SMART CONTRACT SECURITY AUDIT FOR 01NODE
At Blaize, we take pride in securing the decentralized ecosystem, and our latest milestone was to conduct a comprehensive smart contract security audit for 01node. With a commitment to ensuring the safety and trustworthiness of blockchain projects, we meticulously examined the smart contracts of 01node to identify vulnerabilities and provide actionable recommendations.
ABOUT THE PROJECT
With a portfolio spanning over 30 carefully selected networks, 01node has been a pioneering force in the staking revolution since its establishment in 2019. This visionary project has empowered countless individuals to actively participate in the decentralized economy actively, amassing over 70 million assets staked with them.
Our audit focused on scrutinizing the security of the smart contracts underpinning the 01node protocol. The primary objective was to identify and describe any security issues within these contracts. Our audit scope encompassed all tests, scripts, documentation, and requirements outlined by the 01node team. It also included an evaluation of the contract code using the Hardhat framework tests and scripts, additional testing strategies, and manual and exploratory rounds.
During our audit, we scrutinized the smart contract for various vulnerabilities in several stages:
1) Standard vulnerabilities checklists, including but not limited to:
- Gas limit and loops
- Transaction-ordering dependence
- Unchecked external calls
- Denial-of-Service (DoS) attacks
- Malicious libraries and injections
- Storage issues (uninitialized, unused, etc) and incorrect local variables usage
- Upgradeability issues
and others potential Solidity vulnerabilities and attack vectors;
2) Business logic decompositions to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections and other flow related issues;
3) Review of dependencies, integrations and 3rd parties, verified with appropriate integration tests;
4) Our own internal security checklists, additionally verified during the testing stage. The team had the main focus on verifying the correctness of implemented liquid staking mechanics.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Our audit process encompassed manual and testing stages:
1.MANUAL AUDIT STAGE
- Manual line-by-line code review by 2 security auditors with crosschecks and validation from the security lead;
- Vulnerabilities analysis against several checklists, including internal Blaize.Security checklist;
- Business logic inspection;
- Protocol decomposition and components analysis with building an interaction schemes and sequence diagrams;
- Storage usage review and gas optimization review;
- Math operations and calculations analysis;
- Access control and roles structure review;
- Review of dependencies, 3rd parties, and integrations;
- Review with automated tools and static analysis;
- Code quality, documentation, and consistency review.
- Development of edge cases based on manual stage results;
- False positives validation;
- Integration tests for checking connections with 3rd parties;
- Manual exploratory tests over the locally deployed protocol;
- Checking the existing set of tests and performing additional unit testing;
Upon completion of the audit, we delivered a comprehensive smart contract security analysis report to the 01node team. This report included:
- Identified risks
- Potential mitigations
- Detailed vulnerability assessments
- Recommendations for improvements
SMART CONTRACT AUDIT IS A TOOL TO ENHANCE THE LEVEL OF SECURITY FOR YOUR PROJECT. LEARN MORE ON BLAIZE WEBSITE.
The Blaize Security team successfully conducted an audit of the 01node protocol, a platform enabling users to stake ETH and earn rewards in the form of LiquidETH tokens. Our audit encompassed staking, withdrawals, storage management, and the rewards system. While the smart contract’s overall security was robust, several critical and high-risk issues were identified during the audit.
The audit unearthed a critical issue related to the reward balance for users, which was reset when a new validator was added. Several high-risk problems were also discovered, including issues with the old ETH transfer method, variable value writing, and storage updating. The diligent 01node team successfully addressed all identified issues.
Further findings pertained to the lack of events, variable validation and usage, and optimization opportunities related to gas usage. These issues were also rectified during the audit process.In conclusion, the 01node smart contract demonstrated a high level of security, which was estimated by Blaize as Highly Secure at 9.7 out of 10. However, it’s imperative for the 01node team to provide smart contract unit tests and technical documentation to maintain the integrity of the project during future development phases. Enhancing code quality for readability and optimization is also advisable. Our team has rigorously tested the protocol and confirmed its adherence to essential security checks. Trust in the security and reliability of the 01node protocol remains well-placed.
See the complete list of found vulnerabilities and recommendations about their improvements in this document:01node-audit-report_compressed