Smart Contract Security Audit for Jibrel
Jibrel is an open-source web3 development company that provides tokenized financial assets on the Ethereum blockchain, including currencies, bonds, and commodities of different kinds.
About the project
Blaize performed a smart contract security audit of one of Jibrel's upcoming projects, Tranche.finance. Tranche is a decentralized finance protocol that lets users create different risk profiles from DeFi cash flow. Users can borrow or lend funds, and can use the loan smart contracts to create new assets with different payout schedules.
The smart contract audit and code review were needed to ensure the secure operation of the Tranche protocol after its mainnet launch in Q1 2021.
Main requirements
The main task was to conduct a smart contract security audit and code review backed by the technical expertise of Blaize engineers. We had to deliver two separate documents:
– the first document concentrated on recommendations for improving the code architecture and project structure, drawing on our experience with smart contract development approaches;
– the second document is the security audit report listing the vulnerabilities and bugs found in the Tranche contracts by automated and manual testing.
The technical task required analysis with automated tools combined with a manual code review of the whole set of smart contracts. In addition, we had to compile a list of the main attacks and vulnerabilities the contracts might be exposed to, given the project's purpose.
The list of smart contract vulnerabilities taken into account during the Jibrel code audit (the review covered these, but was not limited to them):
- Unsafe type inference;
- Timestamp Dependence;
- Reentrancy;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call;
- Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC20 API violation;
- Uninitialized state/storage/local variables;
- Compile version not fixed.
The Blaize auditors additionally check for novel types and variations of attacks, to ensure that the client's contracts are protected against known and emerging vulnerabilities. The full list of known attack classes can be found in the SWC Registry.
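To make the checklist concrete, here is an added illustration written for this page; it is not Tranche or Jibrel code, and the contract and function names (VulnerableVault, Attacker, HardenedVault) are hypothetical. The first contract exhibits several classes from the list above (reentrancy, unchecked external call, implicit state variable visibility, gas limit and loops, DoS with unexpected throw, and, in the comment on the pragma, a compiler version that is not fixed); the attacker contract shows how the reentrancy is triggered; the last contract shows the usual fixes: checks-effects-interactions ordering, a reentrancy guard, a checked call result, explicit visibility, a pinned compiler version, and pull payments instead of a payout loop.

```solidity
// SPDX-License-Identifier: MIT
// Added illustration, not Tranche/Jibrel code. A floating `pragma solidity ^0.8.0;`
// here would be the "Compile version not fixed" finding: the deployer could pick any
// 0.8.x compiler, so the audited bytecode may differ from what is deployed.
pragma solidity 0.8.20;

contract VulnerableVault {
    mapping(address => uint256) balances; // "Implicit visibility": no keyword, so the
                                          // variable is `internal` by default and the
                                          // intended exposure is unclear to a reviewer.
    address[] depositors;

    function deposit() external payable {
        if (balances[msg.sender] == 0) depositors.push(msg.sender);
        balances[msg.sender] += msg.value;
    }

    // "Reentrancy" + "Unchecked external call": ether is sent before the balance
    // is zeroed, and the success flag returned by call() is ignored.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        msg.sender.call{value: amount}(""); // callee can re-enter withdraw()
        balances[msg.sender] = 0;           // effect happens after the interaction
    }

    // "Gas Limit and Loops" + "DoS with (unexpected) Throw": one recipient whose
    // receive() reverts blocks every payout, and an unbounded loop over depositors
    // eventually exceeds the block gas limit.
    function payAll() external {
        for (uint256 i = 0; i < depositors.length; i++) {
            address d = depositors[i];
            uint256 amt = balances[d];
            balances[d] = 0;
            payable(d).transfer(amt);
        }
    }
}

// Hypothetical attacker: re-enters withdraw() from receive() until the vault is drained.
contract Attacker {
    VulnerableVault private vault;

    constructor(VulnerableVault v) { vault = v; }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    receive() external payable {
        // Each re-entry still sees the un-zeroed balance and is paid out again.
        if (address(vault).balance >= msg.value) vault.withdraw();
    }
}

// Hardened version: checks-effects-interactions, checked call result, explicit
// visibility, a reentrancy guard, and pull payments instead of a payout loop.
contract HardenedVault {
    mapping(address => uint256) private balances;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function balanceOf(address account) external view returns (uint256) {
        return balances[account];
    }

    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                         // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");                   // result checked
    }
    // No payAll(): each depositor pulls its own funds, so a reverting recipient
    // or a large depositor set cannot block anyone else.
}
```

Running the static analyzers named later on this page over VulnerableVault reproduces several of the checklist items: Slither's reentrancy-eth and unchecked-lowlevel detectors flag withdraw(), and the compiler itself warns that the return value of the low-level call is unused. The findings that tools do not catch (whether the payout loop is acceptable for the expected number of depositors, whether the state variables should really be internal) are exactly the logic and architecture questions the manual review below is for.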
Smart contract security audit procedure
Blaize has an established security audit procedure. It includes the following steps:
- Consistency check: whether the contracts correspond to the documentation;
- Checks against the standard list of vulnerabilities mentioned above;
- Static analysis by automated tools;
- Manual code and code quality review;
- Gas usage analysis;
- Unit test coverage check;
- Security analysis report delivery;
- Post-audit fixes review.
At the beginning of every audit, we evaluate the consistency between what the contracts actually do and the functionality claimed in the project whitepaper and supporting docs. We also evaluate the contracts' business logic and propose the scope of work for security testing.
We conducted two levels of security testing for the Tranche protocol: first an automated analysis, followed by a manual code review by our blockchain smart contract auditors.
Automated tests
Automated code analysis uses open-source tools for bug detection. For the Jibrel smart contract audit we used Mythril, Solhint, Slither, and SmartDec. We often run several tools in parallel so that their findings can be cross-checked against each other.
Automated testing helped to identify which part of the code handles each input and execution path and pointed to the places where bugs are likely to occur. Because such tools also produce false positives, the automated analysis was followed by manual verification of every issue they reported.
Manual tests
Manual code analysis means a thorough examination of each line of code by an auditor. Manual testing is needed to analyse the vulnerabilities found earlier and to check the operational correctness of the smart contracts in general.
Manual code examination is highly recommended for an exploratory check of vulnerabilities that are hidden not in the code itself but in the contract logic or architecture. This type of verification relies on the auditor's expertise and experience with complex smart contract systems.
Gas usage analysis
The full set of Tranche smart contracts was audited. The auditors concluded that, as of now, no additional code changes are needed to further optimize gas usage.
Unit Test Coverage
During the smart contract security audit we took the Tranche contracts' unit tests into account and analysed them.
The auditors concluded that the tests are implemented in a non-standard way that does not allow classic automated coverage measurement. That is why we had to review the unit test coverage manually.
After this examination we can state that the contracts' unit test coverage is sufficient and that the tests run successfully.
Severity definition
After all tests are finished and the client's developers have made their changes, we produce a final security evaluation of the contracts.
The evaluation is performed according to the previously established issue ranking described below:
Severity | Definition |
Critical | Issues that are very serious and directly endanger users and the secure operation of the system. Require immediate fixes and re-verification. |
High | Serious issues that make the system's behaviour unreliable and may cause a major leak of information or funds. Require immediate fixes and re-verification. |
Medium | Issues that may lead to moderate financial loss or leakage of users' private information. Require immediate fixes and re-verification. |
Low | Relatively small risks with low impact on users' information and funds. Should be fixed. |
Informational | Not critical to the secure operation of the system, but relevant to defensive coding best practices. |
Security analysis report
In the end, we provided Jibrel with two reports: the smart contract audit and the technical expertise. The documents contain all detected risks and possible ways to mitigate them, details of the issues and vulnerabilities, and recommendations for fixing them.
Post-audit fixes review
The report contained all necessary information about the vulnerabilities found and gave the client thorough guidance on eliminating them. The client made all required improvements and fixed the full list of vulnerabilities according to the auditors' recommendations.
Audit Result
We checked this project against common development practices. Here are some of the reviews we conducted (the full list includes them but is not limited to them):
- General code review
- Developer tools usage review
- Test coverage review
- Storage variables usage analysis
- Dependency review
- Gas cost analysis
As a result, no critical issues were found, but the team did find some high- and medium-severity issues during the analysis, as well as some unclear points in the unit test coverage.
See the full list of found vulnerabilities and recommendations about their improvements in those documents:
After receiving the report, the client made all required fixes; issues of all severity levels were resolved or mitigated.
Therefore, according to the rules listed above, the overall security of the Tranche.finance smart contract system can be evaluated as Highly Secure, 95 out of 100.
Blaize's team of auditors continues to cooperate with Tranche and guard the security of the protocol. See the Tranche Compound Protocol and Tranche Staking protocol audit reports below.