SMART CONTRACT SECURITY AUDITS FOR STARKDEFI
In the rapidly evolving landscape of blockchain technology and decentralized finance, ensuring the security and integrity of smart contracts has become paramount. StarkDeFi, with its forward-thinking vision in the DeFi space, recognized this imperative and approached Blaize – an industry-leading expert in blockchain solutions and security audits.
StarkDeFi, appreciating the gravity of this responsibility, teamed up with Blaize – renowned experts in smart contract auditing – to meticulously scrutinize their underlying systems and ensure not only their functionality but also their invulnerability against potential breaches.
ABOUT THE PROJECT
StarkDeFi, an advanced project operating on the cutting-edge Starknet network, is no ordinary DeFi solution. Written in the Cairo programming language, a choice reflecting both versatility and sophistication, StarkDeFi ushers in a new era of decentralized exchange platforms. Central to its design is a DEX built around an AMM algorithm, a combination engineered to optimize liquidity transactions and offer users efficient and secure trading.
StarkDeFi is not just another DeFi initiative; it embodies a synthesis of advanced programming, strategic foresight, and a deep understanding of current DeFi challenges and opportunities. To meet the high expectations and requirements of an advanced web3 project, we assisted the StarkDeFi team in auditing their smart contracts over two iterations.
Read also how Blaize succeeded in a smart contract security audit preparation for a DeFi project CoinSender.
During our audit, we scrutinized the codebase for various vulnerabilities in several stages:
1) Standard vulnerability checklists, including but not limited to:
- L1-L2 Addresses Conversion
- Transaction-ordering dependence
- Validation of input data
- Vulnerability for Denial-of-Service (DoS) attacks
- Slippage and Flashloans/Big liquidity vulnerabilities
- Storage issues (uninitialized, unused, etc.) and incorrect usage of local variables
- Upgradeability issues
- Correct calculations and precision
and other potential Cairo vulnerabilities and attack vectors;
2) Business logic decomposition to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;
3) Review of dependencies, integrations and 3rd parties, verified with appropriate integration tests;
4) Our own internal security checklists, additionally verified during the testing stage.
The team's main focus was on:
- Verification of the correctness of AMM K-invariant and correctness of reserves changes;
- Verification of fee calculation and distribution;
- Checking the flows for creating volatile or stable pairs, adding and removing liquidity, and exchanging tokens, including common DEX protection measures such as slippage protection and a deadline on every action, for example a token swap;
- Checking the upgradeability flow;
- Analysis of smart contracts against the list of common Cairo vulnerabilities, including access control protection measures;
- A comprehensive unit testing of smart contracts, including edge-case scenarios for invariant, slippage protection, different amounts of tokens, and flashloan attacks.
SECURITY AUDIT PROCEDURE
Our audit processes encompassed manual and testing stages:
- MANUAL AUDIT STAGE
- Manual line-by-line code review by at least two security auditors, with cross-checks and validation from the security lead;
- Vulnerabilities analysis against several checklists, including internal Blaize.Security checklist;
- Business logic inspection;
- Protocol decomposition and component analysis, including building interaction schemes and sequence diagrams;
- Storage usage review and gas optimization review;
- Math operations and calculations analysis;
- Access control and roles structure review;
- Review of dependencies, 3rd parties, and integrations;
- Review with automated tools and static analysis;
- Code quality, documentation, and consistency review.
- TESTING STAGE
- Development of edge cases based on manual stage results;
- False positives validation;
- Integration tests for checking connections with 3rd parties;
- Manual exploratory tests over the locally deployed protocol;
- Checking the existing set of tests and performing additional unit testing;
Upon completion of the audit, we delivered a comprehensive security audit report to the StarkDeFi team. This report included:
- Identified risks
- Potential mitigations
- Detailed vulnerability assessments
- Recommendations for improvements
STILL HAVE DOUBTS ABOUT WHETHER A SECURITY AUDIT IS NECESSARY? DISCOVER MORE ABOUT IT ON OUR WEBSITE.
Upon rigorous examination, Blaize's security team provided a thorough assessment of StarkDeFi's smart contracts. The first-iteration findings revealed no critical issues; all detected matters were informational, covering aspects such as documentation and contract logic compatibility with the latest tools.
During the second iteration, following StarkDeFi's protocol upgrades, critical issues emerged concerning an invalid invariant k calculation and the handling of the token swap path array. These, along with a high-risk issue in fee collection after liquidity withdrawal, were promptly addressed. A significant observation was the increased security risk that came with making the contracts upgradeable: this was flagged for its potential for centralization and for threats to stored funds should access to the admin account be compromised. However, after consultation with the StarkDeFi team, the auditors verified that the protocol had taken these threats into account and had a mitigation strategy in place, so the matter was recorded as a caution rather than an issue.
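The audit focus areas listed above (correctness of the AMM K-invariant and reserve changes, fee calculation, slippage protection and action deadlines) and the second-iteration findings on the invariant k calculation and swap path array handling can be illustrated with a small model of what the corresponding unit tests check. The Python below is an added example written for this page; it is not StarkDeFi's Cairo code and not Blaize's test suite. The pool structure, the 0.30% fee charged on the input amount, the reserve figures and the token names are constructed assumptions; where the model raises SwapError, an on-chain contract would revert.

```python
"""Constructed model of a constant-product (volatile) AMM pair with the
checks an auditor would exercise in unit tests: K-invariant after a swap,
slippage protection, deadline enforcement and swap-path validation.
Illustrative only; not StarkDeFi's Cairo contracts."""
from dataclasses import dataclass

BPS = 10_000
FEE_BPS = 30  # assumed 0.30% fee taken from the input amount (constructed value)


class SwapError(Exception):
    """Raised where an on-chain contract would revert."""


@dataclass
class Pool:
    token0: str
    token1: str
    reserve0: int
    reserve1: int

    def k(self) -> int:
        # Constant-product invariant of a volatile pair.
        return self.reserve0 * self.reserve1

    def reserves_for(self, token_in: str):
        """Return (reserve_in, reserve_out) for the given input token."""
        if token_in == self.token0:
            return self.reserve0, self.reserve1
        if token_in == self.token1:
            return self.reserve1, self.reserve0
        raise SwapError(f"{token_in} is not in pool {self.token0}/{self.token1}")

    def quote(self, token_in: str, amount_in: int) -> int:
        """Output for amount_in after the fee, rounded down in the pool's favour."""
        if amount_in <= 0:
            raise SwapError("insufficient input amount")
        r_in, r_out = self.reserves_for(token_in)
        amount_in_net = amount_in * (BPS - FEE_BPS) // BPS
        return amount_in_net * r_out // (r_in + amount_in_net)

    def swap(self, token_in: str, amount_in: int, min_amount_out: int,
             now: int, deadline: int) -> int:
        """Single-hop swap with deadline, slippage and K-invariant checks."""
        if now > deadline:
            raise SwapError("deadline expired")
        amount_out = self.quote(token_in, amount_in)
        if amount_out < min_amount_out:
            raise SwapError("insufficient output amount (slippage)")
        _, r_out = self.reserves_for(token_in)
        if amount_out >= r_out:
            raise SwapError("insufficient liquidity")
        k_before = self.k()
        # The full input, fee included, stays in the reserves, so k must not decrease.
        if token_in == self.token0:
            self.reserve0 += amount_in
            self.reserve1 -= amount_out
        else:
            self.reserve1 += amount_in
            self.reserve0 -= amount_out
        if self.k() < k_before:
            raise SwapError("K invariant violated")
        return amount_out


def swap_along_path(pools, path, amount_in: int, min_amount_out: int,
                    now: int, deadline: int) -> int:
    """Multi-hop swap: validate the path array, quote the whole route, then execute."""
    if len(path) < 2:
        raise SwapError("invalid path: at least two tokens required")
    hops, seen = [], set()
    for a, b in zip(path, path[1:]):
        if a == b:
            raise SwapError("invalid path: identical consecutive tokens")
        pool = next((p for p in pools if {p.token0, p.token1} == {a, b}), None)
        if pool is None:
            raise SwapError(f"invalid path: no pool for {a}/{b}")
        if id(pool) in seen:
            raise SwapError("invalid path: pool visited twice")
        seen.add(id(pool))
        hops.append((pool, a))
    # Quote the full route before touching any reserves, so a failed
    # slippage check leaves every pool unchanged.
    amount = amount_in
    for pool, token_in in hops:
        amount = pool.quote(token_in, amount)
    if amount < min_amount_out:
        raise SwapError("insufficient output amount (slippage)")
    amount = amount_in
    for pool, token_in in hops:
        amount = pool.swap(token_in, amount, 0, now, deadline)
    return amount


if __name__ == "__main__":
    pool = Pool("A", "B", 1_000_000, 1_000_000)  # constructed reserves
    print("out:", pool.swap("A", 10_000, 9_800, now=50, deadline=100))
    print("k grew:", pool.k() >= 1_000_000 * 1_000_000)
```

The single-hop path keeps the swap fee inside the reserves, which is why the test for the invariant is k_after >= k_before rather than strict equality; an implementation that subtracted the fee from the reserves before checking k, or computed k from the wrong pair of reserves, would fail that assertion. The router quotes the entire route before executing any hop, so the slippage and deadline checks cannot leave a partially executed trade behind.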
The Blaize team advised StarkDeFi to implement post-audit measures, such as the deployment of the active protection/monitoring service and initiating a bug bounty program, to bolster security. StarkDeFi’s overall audit security score stands at an impressive 9.75 out of 10, highlighting the substantial safety and efficacy of the smart contracts in place.
Take a closer look at the StarkDeFi security report on the Blaize.Security GitHub.