustment to update the value of dailyValueGain , it calls updateValue here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L26 which recalculates baseValue here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L44 , which updates it according to the time passed between two updates. But if let's say 18.9 days have passed between the two updates , the baseValue would be adjusted by 18 days (due to rounding) and the resulting value would be lesser.

Similar rounding happens in getCurrentValue() here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L53 Use block.timestamp instead

getCurrentValue() Gives Wrong Result When timestampOfLastVGAChange Is Within A Day

Severity - low

Description

We calculate current value here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L51 , if block.timestamp - timestampOfLastVGAChange) / 86400) == 0 meaning time elapsed since last VGA change is within a day , it returns baseValue + dailyValueGain , which is wrong . Since 0 days have passed since the last update daily value gain must be 0 , therefore the returned value should be just baseValue

Consider to make the burn function public (without onlyOwner)

Severity - note

Assume a case where all 50 Billion of the tokens are minted to other users(through a series of burn and mints) , now the owner or let's say the protocol needs to burn some tokens , but they can't as burn won't work (owner has 0 tokens) and users have not allowed owner to burn. In cases like these users should be able to burn.

Public functions not used internally an be marked external

Severity - note

Instances:

https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L23 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L27 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L31 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L37 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L41 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L62 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L68 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L123 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L131

beforeTokenTransfer Can be removed as it is not used

Severity - note

In the EnduraCoinToken contract the function beforeTokenTransfer can be removed as it is not used(cause notransfer of tokens is implemented) https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L50

Use scientific notation instead of using decimal representation for readability

Severity - note

Use scientific notation instead of using decimal representation for readability , example here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinToken.sol#L16 use 5*1e9 ,

https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L14 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L33

Consider using a fresh startDate

Severity - note

Currently the code https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L12 uses 1 Jan 2023 as the start date which is used to calculate uptime which is used to calculate baseValue. For meaningful results set the startDate to the date when the contract will be deployed , or set it in the constructor on deployment.

Redundant Code

Severity - note

There are a couple of instances where a line of code can be omitted.

Example 1 - https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L28

No need for the above as value is already set here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L45

Example 2 - https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L61

No need for this as we already check this condition here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L33

onlyOwner can be removed from view functions

Severity - note

There is no purpose of having a onlyOwner modifier on view functions , it just hinders decentralisation , consider removing them.

https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L51 https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L56

If the number is big enough , it would result in too much gas consumption in the convertToString function

Severity - gas

Here https://github.com/CallistoSecurity/EnduracoinToken/blob/main/EnduracoinValue.sol#L51 at every iteration the length is calculated , this would result in huge gas consumption if the number of bytes are big enough. Consider caching the length of the number of bytes.

Missing docstrings

Severity - note

Many functions in the code base lack documentation. This hinders reviewers’ understanding of the code’s intention, which is fundamental to correctly assess not only security, but also correctness. Additionally, docstrings improve readability and ease maintenance. They should explicitly explain the purpose or intention of the functions, the scenarios under which they can fail, the roles allowed to call them, the values returned and the events emitted.

Consider thoroughly documenting all functions (and their parameters) that are part of the contracts’ public API. Functions implementing sensitive functionality, even if not public, should be clearly documented as well. When writing docstrings, consider following the Ethereum Natural Specification Format (NatSpec).

Missing test suite

Severity - note

The codebase is missing a detailed test suite , building a test suite with 100% coverage is essential in the development and testing of a protoco/project.

@yuriy77k
Copy link

@yuriy77k
Copy link

Rounding Will Give Incorrect uptime Value

Rounding is not an issue here, because uptime is calculated in full days.

@yuriy77k
Copy link

baseValue Won't Update If setDailyValueGainAdjustment Is Called Within A Day

It's not an issue. dailyValueGain applied only for a full day. If setDailyValueGainAdjustment is called within the same day, baseValue shouldn't be updated again.

@yuriy77k
Copy link

Calculated baseValue would be less than expected

Not an issue.

baseValue calculated on a daily basis. It doesn't need to take into account unfinished day.

@yuriy77k
Copy link

beforeTokenTransfer Can be removed as it is not used

it is used to implement whenNotPaused modifier.

@yuriy77k
Copy link

yuriy77k commented Jun 11, 2023

If the number is big enough , it would result in too much gas consumption in the convertToString function

It is not an issue. The maximum number of iterations for UINT256 is 78, and it does not cause gas issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment