SMART CONTRACT SECURITY AUDIT FOR COINSENDER
At Blaize, we take pride in securing the decentralized ecosystem. Our latest milestone was a comprehensive smart contract security audit for CoinSender: finding and describing security issues in the platform's smart contracts and giving the project's team recommendations for further security measures.
ABOUT THE PROJECT
The CoinSender contract is a CosmWasm-based tool that simplifies batch transactions, allowing users to transfer tokens to multiple accounts in a single transaction. This is useful in many scenarios, including token distribution in airdrops, employee rewards, and payments to multiple suppliers.
Blaize auditors provide an in-depth review of the contract, validating its deployment flow, initialization, the presence of necessary validations, and other crucial areas. During the testing stage, auditors exercise the full flow of the contract, including validation of transaction initiation, funds distribution, fee calculation, and the transfer of fees to the collector account.
MAIN REQUIREMENTS
During our audit, we scrutinized the smart contract for various vulnerabilities in several stages:
1) Standard vulnerabilities checklists, including but not limited to:
- Access control flow
- Transaction-ordering dependence
- Denial-of-Service (DoS) attacks
- Storage issues (uninitialized, unused, etc.) and incorrect local variable usage
- Initialization issues
and other potential vulnerabilities and attack vectors;
2) Business logic decomposition to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;
3) Review of the fee structure, correctness of funds flows, and validation of Cosmos accounts, all verified with appropriate integration tests;
4) Our own internal security checklists, additionally verified during the testing stage. The team focused mainly on verifying the correctness of fee calculations and of funds distribution among recipients.
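The checks named above (fee calculation, funds distribution among recipients, validation of Cosmos accounts, and the edge cases a testing stage exercises) can be illustrated with a small model of a batch-send planner. The following Rust code is an added example written for this article; it is not CoinSender's code and does not use the cosmwasm crates. The address check, the 500-recipient cap, the basis-point fee with round-up, and the rejection of duplicate recipients are all assumptions made for the illustration, not properties of the audited contract.

```rust
use std::collections::HashSet;

/// Bech32 data-part alphabet; used here for a simplified address check.
const BECH32_CHARSET: &str = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
/// Basis-point denominator for the fee rate.
const BPS_DENOM: u128 = 10_000;
/// Upper bound on recipients per batch (assumed value, to bound gas per message).
pub const MAX_RECIPIENTS: usize = 500;

#[derive(Debug, PartialEq)]
pub enum BatchError {
    NoRecipients,
    TooManyRecipients(usize),
    ZeroAmount { index: usize },
    InvalidAddress(String),
    DuplicateAddress(String),
    FeeTooHigh(u32),
    Overflow,
    FundsMismatch { expected: u128, sent: u128 },
}

#[derive(Debug, PartialEq)]
pub struct BatchPlan {
    /// (recipient, amount) pairs that would become bank send messages.
    pub transfers: Vec<(String, u128)>,
    /// Amount forwarded to the collector account.
    pub fee: u128,
    /// Sum of transfers plus fee; must equal the funds attached to the message.
    pub total: u128,
}

/// Simplified Cosmos account-address check (assumption): "cosmos1" prefix,
/// 45 characters, bech32 alphabet. A real contract would rely on the
/// chain's full bech32 validation including the checksum.
pub fn is_valid_address(addr: &str) -> bool {
    addr.len() == 45
        && addr.starts_with("cosmos1")
        && addr[7..].chars().all(|c| BECH32_CHARSET.contains(c))
}

/// Fee on `amount` at `fee_bps`, rounded up so that splitting a transfer
/// into dust-sized pieces cannot reduce the fee to zero. None on overflow.
pub fn fee_for(amount: u128, fee_bps: u32) -> Option<u128> {
    amount
        .checked_mul(fee_bps as u128)?
        .checked_add(BPS_DENOM - 1)?
        .checked_div(BPS_DENOM)
}

/// Validate a batch request and compute the exact funds flow.
pub fn plan_batch_send(
    sent: u128,
    recipients: &[(String, u128)],
    fee_bps: u32,
) -> Result<BatchPlan, BatchError> {
    if recipients.is_empty() {
        return Err(BatchError::NoRecipients);
    }
    if recipients.len() > MAX_RECIPIENTS {
        return Err(BatchError::TooManyRecipients(recipients.len()));
    }
    if fee_bps as u128 > BPS_DENOM {
        return Err(BatchError::FeeTooHigh(fee_bps));
    }
    let mut seen = HashSet::new();
    let mut subtotal: u128 = 0;
    for (index, (addr, amount)) in recipients.iter().enumerate() {
        if *amount == 0 {
            return Err(BatchError::ZeroAmount { index });
        }
        if !is_valid_address(addr) {
            return Err(BatchError::InvalidAddress(addr.clone()));
        }
        // Policy choice (assumption): a repeated recipient is treated as a
        // caller mistake rather than silently merged.
        if !seen.insert(addr.as_str()) {
            return Err(BatchError::DuplicateAddress(addr.clone()));
        }
        subtotal = subtotal.checked_add(*amount).ok_or(BatchError::Overflow)?;
    }
    let fee = fee_for(subtotal, fee_bps).ok_or(BatchError::Overflow)?;
    let total = subtotal.checked_add(fee).ok_or(BatchError::Overflow)?;
    // Attached funds must match exactly: underpayment would drain the contract
    // balance, overpayment would strand the caller's coins in the contract.
    if total != sent {
        return Err(BatchError::FundsMismatch { expected: total, sent });
    }
    Ok(BatchPlan { transfers: recipients.to_vec(), fee, total })
}

fn main() {
    // Constructed sample batch: two recipients, 0.5% fee (50 bps).
    let a = format!("cosmos1{}qpzry9", BECH32_CHARSET);
    let b = format!("cosmos1{}", "z".repeat(38));
    match plan_batch_send(3015, &[(a, 1000), (b, 2000)], 50) {
        Ok(plan) => println!("fee to collector: {}, total: {}", plan.fee, plan.total),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

The planner does every check before any state is touched, uses checked arithmetic throughout, and requires the attached funds to equal the computed total exactly, which is the kind of validation whose absence shows up as the "missing validations" and "missed edge cases" findings an audit like this one reports.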
SMART CONTRACT SECURITY AUDIT PROCEDURE
Our audit process consisted of a manual stage and a testing stage:
MANUAL AUDIT STAGE
- Manual line-by-line code review by 2 security auditors with cross-checks and validation from the security lead;
- Vulnerabilities analysis against several checklists, including internal Blaize.Security checklist;
- Business logic inspection;
- Protocol decomposition and components analysis with building interaction schemes and sequence diagrams;
- Storage usage review;
- Math operations and calculations analysis;
- Access control and roles structure review;
- Review of dependencies, 3rd parties, and integrations;
- Review with automated tools and static analysis;
- Code quality, documentation, and consistency review.
TESTING STAGE
- Development of edge cases based on manual stage results;
- False positives validation;
- Integration tests for checking connections with 3rd parties;
- Manual exploratory tests over the locally deployed protocol;
- Checking the existing set of tests and performing additional unit testing.
Upon completion of the audit, we delivered a comprehensive smart contract security analysis report to the CoinSender team. This report included:
- Identified risks
- Potential mitigations
- Detailed vulnerability assessments
- Recommendations for improvements
AUDIT RESULT
The Blaize Security team successfully conducted an audit of the CoinSender protocol.
There were no critical findings. The issues found relate to missing validations, unhandled edge cases (discovered during the testing stage), and code quality problems. All issues were resolved or verified by the CoinSender team.
However, to ensure the security of the contract, the Blaize.Security team suggests that the CoinSender team follow the post-audit steps:
- launch active protection over the deployed contracts to have a system of early detection and alerts for malicious activity. We recommend the AI-powered threat prevention platform VigiLens, by the CyVers team.
- launch a bug bounty program to encourage further active analysis of the smart contracts.
In conclusion, the CoinSender smart contract demonstrated a high level of security, estimated by Blaize as Highly Secure at 9.9 out of 10.
The code is well-organized and self-documenting, with good native test coverage. Therefore, the contract is verified as secure for use.
The audit document with the full list of identified vulnerabilities and recommendations for addressing them can be found below:
CoinSender-audit-report