SMART CONTRACT SECURITY AUDIT FOR EVERDUES
EverDues is a protocol that lets users pay for subscriptions with crypto. A user creates a subscription once, and the protocol then collects each recurring payment in ERC-20 tokens on the user's behalf.
ABOUT THE PROJECT
The Blaize Security team has conducted the audit of the EverDues protocol. The protocol is a platform for recurring payments and subscriptions. It uses ERC-20 tokens to pay for subscriptions, and the payments are executed automatically. All it needs from the user is a token approval granted to the protocol in advance.
The scope of the project includes EverDues’ set of contracts:
The objective of the audit was to assess the security of the smart contracts against the list of common vulnerabilities as well as against the auditors' internal checklist, to check whether the contracts are optimized in terms of gas consumption, and to validate the security of users' funds. This includes verifying that the protocol can spend only a fixed amount of a particular token, only to the correct destination address, and only in the correct period. From the protocol's perspective, it needed to be validated that users cannot avoid payments and that fees are properly collected.
Blaize's task was to find and describe security issues in the smart contracts of the platform.
We needed to check the EverDues protocol with the following parameters:
- Whether the funds distribution works as expected;
- Whether there are no blocking mechanisms or loopholes in the business logic;
- Whether the implemented functionality corresponds to the documentation;
- Whether the contracts follow best practices for gas efficiency and code readability.
We have scanned both sets of smart contracts for commonly known and more specific vulnerabilities:
- Unsafe type conversions and unsafe math;
- Timestamp dependence;
- Correct role distribution and access control flow;
- Gas limit and loops;
- Transaction-ordering dependence;
- DoS attacks (gas limit, unexpected reverts, storage abuse, etc.);
- Byte array vulnerabilities;
- Style guide violations;
- ERC-20 standard conformance and correct token usage;
- Uninitialized state/storage/local variables;
- Several others according to our checklists.
In addition, the EverDues protocol was checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Manual code review;
- Static analysis by automated tools;
- Business logic review and decomposition of the system;
- Unit test coverage check;
- Extensive integration testing;
- Fuzz and exploratory testing;
- Providing a detailed report of detected issues;
- Verification of fixes;
- Final audit report preparation & publishing.
At Blaize we have audited DeFi projects and blockchain enterprises many times. Read more about our recent SyntheX smart contract security audit.
AUTOMATED TOOLS ANALYSIS
We scanned the contracts using several publicly available automated analysis tools such as Mythril, Solhint, Slither, and SmartDec. All reported findings were verified manually, since these tools produce false positives and miss business-logic flaws.
MANUAL CODE REVIEW
We manually analyzed the smart contracts to identify potential security vulnerabilities. Our analysis involved a comparison of the smart contract logic with the description provided in the documentation.
UNIT TEST COVERAGE
The scope of the audit includes a unit test coverage check, which is based on the smart contract code, the documentation, and the requirements presented by the EverDues team. The coverage is calculated from the set of Hardhat tests together with scripts from additional testing strategies. However, to further ensure the security of the contracts, the Blaize.Security team suggests that the EverDues team launch a bug bounty program to encourage continued active analysis of the smart contracts.
SECURITY ANALYSIS REPORT
Finally, we provided the EverDues team with the smart contract security analysis report. The document contains all detected risks and possible ways to mitigate them, as well as issues, vulnerabilities, and recommendations for fixes and improvements. The report also contains the confirmation of fixes and the necessary explanations from the EverDues team.
The audit discovered one critical, one high, and several low and lowest issues. The critical issue was found in the access control contract, MultiOwnable. It occurred because the default admin role of AccessControl.sol (DEFAULT_ADMIN_ROLE) was neither granted to anyone nor replaced by another owner role as the role admin in the constructor. In OpenZeppelin's AccessControl every role is administered by its admin role, which defaults to DEFAULT_ADMIN_ROLE, so with no holder of that role no account could ever grant or revoke an owner role after deployment, and the owner set was effectively frozen. The EverDues team successfully fixed this issue by granting the default admin role to the deployer of the contracts.
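The following is an added illustration of this class of bug, written for this page and not taken from the EverDues code base: a minimal multi-owner contract on OpenZeppelin's AccessControl in its broken form next to the fixed form. The contract and role names, the constructor arguments and the `addOwner` function are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v4.5+ or v5.x (both provide _grantRole).
import "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical broken variant (not EverDues code).
/// OWNER_ROLE is administered by DEFAULT_ADMIN_ROLE, the AccessControl default,
/// but nobody is ever given DEFAULT_ADMIN_ROLE. The internal _grantRole call in
/// the constructor bypasses the admin check, so the first owner is set, yet every
/// later grantRole/revokeRole on OWNER_ROLE reverts for every caller.
contract MultiOwnableBroken is AccessControl {
    bytes32 public constant OWNER_ROLE = keccak256("OWNER_ROLE");

    constructor(address firstOwner) {
        _grantRole(OWNER_ROLE, firstOwner);
        // Missing: _grantRole(DEFAULT_ADMIN_ROLE, msg.sender)
        // or       _setRoleAdmin(OWNER_ROLE, OWNER_ROLE)
    }

    function addOwner(address newOwner) external {
        // Reverts for everyone: msg.sender never holds getRoleAdmin(OWNER_ROLE).
        grantRole(OWNER_ROLE, newOwner);
    }
}

/// Hypothetical fixed variant: the deployer receives DEFAULT_ADMIN_ROLE, so it
/// can administer OWNER_ROLE (grant, revoke, or hand the admin role on).
contract MultiOwnableFixed is AccessControl {
    bytes32 public constant OWNER_ROLE = keccak256("OWNER_ROLE");

    constructor(address firstOwner) {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(OWNER_ROLE, firstOwner);
    }

    function addOwner(address newOwner) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _grantRole(OWNER_ROLE, newOwner);
    }

    function removeOwner(address owner) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _revokeRole(OWNER_ROLE, owner);
    }
}
```

A cheap post-deployment check that catches this bug is to assert `hasRole(DEFAULT_ADMIN_ROLE, deployer)` (or `hasRole(getRoleAdmin(OWNER_ROLE), someAccount)` for every custom role) in the deployment script or a unit test. Note the caveat on the fix itself: granting DEFAULT_ADMIN_ROLE to the deployer makes that single key the root of all role administration, so in production it should be held by a multisig or transferred there immediately after deployment.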
The high issue concerned the possibility for users to avoid the first payment of a subscription. It occurred because the subscription ID was generated off-chain and accepted by the contract without validating it against the input parameters, so the contract had no guarantee that the ID it stored actually corresponded to the subscription terms submitted with it. The EverDues team also successfully fixed this issue by generating the subscription ID on-chain from the input parameters.
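As an added example, not EverDues code, the minimal subscription registry below shows the fix pattern in general form: the ID is derived on-chain from the subscription terms, a record is only created if the first payment succeeds in the same transaction, and later charges read every term from storage rather than from calldata. The page does not describe the exact path by which the original off-chain ID allowed skipping the first payment, so the example demonstrates the on-chain binding rather than reproducing that path. The contract name, the struct layout, the per-subscriber nonce, the minimum period and the `cancel` function are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v4.x/v5.x for IERC20 and SafeERC20.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical subscription registry (not EverDues code).
contract SubscriptionRegistryExample {
    using SafeERC20 for IERC20;

    struct Subscription {
        address subscriber;
        address merchant;
        IERC20 token;
        uint256 amount;       // tokens charged per period
        uint256 period;       // seconds between charges
        uint256 nextChargeAt; // earliest block.timestamp at which the next charge is allowed
    }

    mapping(bytes32 => Subscription) public subscriptions;
    mapping(address => uint256) public nonces; // lets one subscriber hold several identical plans

    event Subscribed(bytes32 indexed id, address indexed subscriber, address indexed merchant);
    event Charged(bytes32 indexed id, uint256 amount);
    event Cancelled(bytes32 indexed id);

    /// Pure so off-chain tooling can precompute the ID, but the contract, not the
    /// caller, is the source of truth: the ID is bound to every term it identifies.
    function subscriptionId(
        address subscriber, address merchant, IERC20 token,
        uint256 amount, uint256 period, uint256 nonce
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(subscriber, merchant, token, amount, period, nonce));
    }

    function subscribe(address merchant, IERC20 token, uint256 amount, uint256 period)
        external
        returns (bytes32 id)
    {
        require(merchant != address(0), "zero merchant");
        require(address(token) != address(0), "zero token");
        require(amount > 0, "zero amount");
        // Assumed minimum period; at day scale the few seconds of miner
        // timestamp drift are irrelevant to the schedule.
        require(period >= 1 days, "period too short");

        uint256 nonce = nonces[msg.sender]++;
        id = subscriptionId(msg.sender, merchant, token, amount, period, nonce);
        require(subscriptions[id].subscriber == address(0), "already exists");

        // The first payment is part of creation: if the transfer reverts,
        // no subscription record is written, so it cannot be skipped.
        token.safeTransferFrom(msg.sender, merchant, amount);

        subscriptions[id] = Subscription({
            subscriber: msg.sender,
            merchant: merchant,
            token: token,
            amount: amount,
            period: period,
            nextChargeAt: block.timestamp + period
        });
        emit Subscribed(id, msg.sender, merchant);
        emit Charged(id, amount);
    }

    /// Anyone (for example a keeper) may trigger a due charge. Amount, token and
    /// destination come from storage, never from calldata, so the caller cannot
    /// change how much is spent or where it goes.
    function charge(bytes32 id) external {
        Subscription storage s = subscriptions[id];
        require(s.subscriber != address(0), "unknown id");
        require(block.timestamp >= s.nextChargeAt, "not due");
        // Effects before interaction: anchored to the actual charge time,
        // so a late keeper does not trigger several back-to-back charges.
        s.nextChargeAt = block.timestamp + s.period;
        s.token.safeTransferFrom(s.subscriber, s.merchant, s.amount);
        emit Charged(id, s.amount);
    }

    /// Only the subscriber may stop future charges.
    function cancel(bytes32 id) external {
        require(subscriptions[id].subscriber == msg.sender, "not subscriber");
        delete subscriptions[id];
        emit Cancelled(id);
    }
}
```

With the ID derived this way, two different sets of terms cannot share an ID, and a caller cannot present an ID that names a subscription other than the one whose terms were checked and paid for. The remaining limit on spend is the ERC-20 allowance the user grants to the contract; keeping that allowance to a few periods' worth rather than unlimited bounds the damage from any future bug in `charge`.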
The other issues concerned missing validations, the use of custom errors, variable visibility, and the validation of business logic. The EverDues team has fixed or verified all of them.
The overall security of the protocol is high. The contracts are well written, contain sufficient NatSpec, and have additional documentation. The Blaize Security team carefully checked the subscription flow with additional tests. Once the EverDues team had applied all the fixes, the smart contracts passed all the security tests.
In all respects, the EverDues protocol has passed the security audit and can be evaluated as Highly Secure, 10 out of 10!
See the complete list of found vulnerabilities and recommendations for their improvement in this document: Everdues-audit-report-1