AlexGo Audit: Launchpad, Yield Vault and Collateral Rebalancing Pool


Introduction

CoinFabrik was asked to audit the contracts for the AlexGo project. First we present a
summary of our findings and then we show the details of each finding.

Scope

The contracts audited are from the https://github.com/alexgo-io/alex-v1 git
repository. The audit is based on the commit
e268fd53370be3a271625bd45523ae07cb1239ac.

The audited contracts are:

● clarity/contracts/pool/alex-launchpad-v1-1.clar: Launchpad contract for IDO creation.
● clarity/contracts/pool/collateral-rebalancing-pool.clar: Contract for collateral-token pool creation.
● clarity/contracts/pool/yield-vault-alex.clar: Vault for yield tokens.

The scope of the audit is limited to these files. No other files in this repository were
audited. Their dependencies are assumed to work according to their documentation.
Also, no tests were reviewed for this audit.

Analyses

Without being limited to them, the audit process included the following analyses:

● Arithmetic errors
● Race conditions
● Misuse of block timestamps
● Denial of service attacks
● Excessive gas usage
● Needlessly complex code and contract interactions
● Poor or nonexistent error handling
● Insufficient validation of the input parameters
● Centralization and upgradeability
● Weak authentication

Summary of Findings

We found one medium issue and one minor issue. Also, two enhancements were
proposed.
The two issues were acknowledged.

Security Issues

Privileged Roles

These are the privileged roles that we identified in each of the audited contracts.

alex-launchpad-v1-1

Owner

The owner is the only role that can create ticket pools, which is required to start an IDO. It
is also able to provide tickets to a pool, to call the claiming and refunding
functions without waiting for the grace period to end, and to transfer the whole
balance of a specific token to the owner.

Approved Operator

This role can also provide tickets to a pool and call the claiming and refunding
functions without waiting for the grace period to end.

IDO Owner

The IDO owners can add tickets to their pool and call the claiming and refunding
functions without waiting for the grace period to end.

Security Issues Found

Severity Classification

Security risks are classified as follows:

● Critical: These are issues that we managed to exploit. They compromise the
system seriously. They must be fixed immediately.
● Medium: These are potentially exploitable issues. Even though we did not
manage to exploit them or their impact is not clear, they might represent a
security risk in the near future. We suggest fixing them as soon as possible.
● Minor: These issues represent problems that are relatively small or difficult
to take advantage of but can be exploited in combination with other issues.
These kinds of issues do not block deployments in production environments.
They should be taken into account and be fixed when possible.

Issues Status

An issue detected by this audit can have four distinct statuses:

● Unresolved: The issue has not been resolved.
● Acknowledged: The issue remains in the code but is a result of an intentional
decision.
● Resolved: Adjusted program implementation to eliminate the risk.
● Partially resolved: Adjusted program implementation to eliminate part of the
risk. The other part remains in the code but is a result of an intentional
decision.
● Mitigated: Implemented actions to minimize the impact or probability of the
risk.

Critical Severity Issues

No issues found.

Medium Severity Issues

ME-01 Launchpad: Full Distribution not Guaranteed

Location:

● clarity/contracts/pool/alex-launchpad-v1-1.clar:258-287

Launchpad randomness relies on moving a position along a chain of tickets, where
the distance of each step is determined by a random number generator, and for
each position where it stops, that ticket is determined to be a winner. Each random
number is the result of a bigger number modulo a predefined max_step. This
predefined value is general for each IDO and its formula (simplified for this
explanation) is:

Where registered is the number of tickets registered in the IDO by the players,
and winners is the number of winner tickets the distribution will have.

As a consequence, full distribution is only guaranteed when

method register quantity

because max_step then results in one or less than one, and therefore every participant wins.

On the other hand, if that relation is not satisfied, fewer tickets may be distributed.
As a clear example, if there were only one winner ticket available and only one
ticket registered, max_step would be equal to 1.5. The participant would win if the
position after the step falls between 0 and 1. Therefore, this participant has a probability
of winning of just 66.67% in a single-player IDO.
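The following simulation is an added example, not code from the audit or from the ALEX contracts. It models the walk as described above (the walk starts at position 0, each step draws a distance in [0, max_step) measured in tickets, and the ticket under the new position wins), with max_step taken as an explicit parameter because the formula deriving it is not reproduced on this page; the stopping rule after the walk passes the last ticket is also an assumption of this model. It reproduces the 66.67% single-player case and shows that, with the same max_step, a larger IDO also leaves winner slots unfilled.

```python
"""Model of the ME-01 finding: a random walk over registered tickets.

Model assumptions (not taken from the audited contract): the walk starts at
0.0, each step is uniform in [0, max_step) ticket widths (the "random number
modulo max_step" from the report), the ticket under the new position wins,
and the walk ends after `winners` steps or once it passes the last ticket.
max_step is a parameter: its derivation formula is not part of this model.
"""
import random


def walk_winners(registered: int, winners: int, max_step: float,
                 rng: random.Random) -> set[int]:
    """Run one walk and return the set of distinct ticket indices that won."""
    won: set[int] = set()
    position = 0.0
    for _ in range(winners):
        position += rng.uniform(0.0, max_step)   # step = random mod max_step
        ticket = int(position)                   # ticket under the new position
        if ticket >= registered:
            # Walked off the end of the chain: the remaining winner slots stay
            # unfilled, which is exactly the incomplete distribution of ME-01.
            break
        won.add(ticket)
    return won


def single_ticket_win_probability(max_step: float) -> float:
    """Exact P(win) with one registered ticket and one winner slot.

    The step lands in [0, max_step); the ticket wins only if it lands in [0, 1).
    For max_step = 1.5 this is 1/1.5 = 66.67%, as in the report's example.
    """
    return min(1.0, 1.0 / max_step)


def estimate_fill_rate(registered: int, winners: int, max_step: float,
                       trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo estimate of the share of distributable tickets actually won.

    The denominator is min(registered, winners): the most tickets that could
    have been handed out by this walk. A seeded generator keeps runs repeatable.
    """
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += len(walk_winners(registered, winners, max_step, rng))
    return total / (trials * min(registered, winners))


if __name__ == "__main__":
    print("single ticket, max_step=1.5: exact P(win) =",
          round(single_ticket_win_probability(1.5), 4))
    # Constructed scenarios: (registered, winners, max_step)
    for registered, winners, max_step in [(1, 1, 1.5), (10, 10, 1.5), (10, 10, 0.5)]:
        rate = estimate_fill_rate(registered, winners, max_step)
        print(f"registered={registered} winners={winners} max_step={max_step}: "
              f"fill rate ~ {rate:.3f}")
```

The fill rate is the quantity the recommendation targets: whatever is left after one walk is the "remaining tickets" that a further round, with max_step recomputed from that remainder, would distribute.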

Recommendation

If there are remaining tickets, a new round should be initiated, with the max_step
value adjusted to this number.

Status

Acknowledged. The recommendation will be incorporated into the following IDOs.

Minor Severity Issues

MI-01 Launchpad: Tokens Locked due to Incomplete Distribution

Location:

● clarity/contracts/pool/alex-launchpad-v1-1.clar:258-287

If the tokens are not distributed because of the issue described in ME-01, they will
be locked in the contract unless the contract owner calls
transfer-all-to-owner(), which will transfer the tokens back to the owner.

Recommendation

If ME-01 remains unresolved, the IDO owner should be able to extract these tokens.

Status

Acknowledged. The development team considered the conditions of this issue
unlikely to be satisfied.

Enhancements

These items do not represent a security risk. They are best practices that we
suggest implementing.


Details

EN-01 Launchpad: Unnecessary Assertions

Location:

● clarity/contracts/pool/alex-launchpad-v1-1.clar:269,353

A block's VRF seed can only be taken from a block that has already been mined, i.e. a previous block. The seed
used for the IDOs is from the block after the registration ends. However, the
assertions in lines 269 and 353 check blockHeight ≥ registrationEndHeight,
whereas the call would also fail on its own because the seed cannot be taken if the current block height is at
the registration end or the block after it.

Moreover, the assertion in claim-process() will never fail because
get-last-claim-walk-position() is called before it, and that call reverts if the seed is
not available.
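To make the gap concrete, here is an added example (not code from the contract) that compares the assertion as described above against the condition under which the seed is actually retrievable. The names `registration_end`, `seed_block` and the helper functions are this example's own; the rule that a block's seed is available only once that block is behind the current one is the one stated in the text.

```python
"""EN-01: the height assertion is weaker than the seed-availability rule.

Assumptions of this model (not taken from the contract): the seed block is
registration_end + 1, and the VRF seed of block N can be read only at heights
strictly greater than N, i.e. from registration_end + 2 onwards.
"""


def passes_assertion(block_height: int, registration_end: int) -> bool:
    """The check at lines 269/353 as described in the report."""
    return block_height >= registration_end


def seed_available(block_height: int, registration_end: int) -> bool:
    """True once the seed block (registration_end + 1) has already been mined."""
    seed_block = registration_end + 1
    return block_height > seed_block


def heights_where_assertion_is_not_enough(registration_end: int) -> list[int]:
    """Heights that satisfy the assertion yet cannot retrieve the seed.

    These are exactly the two heights named in the report: the registration
    end itself and the block right after it.
    """
    return [h for h in range(registration_end - 2, registration_end + 5)
            if passes_assertion(h, registration_end)
            and not seed_available(h, registration_end)]


if __name__ == "__main__":
    END = 1000  # constructed registration-end height
    for h in range(END - 1, END + 4):
        print(h, "assertion:", passes_assertion(h, END),
              "seed available:", seed_available(h, END))
    print("assertion passes but seed unavailable at:",
          heights_where_assertion_is_not_enough(END))
```

Because every height that fails the assertion also fails the seed retrieval, the assertion never rejects anything the seed lookup would not reject itself, which is why the report calls it unnecessary.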

Status

Not implemented. The corresponding fixes are planned to be implemented in the
following iterations.

EN-02 Yield Vault: Misleading Response

Location:

● clarity/contracts/pool/yield-vault-alex.clar:161

If activated is equal to false, the response will be (ok true), even though only the
rewards are claimed and they are not staked.

Status

Not implemented. The corresponding fixes are planned to be implemented in the
following iterations.

Other Considerations

The considerations stated in this section are neither right nor wrong. We do not suggest
any action to fix them. However, we consider that they may be of interest to other
stakeholders of the project, including users of the audited contracts, owners or
project investors.

Centralization

Launchpad's claiming and refunding functions are public and have no
restrictions on being called by users once the grace period has passed. However, the
claiming functions require a list of winners ordered in sequence as an input. As a
consequence, if the off-chain job cannot be run, users will need to work out the
sequence and pay the cost of, at least, the claiming of every user before them.
The refunding functions need the claiming function to be called first, because a
refund is only available once it is proved on-chain that the ticket is not a winning
ticket.
Moreover, the launchpad contract owner can transfer all the tokens in the contract's
balance.

Changelog

● 2022-04-08 – Initial report based on commit
e268fd53370be3a271625bd45523ae07cb1239ac.
● 2022-04-19 – Final report based on feedback provided by the development
team.

Disclaimer: This audit report is not a security warranty, investment advice, or an
approval of the AlexGo project, since CoinFabrik has not reviewed its platform.
Moreover, it does not provide a smart contract code faultlessness guarantee.
