Introduction
CoinFabrik was asked to audit the contracts for the Geodefi project. First we will provide a summary of our discoveries, and then we will show the details of our findings.
Scope
The audited files are from the git repository located at https://github.com/Geodefi/Portal-Avax.git. The audit is based on the commit 895e79900b757f0f29edc105eb0c9bb8be1dde1c
.
Fixes were checked on commit 8f0397777b86812e9528483e21e8091334a9d4f8
.
The audited files are:
- contracts/Portal/gAVAX.sol: gAVAX token implementation.
- contracts/Portal/helpers/ERC1155SupplyMinterPauser.sol: Base contract for ERC1155. Most of the code has been taken from the OpenZeppelin library. See Modified OpenZeppelin ERC1155 Support in Other Considerations for details.
- contracts/Portal/Portal.sol: It contains the Portal contract, which is a decentralized Minter that builds a trustless staking Ecosystem for any service provider.
- contracts/Portal/utils/StakeUtilsLib.sol: It contains the logic for staking gAVAX tokens.
- contracts/Portal/utils/GeodeUtilsLib.sol: It contains functions responsible for administration of Geode Portal, including functions related to “limited upgradability” with Senate & proposals.
- contracts/Portal/utils/DataStoreLib.sol: Storage management tool designed to create a safe and scalable storage layout with the help of ids and keys.
The scope of the audit is limited to those files. No other files in this repository were audited. Its dependencies are assumed to work according to their documentation. In particular, it must be noted that the contracts/WithdrawalPool/LPToken.sol
file was audited in the Geodefi’s audit made in May 2022 by us.
Also, no tests were reviewed for this audit.
Analyses
Without being limited to them, the audit process included the following analyses:
- Arithmetic errors
- Outdated version of Solidity compiler
- Race conditions
- Reentrancy attacks
- Misuse of block timestamps
- Denial of service attacks
- Excessive gas usage
- Missing or misused function qualifiers
- Needlessly complex code and contract interactions
- Poor or nonexistent error handling
- Insufficient validation of the input parameters
- Incorrect handling of cryptographic signatures
- Centralization and upgradeability
Summary of Findings
We found no critical or medium issues. Several minor issues were found. Also, several enhancements were proposed.
Two minor issues were resolved, three minor issues were acknowledged and one minor issue was retracted as we found it was not an issue in the first place.
Security Issues
ID | Title | Severity | Status |
---|---|---|---|
MI-01 | The Senate May Approve a Proposal Multiple Times | Minor | Resolved |
MI-02 | Phantom Overflows When Multiply and Divide | Minor | Acknowledged |
MI-03 | Missing Zero Check | Minor | Resolved |
MI-04 | Retracted | Minor | Retracted |
MI-05 | Excessive Capability For Withdrawal Pool | Minor | Acknowledged |
MI-06 | Excessive Trust in Withdrawal Pool | Minor | Acknowledged |
Security Issues Found
Severity Classification
Security risks are classified as follows:
- Critical: These are issues that we manage to exploit. They compromise the system seriously. They must be fixed immediately.
- Medium: These are potentially exploitable issues. Even though we did not manage to exploit them or their impact is not clear, they might represent a security risk in the near future. We suggest fixing them as soon as possible.
- Minor: These issues represent problems that are relatively small or difficult to take advantage of, but can be exploited in combination with other issues. These kinds of issues do not block deployments in production environments. They should be taken into account and be fixed when possible.
Issues Status
An issue detected by this audit can have four distinct statuses:
- Unresolved: The issue has not been resolved.
- Acknowledged: The issue remains in the code, but is a result of an intentional decision.
- Resolved: Adjusted program implementation to eliminate the risk.
- Partially resolved: Adjusted program implementation to eliminate part of the risk. The other part remains in the code, but is a result of an intentional decision.
- Mitigated: Implemented actions to minimize the impact or likelihood of the risk.
- Retracted: After further analysis, we found that the issue originally reported was not an actual issue.
Critical Severity Issues
No issues found.
Medium Severity Issues
No issues found.
Minor Severity Issues
MI-01 The Senate May Approve a Proposal Multiple Times
Location:
contracts/Portal/utils/GeodeUtilsLib.sol:256-285
The senate may approve several times a proposal in the same block if Portal.approveProposal() is invoked in different transactions of the same block. This may lead to inconsistencies such as orphan withdrawal pools.
