@gorbunovperm
Last active April 13, 2021 08:30
Beluga Protocol Security Audit Report

Summary

This is the report from a security audit performed on Beluga Protocol by gorbunovperm.

Beluga Protocol

https://belugaprotocol.org/

In scope

Commit hash: 84c33c8ca90f4a6d3ed2115bd7b2d90bf595abc9

https://github.com/belugaprotocol/beluga-protocol/tree/84c33c8ca90f4a6d3ed2115bd7b2d90bf595abc9

Findings

In total, 3 issues were reported including:

  • 0 high severity issues.

  • 1 medium severity issue.

  • 1 low severity issue.

  • 0 owner privileges.

  • 1 note.

Security issues

3.1. NoMintRewardPool is not defined

Severity: low

Description

The NoMintRewardPool contract is referenced but not defined anywhere in the repository. It probably refers to the StakingRewards contract from RewardsPool.sol.

Code Snippet

3.2. tx.origin is vulnerable

Severity: medium

Description

RewardPool.sol uses the tx.origin construct to allow only the initiator of the transaction to collect the reward. This locks out users who interact through smart contracts for convenience or security: for example, users of multisig wallets will not be able to use this contract at all.

More info about tx.origin vulnerabilities: ethereum/solidity#683
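The pattern described above, as an added illustration that is not the audited RewardPool.sol code (the original snippet is not reproduced in this report): a reward pool gated on tx.origin, the same pool authorised on msg.sender instead, and a minimal contract-wallet stand-in whose forwarded claim reverts against the first version. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reconstruction of the tx.origin check flagged in 3.2; the shape
// of the check is an assumption, not the project's code.
contract RewardPoolTxOrigin {
    mapping(address => uint256) public rewards;
    function fund(address account) external payable {
        rewards[account] += msg.value;
    }

    // Vulnerable: only an externally owned account calling directly passes.
    // A multisig or smart-contract wallet forwarding the call has
    // msg.sender != tx.origin and can never collect its own reward.
    function getReward() external {
        require(msg.sender == tx.origin, "only direct callers");
        uint256 amount = rewards[msg.sender];
        rewards[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }
}

// Fixed: authorise on msg.sender alone, so an EOA and a contract wallet are
// treated the same. State is zeroed before the external call.
contract RewardPoolFixed {
    mapping(address => uint256) public rewards;
    function fund(address account) external payable {
        rewards[account] += msg.value;
    }

    function getReward() external {
        uint256 amount = rewards[msg.sender];
        rewards[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Minimal stand-in for a multisig/contract wallet that forwards a call. Against
// RewardPoolTxOrigin, msg.sender is this contract while tx.origin is the EOA
// that triggered it, so the require reverts; against RewardPoolFixed it works.
contract WalletForwarder {
    function claim(address pool) external {
        (bool ok, ) = pool.call(abi.encodeWithSignature("getReward()"));
        require(ok, "claim reverted");
    }
    receive() external payable {}
}
```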

Code snippet

3.3. Known vulnerabilities of ERC-20 token

Severity: low

Description

  • The token is susceptible to the double withdrawal attack. More details here

  • The token lacks a transaction handling mechanism. WARNING! This is a very common issue, and it has already caused millions of dollars in losses for many token users! More details here

Conclusion

Some dangerous vulnerabilities were discovered in the audited code.
