Wibson Smart Contract Audit

The engagement was technical in nature and focused on identifying security flaws in the design and implementation of the contracts, finding differences between the contracts’ implementation and their behavior as described in public documentation, and finding any other issues with the contracts that may impact their trustworthiness. Wibson provided New Alchemy with access to the relevant source code and whitepapers.

The audit was performed over two days. This document describes the issues discovered in the audit.

Note: The initial version of this document was provided to Wibson who then made various changes to their smart contract source code based upon New Alchemy’s findings. This document now consists of the original and unchanged, other than typos and an updated inheritance chart, audit report (v1.0) overlaid with re-test results (v2.2). Re-test results are reflected in each issue title as ‘Fixed’, ‘Partially Fixed’, ‘Not Fixed’ or ‘Informational’. Supporting re-test commentary is attached to a bolded ‘Re-test v2.1:’ prefix and placed at the end of the relevant section. The bulk of the re-test content relates to an examination of individual issues, along with brief comments in the executive summary and files audited sections. All figures are from the initial version of the document.

The two smart contracts consisted of two source files, 53 passing tests and documentation. The contracts implement token vesting functionality. Overall they demonstrated use of established libraries, testing methods, and standard practices.

The audit identified issues with impacts ranging from moderate to very minor. The more significant findings involve

While the test cases were not in scope, they were helpful to explore and confirm issues. The whitepaper and README.mdwere considered the primary documentation for intended functionality. A majority of the code was standard and copied from widely-used and reviewed contracts.

Re-test v2.1: New Alchemy has discussed the prior audit results with Wibson, advised on efficient and effective mitigation approaches, and inspected the resulting smart contract code provided for re-testing. New Alchemy has concluded:

The specific files making up the complete deployed package include the following:

Re-test v2.1: The revised contracts after the initial report was delivered are in commit a19173c9f5c98c601ad94a531e48e0b2668c645a.

New Alchemy’s audit was additionally guided by Tokens.Distribution.for.Launch.pdf, shasum cbcba511a863aef4b560ccb67fea3628e017cc25.

The repository contained 53 truffle-based tests that ran and passed out of the box without requiring modifications. While New Alchemy generally utilizes the test cases to aid in inspecting and understanding the smart contract source code, they are outside of the primary security scope of the audit. Nonetheless, a large number of passing test cases is an excellent leading indicator of good quality.

No critical issues were found.

Re-test results: Wibson updated the OpenZeppelin dependency to 1.12.0.

Utilizing third-party, standardized, battle-tested components provides significant benefits in contract security. These components have a known track record and are generally carefully inspected by many people, well tested and quickly patched when vulnerabilities arise. However, many of these benefits are lost when dependencies become outdated or disconnected from their original source.

The package.json file present in the GitHub repository specifically includes the following dependency references:

Openzeppelin-solidity should be upgraded to 1.12.0 as follows:

Re-test results: Wibson added events to all 3 cases.

The common security mantra of “deter, detect, delay and respond” provides a useful mental model for consideration during smart contract development. The ‘detect’ and ‘respond’ aspects are very dependent upon logging and auditing functionality. For these reasons, New Alchemy recommends emitting events whenever significant state-changing functionality is invoked (and further differentiating between success and failure) so auditing can be performed without a difficult direct inspection of the blockchain.

Re-test results: Wibson now inherits the Claimable OpenZeppelin contract where appropriate.

In order to prevent this high-impact scenario, New Alchemy recommends implementing a two-phase ownership transfer. In this model, the original owner designates a new owner but does not actually transfer ownership. The new owner then accepts ownership and completes the transfer. This can be implemented as follows:

This section provides the fully-elaborated application binary interface (ABI) for the primary contracts as seen at runtime. The ABI defines how the contracts may be interacted with while running inside the EVM. The tables make for very easy inspection of top-level specifics including:

This section lists comments on design decisions and code quality made by New Alchemy during the review. They are not known to represent security flaws.

contracts/TokenTimelockPool.sol Lines 63, 93, 129

Solidity coding style convention prefers the explicit use of block.timestamp over its alias of now to more clearly reflect the dependence upon block mining. Also, note that this value can be manipulated by the block miner by approximately 30 seconds. It does not appear that fundamental contract integrity is dependent upon precise timestamps, but this vulnerability should be kept in mind as the code evolves.

Re-test results: Wibson now emits events in all 3 cases.

contracts/TokenTimelockPool.sol Lines 86, 127

contracts/TokenVestingPool.sol Line 95

State changing functions should emit events.

The audit makes no statements or warranties about utility of the code, safety of the code, compiler or tools stability, suitability of the business model, regulatory regime for the business model, or any other statements about fitness of the contracts to purpose, or their bug-free status. The audit documentation is for discussion purposes only.

Related posts:

The news was disturbing enough that the American Secretary of State Mike Pompeo had to personally stave off his staff’s objections over continued military support for Saudi Arabia’s war in Yemen, to…

Who is the traditional expert who acts as a guide between realities? It’s the shaman, is the magical athlete of the spirit world. Do you know how to find one? Could you have this latent ability…

Bei einem Matchmaking-Event, das er 1998 organisierte, brachte Rabbi Yaacov Deyo einen Gragger mit, den die Juden während Purims benutzen. In dieser Nacht, in einem Peet’s Coffee & Tea in Beverly…