The problem is that the deadline of the proposal is checked in line 261
require( self._proposalForId[id].deadline >= block.timestamp, "GeodeUtils: proposal expired" );
And the deadline is set in line 281 as the current timestamp
self._proposalForId[id].deadline = block.timestamp;
So the check would pass again if run in the same block.
Recommendation
Check that the proposal deadline is strictly bigger than the current timestamp (>).
Status
Resolved.
MI-02 Phantom Overflows When Multiply and Divide
Location:
contracts/Portal/utils/StakeUtilsLib.sol: 306,352,362
When multiplying and dividing 3 256-bit numbers (a*b/c), the intermediate result of multiplying a*b may exceed 256 bits even if the final result is under 256bits. This will trigger an overflow, reverting the transaction.
Recommendation
In order to avoid the unwanted overflow, implement the multiply and divide operation to handle bigger numbers after the multiplication. If multiplying 256bit numbers, it should handle 512-bit results.
Status
Acknowledged. The development team says that “Because the parameters are limited with small numbers, such as periodsSinceUpdate can only be 1-2-… , we think solving this issue is unnecessary and increases code complexity.”
MI-03 Missing Zero Check
Location:
contracts/Portal/Portal.sol: 473
The Portal.setDefaultInterface() function lacks a zero check for the address of the _newDefault interface, but this check is implemented in the Portal.initialize() function (see line 121 of contracts/Portal/Portal.sol).
Recommendation
Add the zero check.
Status
Resolved according to the recommendation.
MI-04 Retracted
Retracted. After further analysis, we found that the MI-04 issue originally reported was not an actual issue.
MI-05 Excessive Capability For Withdrawal Pool
Location:
contracts/Portal/utils/StakeUtilsLib.sol:772
The planet’s withdrawal pool is given the power to operate on behalf of the Portal contract in the gAVAX contract for all the ids in line 772 of contracts/Portal/utils/StakeUtilsLib.sol, even though it needs to operate only in tokens associated with the withdrawal pool’s id:
getgAVAX(self).setApprovalForAll(WithdrawalPool, true);
Recommendation
Add a function in gAVAX to approve a single id and use that to give the capability to the WithdrawalPool.
Status
Acknowledged.
MI-06 Excessive Trust in Withdrawal Pool
Location:
contracts/Portal/utils/StakeUtilsLib.sol: 226-232
While doing a buyback, the library calls the swap() function of the corresponding withdrawal pool and, instead of measuring the obtained amount of gAVAX it trusts the value provided by the withdrawal pool, which may or may not be the actual amount obtained. An incorrect amount may lead to burning or transferring an incorrect amount of gAVAX.
Recommendation
Instead of trusting that the amount of gAVAX reported is correct, ask for the balance before and after doing the swap and check the minimum amount obtained after that.
Status
Acknowledged. According to the development team: “Since Withdrawal Pool contract is not upgradable, we believe it is okay to trust“.
Enhancements
These items do not represent a security risk. They are best practices that we suggest implementing.
Table
ID | Title | Status |
---|---|---|
EN-01 | gAVAX Contract Roles Simplification | Not implemented |
EN-02 | Proposal Mechanism Improvements | Not implemented |
EN-03 | Governance-Change Mechanism | Not implemented |
EN-04 | Gas Optimization Accessing Datastore | Implemented |
Details
EN-01 gAVAX Contract Roles Simplification
Location:
contracts/Portal/gAVAX.sol
contracts/Portal/helpers/ERC1155SupplyMinterPauser.sol
As described in lines 135-136 of contracts/Portal/gAVAX.sol, the oracle, pauser and minter roles are intended to be given to a single address, the Portal address. So there is no need to separate those roles nor have support for this role to be had by several addresses simultaneously.
Recommendation
So we recommend to not use AccessControl-type roles, and instead to derive from OpenZepellin’s Ownable contract, giving the owner all the privileges of those roles. This would significantly simplify the gAVAX contract reducing the attack surface.
Status
Not implemented.
EN-02 Proposal Mechanism Improvements
Location:
contracts/Portal/Portal.sol
contracts/Portal/utils/GeodeUtilsLib.sol
The approval proposal mechanism in the Portal contract has some drawbacks. In particular we found that:
- There are no mechanisms to withdraw a proposal before expiration if not approved.
- There are no mechanisms to remove planets or operators. If for any reason a misbehaved planet or operator must be removed, an emergency code upgrade will be required.
- As mentioned in the Actions on Proposal Approval subsection of the Other Considerations section, proposals with unknown types will be registered as approved but no other action will be taken.
Recommendation
In order to solve these problems we recommend to:
- Add a mechanism for the governance to withdraw proposals that were not approved yet.
- Add additional proposal types to remove operators and planets (or some other similar mechanism).
- Do not allow unknown proposal types to be proposed (and approved).
- Do not allow ids already taken as planets or operators to be used in proposals for new planets and operators.
Status
Not implemented.
EN-03 Governance-Change Mechanism
Location:
contracts/Portal/Portal.sol
In the Portal contract the governance cannot be changed without a code update.
Recommendation
Add a mechanism to change the governance to a new address. Take into account that:
- All the withdrawal-pools ownerships should be transferred to the new governance (see line 672 of Portal.sol) or the ownership should be set to the Portal contract itself and the governance should interact with the Portal contract in order to exercise the ownership of the withdrawal pool.
- Given the risk of a bogus address set as the governance. The new address should accept the role before the old address relinquishes this capability.
- We don’t have an opinion regarding whether the change of governance should be senate approved or not.
Status
Not implemented.
EN-04 Gas Optimization Accessing Datastore
Location:
contracts/Portal/utils/StakeUtilsLib.sol: 515,521,522,525,526
contracts/Portal/Portal.sol: 774,775,778,779
When reading from the Datastore, if the same value has to be used several times in the same function it is cheaper to store the value in a local variable and use that value.
For example see the repetition when fetching unclaimedFees in lines 520-526 of contracts/Portal/utils/StakeUtilsLib.sol (repetition underlined).
if ( _DATASTORE.readUintForId(_poolId, "unclaimedFees") > _DATASTORE.readUintForId(_poolId, "surplus") ) { // the difference between unclaimedFees and the surplus is the debt for the fees. uint256 debtInFees = _DATASTORE.readUintForId(_poolId, "unclaimedFees") - _DATASTORE.readUintForId(_poolId, "surplus");
Recommendation
Look for functions that use the same value stored in a function and refactor them to put the value in a local variable and use that in the rest of the function.
Status
Implemented.
Other Considerations
The considerations stated in this section are not right or wrong. We do not suggest any action to fix them. But we consider that they may be of interest for other stakeholders of the project, including users of the audited contracts, owners or project investors.
Centralization
In both gAVAX and Portal contracts, efforts were made to make them less centralized.
gAVAX
In the gAVAX contract it must be noted that the minter role is very powerful, as it can gain the oracle and pauser role. It also can mint new tokens for any address (and any id) and set the interface for any id.
The interface for a given id may burn tokens of that id for any account, via the burn() function. This makes the minter addresses capable of minting and burning tokens for any id.
It must also be noted that a default admin can grant or revoke the minter, pauser, oracle and default admin role and by default this role is given to the deployer of the contract.
Portal
In the Portal contract it must be noted that initially both the governance role and the senate role are taken by the _GOVERNANCE
address passed via the initialize()
function, effectively making the contract centralized in practice before a different senate is set via the proposal mechanism given that the upgrade mechanism can deploy arbitrary contract code and is proposed by the governance and approved by the senate.
It must also be noted that the governance cannot be changed to any other address and will by the owner of all the withdrawal pools handled by the Portal (see lines 671-672 of contract/Portal/Portal.sol
, function approveProposal()
).
address WithdrawalPool = STAKEPOOL.deployWithdrawalPool(DATASTORE, _id); Ownable(WithdrawalPool).transferOwnership(GEODE.GOVERNANCE);
Upgrades
gAVAX
The gAVAX contract has no mechanism for upgrading it.
Portal
In order to upgrade the Portal contract, the following procedure must be followed:
- The governance must make an upgrade proposal via the
newProposal()
function. The new implementation must be passed in the_CONTROLLER
parameter. - The senate then must approve the proposal via the
approveProposal()
function. - After that
upgradeTo()
can be called by anyone, passing the new implementation address. See UUPSUpgradeable documentation in OpenZeppelin for more information.
Modified OpenZeppelin ERC1155 support
The utilities in the OpenZeppelin/contracts library for support of the ERC1155 standard were changed to support the development of the gAVAX token. The modified libraries reside in the contracts/Portal/helpers/ERC1155SupplyMinterPauser.sol file. The code was taken from the OpenZeppelin git repository at https://github.com/OpenZeppelin/openzeppelin-contracts/ and based on commit cb3f2ab900e39c5ab6e0de6663edf06f573b834f. The following changes were made:
- The
_doSafeTransferAcceptanceCheck()
method of the ERC1155 contract visibility was changed from private to internal in order to allow it to be overridden in child contracts. - The
ERC1155PresetMinterPauser
was renamed as ERC1155SupplyMinterPauser. - The
ERC1155SupplyMinterPauser
gained a new base contract, ERC1155Supply. - The
ERC1155SupplyMinterPauser._beforeTokenTransfer()
function was marked as overriding theERC1155Supply._beforeTokenTransfer()
aswell.
It must be noted that the _doSafeTransferAcceptanceCheck()
function is overridden in the gAVAX contract, allowing the interface of the token id to transfer (or mint) tokens to contracts that do not implement the IERC1155Receiver interface. This functionality is not available for batch transfers (or batch mints).
Unavailable Operations When Portal is Paused
The governance can pause the Portal contract. While paused, the following operations cannot be made:
- Change the controller associated with an id via the
changeIdCONTROLLER()
function. - Change the maintainer associated with an id via the
changeIdMaintainer()
function. - Set the default interface via the
setDefaultInterface()
function. - Active and deactivate the operator associated with an id via the
activateOperator()
anddeactivateOperator()
functions. - Set the interface associated with a planet via the
setPlanetInterface() function
. - Set the PBank associated with an operator and a planet via the
setPBank()
function. - Obtain the PBank associated with an operator and a planet via the
getPBank()
function. - Add new proposals via the
newProposal()
function. - Approve proposals via the
approveProposal()
function. - Approve a new senate via the
approveSenate()
function. - Set new prices and increase balances for operators via the
reportOracle()
function. - Pay debt associated with a staking pool via the
payDebt()
function. - Claim a surplus associated with a staking pool via the
claimSurplus()
function. - Claim fees associated with a planet via the
claimFee()
function.
Actions on Proposal Approval
In the Portal contract, unless the proposal is a senate proposal, when a proposal is approved by the senate via the approveProposal()
function, the controller in the proposal is set as the controller for the id of the proposal. After that, other actions are made based on the type of the proposal. Hereunder is a list of proposal types and actions:
- Type 2 (upgrade): The controller associated with the proposal is approved for upgrade.
- Type 4 (operator): The controller in the proposal is set as “maintainer” for the proposal id.
- Type 5 (planet): Several actions are made:
- The controller in the proposal is set as “maintainer” for the proposal id.
- A new interface is cloned from the
DEFAULT_INTERFACE
and associated with the proposal id - A new withdrawal pool is deployed, associated with the proposal id and its ownership is transferred to the governance.
- Other types: No extra actions.
New senate proposals (type 1) have a different workflow. When 2/3 of the planets vote for a new senate via the approveSenate()
function, the controller of the new senate proposal will be instituted as the new senate.
Oracle Interactions and Price Setting in Portal
In the Portal contract, the oracle informs increases in the balance for each operator. When this happens the logic located in the reportOracle()
function defined in the contracts/Portal/utils/StakeUtilsLib.sol
file is executed, calculating a new price.
In particular, the new price needs to pass the checks in the _sanityCheck()
function defined in the same file. Here it checks that the price is monotonically ascending and that it does not grow too fast. If any of the checks fail then the transaction informing the new balances for each operator for the given _poolId
fails. If for any reason those balances must be set in a way that voids this test, the only possible actions are to either upgrade the Portal code to change these limitations or report a different balance increase for the operators.
After the price is calculated it is informed to the gAVAX contract via the setPricePerShare()
function.
gAVAX-Portal Interaction
According to the documentation in lines 135-156 of contracts/Portal/gAVAX.sol
, the Portal contract has the minter, pauser and oracle roles for the gAVAX contract.
On the Portal contract side, we assume that the address passed in the _gAVAX
parameter points to a gAVAX contract. That’s why we assume that the contract is trusted.
Privileged Roles
These are the privileged roles that we identified on each of the audited contracts.
gAVAX
Approved Operator
An approved operator may burn or transfer away tokens for any id corresponding to the account that approved the operator.
Approved operators may be added or removed via the setApprovalForAll()
function.
Minter
An address with the minter role can:
- mint tokens for any id and add them on any account.
- set the interface for each id.
- acquire the pauser and oracle role via the
updateMinterPauserOracle()
function. - give any other address the minter, pauser, and oracle roles while renouncing these roles via the
updateMinterPauserOracle()
function.
This role is handled using the OpenZeppelin’s AccessControl base contract. The initial minter is the deployer of the contract (the constructor msgSender()
).
