Viresfinance Security Audit - en
Vires.Finance Security Audit
by Dmitrii Pichulin
09 Nov 2021
(community translation)
https://github.com/deemru/viresfinance-audit
Table of Contents
Survey scope
Project composition
Security
General
Administration
Architecture
RESERVE
MAIN
SETTINGS
Threat model
Potential arguments/injection attacks
Potential amplification attacks
Other recommendations
Conclusion
Survey scope
The object of the study is the security of the project on the Waves
Mainnet.
Since the USDN and EURN price oracle and staking functionality are
the responsibility of Neutrino Protocol, and the WAVES staking
distribution is the responsibility of the node owners, these
subsystems are not part of the audit.
Project composition
$main = [
['main', '3PAZv9tgK1PX7dKR7b4kchq5qdpUS3G5sYT'],
['settings', '3PJ1kc4EAPL6fxuz3UZL68LPz1G9u4ptjYT'],
['oracle-proxy', '3PFHm5TYKw4vVzj4rW8s3Yso88aD73Dai1C'],
];
$stakers = [
['staker-waves', '3PMHsJn1G4ngd6A4dyZpaSMiQmr4XJiDuym'],
['staker-usdn', '3P23drfMhqqouvzpt3xUyGwjVX8P8qAzrmi'],
['staker-eurn', '3PH9oV2vraW7z7BxbMjHjcCMg3dmBKmUyhh'],
];
$reserves = [
['reserve', '3P8G747fnB1DTQ4d5uD114vjAaeezCW4FaM'], // WAVES
['reserve', '3PCwFXSq8vj8iKitA5zrrLRbuqehfmimpce'], // USDN
['reserve', '3PEiD1zJWTMZNWSCyzhvBw9pxxAWeEwaghR'], // USDT
['reserve', '3PGCkrHBxFMi7tz1xqnxgBpeNvn5E4M4g8S'], // USDC
['reserve', '3PBjqiMwwag72VWUtHNnVrxTBrNK8D7bVcN'], // EURN
['reserve', '3PA7QMFyHMtHeP66SUQnwCgwKQHKpCyXWwd'], // BTC
['reserve', '3PPdeWwrzaxqgr6BuReoF3sWfxW8SYv743D'], // ETH
];
$vires = [
['vires-earlybirds', '3PMqStMdARUA1KDNSrknUkQgXBVJR9Kgxko'],
['vires-minter', '3PM9SV8qsubjwfxENgsLJvP1BG2Wc2VAd7b'],
['vires-staker', '3PMrcFXJx23B9zbxxUT49z6ET6wF2dKfTdW'],
['vires-distributor', '3P2RkFDTHJCB82HcVvJNU2eMEfUo82ZFagV'],
];
Security
General
Vires.Finance smart contracts are considered from the point of view
of user funds security in general, without regard to internal
recalculation functionality.
Administration
Automated contract analysis for fixed strings with values of
predefined keys and addresses is performed by the test-strings
script. This script finds the latest smart contract deployment
transaction, decompiles the smart contract using the Waves node, and
finds all used data records corresponding to the public keys.
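As an added illustration (not the audit's test-strings script and not project code), the Python below shows the offline part of such a check: it extracts literals from decompiled Ride text and reports hard-coded addresses or keys that are not on a reviewed list. The Ride fragment, the placeholder address and key, and all function names are constructed for this example; addresses are recognised by shape only (35 base58 characters starting with 3P), without checksum validation.

```python
import re

# Addresses from the "Project composition" list (subset used here).
KNOWN = {
    "3PAZv9tgK1PX7dKR7b4kchq5qdpUS3G5sYT": "main",
    "3PJ1kc4EAPL6fxuz3UZL68LPz1G9u4ptjYT": "settings",
    "3PFHm5TYKw4vVzj4rW8s3Yso88aD73Dai1C": "oracle-proxy",
}

B58 = "1-9A-HJ-NP-Za-km-z"
# Ride literals: base58'...' byte vectors and "..." strings.
LITERAL = re.compile(r'''base58'([%s]*)'|"([^"\\]*)"''' % B58)
ADDRESS = re.compile(r"3P[%s]{33}" % B58)   # mainnet address shape, no checksum test
PUBKEY = re.compile(r"[%s]{43,44}" % B58)   # 32-byte key encoded in base58

def classify(value):
    if ADDRESS.fullmatch(value):
        return "address"
    if PUBKEY.fullmatch(value):
        return "public-key"
    return "string"

def fixed_strings(ride_source):
    """Return sorted (kind, value, label) tuples for every literal in the script."""
    found = set()
    for match in LITERAL.finditer(ride_source):
        value = match.group(1) if match.group(1) is not None else match.group(2)
        kind = classify(value)
        label = "" if kind == "string" else KNOWN.get(value, "UNKNOWN")
        found.add((kind, value, label))
    return sorted(found)

def unexpected(ride_source):
    """Hard-coded addresses and keys that are not on the reviewed list."""
    return [v for _, v, label in fixed_strings(ride_source) if label == "UNKNOWN"]

# Constructed input: placeholder values and an invented decompiled Ride fragment.
UNKNOWN_ADDR = "3P" + "x" * 33
ADMIN_KEY = "A" * 44
SAMPLE = f'''
let settings = Address(base58'3PJ1kc4EAPL6fxuz3UZL68LPz1G9u4ptjYT')
let main = addressFromStringValue("3PAZv9tgK1PX7dKR7b4kchq5qdpUS3G5sYT")
let other = Address(base58'{UNKNOWN_ADDR}')
let adminKey = base58'{ADMIN_KEY}'
let pausedKey = "op_transfer_debt_paused"
'''

if __name__ == "__main__":
    print(unexpected(SAMPLE))
```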
At the moment, all contract addresses have only been used to set and
update target contracts. The exception is one data transaction
setting the op_transfer_debt_paused key to true. The development team
has stated that they are aware this flag can be set through the
regular administration functionality in the resume() function of the
SETTINGS contract, but in this case the most expeditious method was
used to perform contract maintenance during an audit.
Architecture
RESERVE
The RESERVE contracts maintain the direct storage of user tokens. If
there is staking capability in a RESERVE contract, user tokens are
atomically sent to the corresponding staking systems in their
entirety through STAKER contracts. STAKER contracts are explicitly
MAIN
RESERVE contracts are executed through the MAIN contract, as they do
not have complete user information and accounting for VIRES token
distribution.
The MAIN contract does not possess or keep records of user funds
while being the central place that summarizes the complete
information about the user in the Vires.Finance system, which allows
SETTINGS
As noted earlier, all key contracts are connected to and depend on a
centralized SETTINGS contract.
Threat model
Note that the pauseAssetOp() function, although not public, can write
a true value to a non-standard key. It is RECOMMENDED to introduce an
additional check on the assetId argument, similar to the one in the
public functions, since access to this function can be extended to a
group of so-called pause-administrators.
One exception has been found: the public realloc() function in the
VIRES-DISTRIBUTOR contract, which allows recalculating the relative
distribution rate of VIRES tokens depending on the current debt
values in RESERVE contracts. Since this function is not limited in
call frequency, the user can recalculate the distribution rate at
any point, including an artificially created moment of debt skew
within an atomic call or a single block. As a result, there is an
opportunity to influence the VIRES token distribution’s relative
speed artificially.
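The effect described above can be checked for after the fact. The Python below is an added example, not code from the audit or from the Vires.Finance contracts: it models a realloc() snapshot and flags blocks where the snapshot differs from the debt shares that remain once the block has settled. It assumes the distribution rate is proportional to each reserve's debt; the event format, debt figures, block heights and the 1% tolerance are constructed.

```python
from fractions import Fraction

def shares(debts):
    """Relative distribution rate per reserve (assumed proportional to debt)."""
    total = sum(debts.values())
    return {a: Fraction(d, total) if total else Fraction(0) for a, d in debts.items()}

def skewed_reallocs(start_debts, blocks, tolerance=Fraction(1, 100)):
    """Flag realloc() snapshots that differ from the block's settled debt shares.

    blocks: list of (height, events); events are applied in order and are
    either ("debt", asset, delta) or ("realloc",).
    Returns [(height, asset, snapshot_share, settled_share), ...].
    """
    debts = dict(start_debts)
    flagged = []
    for height, events in blocks:
        snapshots = []
        for event in events:
            if event[0] == "realloc":
                snapshots.append(shares(debts))   # rate fixed at this instant
            else:
                _, asset, delta = event
                debts[asset] += delta
        settled = shares(debts)                   # shares once the block is over
        for snap in snapshots:
            for asset in sorted(snap):
                if abs(snap[asset] - settled[asset]) > tolerance:
                    flagged.append((height, asset, snap[asset], settled[asset]))
    return flagged

# Constructed sample data: debt units and block heights are illustrative only.
START = {"WAVES": 1000, "USDN": 3000, "BTC": 1000}
BLOCKS = [
    (100, [("realloc",)]),                                    # no debt change
    (101, [("debt", "USDN", 5000), ("realloc",), ("debt", "USDN", -5000)]),
    (102, [("debt", "WAVES", 500), ("realloc",)]),            # change persists
]

if __name__ == "__main__":
    for height, asset, snap, settled in skewed_reallocs(START, BLOCKS):
        print(height, asset, float(snap), float(settled))
```

Only block 101 is reported, because its debt change is reverted before the block ends while the snapshot taken in between persists. Debt that legitimately changes after a realloc() in the same block is flagged as well, so hits need manual review.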
Other recommendations
Conclusion
Other issues found as part of the audit have been promptly corrected
or mitigated.