SMART CONTRACT SECURITY AUDIT FOR GEROBI
The Gerobi protocols and the Gerobi DAO on the AURORA chain form a decentralized organization that builds financial infrastructure for WEB3. Users can use its protocols to maximize capital efficiency and manage their funds in DeFi to earn high yields.
ABOUT THE PROJECT
Gerobi aims to let users put their capital to work today and to build products that help millions of others do the same tomorrow. At the same time, any project dealing with clients’ investments must be exceptionally secure. This was one of the main reasons for Gerobi’s cooperation with Blaize.
The scope of the audit covers the following Gerobi contract:
1/ GerobiERC20.sol
The code was delivered as a contract deployed on the Aurora testnet. The audited contract is an ERC20 token based on the standard OpenZeppelin implementation; it also inherits the OpenZeppelin ERC20Permit contract.
MAIN REQUIREMENTS
Blaize’s task was to find and describe security issues in the smart contracts of the platform.
We needed to check the Gerobi protocol with the following parameters:
- Whether the token contract is secure;
- Whether the token implements ERC20 standard correctly;
- Whether the code contains hidden malicious functionality.
We scanned the smart contracts in scope for commonly known and more specific vulnerabilities:
- Unsafe type conversions and unsafe math;
- Timestamp Dependence;
- Reentrancy;
- Correct roles distribution and access control flow;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- DoS attacks (gas limit, unexpected reverts, storage abuse, etc.);
- Byte array vulnerabilities;
- Style guide violations;
- ERC20 standard conformance and correct token usage;
- Uninitialized state, storage, or local variables.
Also, the Gerobi protocol was checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Manual code review;
- Static analysis by automated tools;
- Business logic review and decomposition of the system;
- Unit test coverage check;
- Extensive integration testing;
- Fuzz and exploratory testing;
- Providing a detailed report of detected issues;
- Verification of fixes;
- Final audit report preparation & publishing.
At Blaize we have audited DeFi projects many times. Read more about our latest case, the PeakDeFi smart contract security audit.
AUTOMATED TOOLS ANALYSIS
The Blaize.Security team scanned the Gerobi contracts with several publicly available automated analysis tools, including Mythril, Solhint, Slither, and SmartDec. All issues reported by the tools were verified manually.
MANUAL CODE REVIEW
The Blaize.Security team performed a manual analysis of the smart contracts for security vulnerabilities, checking the contract logic against the behaviour described in the documentation.
UNIT TEST COVERAGE
The scope of the audit includes the unit test coverage, which is based on the smart contract code, documentation and requirements presented by the Gerobi team. The coverage is calculated based on the set of Hardhat framework tests and scripts from additional testing strategies. However, to ensure the security of the contract, the Blaize.Security team suggests that the Gerobi team launch a bug bounty program to encourage further active analysis of the smart contracts.
SECURITY ANALYSIS REPORT
Finally, we provided the Gerobi team with the smart contract security analysis report. The report also contains the confirmation of fixes and the necessary explanations from the Gerobi team.
AUDIT RESULT
Blaize auditors verified compatibility with the ERC20 standard and found that the token inherits standard OpenZeppelin contracts (mostly from version 4.8.0). Our auditors also prepared a set of tests to check the standard functionality (transfer, approve, balances, permit) and the correctness of the token parameters.
The project’s native token will have the name “Gerobi Token” and the ticker “GRB”, with the initial supply minted only once, during construction, and transferred to a recipient chosen by the deployer.
During the audit, Blaize detected only one informational issue, concerning the solc version used for the contracts: the contract does not use the latest solc version.
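The token shape the audit result describes (OpenZeppelin ERC20 plus ERC20Permit, supply minted once in the constructor to a deployer-chosen recipient, compiler version pinned) written out as an added illustration. This is not Gerobi’s audited GerobiERC20.sol; the contract name, the 0.8.17 pragma and the constructor parameters are assumptions, and the import paths are those of OpenZeppelin 4.8.x.

```solidity
// SPDX-License-Identifier: MIT
// A pinned compiler version (0.8.17 is an assumed value) documents exactly
// which solc the team tested against, instead of a floating ^0.8.0 range.
pragma solidity 0.8.17;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/draft-ERC20Permit.sol";

/// @notice Fixed-supply ERC20 with EIP-2612 permit (illustrative, hypothetical name).
/// Review checklist this shape satisfies: no mint/burn entry points after
/// deployment, no owner role, no pause or blacklist hooks, so there is no
/// place for hidden functionality beyond the inherited OpenZeppelin code.
contract FixedSupplyPermitToken is ERC20, ERC20Permit {
    /// @param name_         token name, also used as the EIP-712 domain name
    /// @param symbol_       token ticker
    /// @param initialSupply whole supply in the token's smallest unit
    /// @param recipient     address that receives the entire initial supply
    constructor(
        string memory name_,
        string memory symbol_,
        uint256 initialSupply,
        address recipient
    ) ERC20(name_, symbol_) ERC20Permit(name_) {
        // The only mint in the contract: _mint reverts on the zero address,
        // and totalSupply can never change after this line executes.
        _mint(recipient, initialSupply);
    }
}
```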
Therefore, according to our requirements and rules, the overall security of the Gerobi protocol’s smart contract system is rated Highly Secure, 10 out of 10!
Please see the complete list of findings and the recommendations for addressing them in the audit report:
Gerobi-audit-report