The development team informed us that this role is given to the Portal contract after deployment.
Pauser
An address with the pauser role can pause and unpause the gAVAX contract. While the contract is paused all mint, burn and transfer operations will be reverted, but the rest of the functionality will still work. For example, the oracle will be able to set a new price.
This role is handled using the OpenZeppelin’s AccessControl base contract. The initial pauser is the deployer of the contract (the constructor msgSender()
).
The development team informed us that this role is given to the Portal contract after deployment.
Oracle
An oracle may set the price per share for any id.
This role is handled using the OpenZeppelin’s AccessControl base contract. The initial oracle is the deployer of the contract (the constructor msgSender()
).
The development team informed us that this role is given to the Portal contract after deployment.
Interface
The interface for an id may transfer away or burn tokens of any account for this id, via the safeTransferFrom() and burn() functions. It may even transfer tokens to a contract that does not implement the onERC1155Received()
function or to a contract that would reject the transfer via the same function, not respecting the specification of ERC1155.
The interface-id association may be set and unset by a minter via the setInterface()
function.
Default admin
All AccessControl derived contracts have a default admin role that can add and remove addresses to any role if another admin is not set for that role via the grantRole()
function. The initial default admin is the deployer of the contract (the constructor msgSender()
). Given that no admin roles are set in the code, this address can grant and remove the minter, pauser, oracle and default admin roles to any address.
Portal
Governance
The governance can:
- Pause and resume (unpause) the Portal via the
pause()
andunpause()
functions. See Unavailable Operations When Portal is Paused in the Other Considerations section for details. - Set the operation fee via the
setOperationFee()
function. - Set the maximum maintainer fee via the
setMaxMaintainerFee()
function. - Set the default interface via the
setDefaultInterface()
function. - Make new proposals via the
newProposal()
function.
The address of the governance is passed as a parameter in the initialize()
function, and cannot be changed without updating the code of the Portal contract.
Oracle
The oracle can:
- Increase balances for operators via the reportOracle() function for any of the liquidity pools if the block.timestamp is in the oracle-active time window. This increase will change the price of the asset according to the calculations in the
reportOracle()
function defined in thecontracts/Portal/utils/StakeUtilsLib.sol
file at line 381.
Senate
The senate can:
- set the maximum operation fee via the
setMaxOperationFee()
function. - approve all proposals except for type 1 (new senate). See Actions on Proposal Approval in the Other Considerations section for details.
The initial senate is set with the same address as the governance in the initialize()
function. The senate can work for up to 730 days after the initialization of the contract for the first senate and approval of the new senate for the next ones, as the senate can be changed with a proposal at any time. The governance can propose a new senate, which will be set if 2/3 of the voters chose to approve it.
Maintainer
The maintainer associated with a given id can:
- set and unset the interface associated with the id via the
setPlanetInterface()
function. - set the PBank associated with the operator and a planet via the
setPBank()
function. - set the maintainer fee associated with the id via the
setMaintainerFee()
function. - activate and deactivate an operator for the given id via the
activateOperator()
and deactivateOperator() functions. - pay the debt of the staking pool associated with a pool via the
payDebt()
function. - claim the surplus of the staking pool associated with a pool via the
claimSurplus()
function. - pause and unpause staking on the pool associated with the given id via the
pauseStakingForPool()
andunpauseStakingForPool()
functions.
The maintainer associated with an id is set when the proposal for an operator (type 4) or a planet (type 5) is approved. The initial address is set to the controller of the id. The controller of the address can set a new maintainer using the changeIdMaintainer()
function.
Controller
The controller associated with a given id can:
- set a new controller for the given id via the
changeIdCONTROLLER()
function.- May set an invalid address, making the id effectively have no controller.
- set a new maintainer for the given id via the
changeIdMaintainer()
function.- May set an invalid address, making the id effectively have no maintainer.
- vote to approve a new senate.
- One vote per id will be counted.
- Valid votes are for ids that correspond to a planet.
- A new senate will be set if 2/3 of the possible voters choose to approve the new senate.
The controller associated with an id is set when a non-senate proposal is approved.
Changelog
- 2022-08-05 – Initial report based on commit
895e79900b757f0f29edc105eb0c9bb8be1dde1c
. - 2022-08-23 – Fixes checked on commit
8f0397777b86812e9528483e21e8091334a9d4f8
. - 2022-08-23 – Minor changes in the Other Considerations and Privileged roles sections, based on feedback from the development team.