Prepared by:
HALBORN
Date of Engagement: June 24th, 2024 - July 5th, 2024
100% of all reported findings have been addressed.

| Severity | Findings |
|---|---|
| All findings | 11 |
| Critical | 4 |
| High | 0 |
| Medium | 1 |
| Low | 1 |
| Informational | 5 |
Bonzo engaged our security analysis team to conduct a comprehensive security audit of their smart contract ecosystem. The primary aim was to meticulously assess the security architecture of the smart contracts to pinpoint vulnerabilities, evaluate existing security protocols, and offer actionable insights to bolster security and operational efficacy of their smart contract framework. Our assessment was strictly confined to the smart contracts provided, ensuring a focused and exhaustive analysis of their security features.
Our engagement with Bonzo spanned a 1.5-week period, during which we dedicated one full-time security engineer equipped with extensive experience in blockchain security, advanced penetration testing capabilities, and profound knowledge of various blockchain protocols. The objectives of this assessment were to:
- Verify the correct functionality of smart contract operations.
- Identify potential security vulnerabilities within the smart contracts.
- Provide recommendations to enhance the security and efficiency of the smart contracts.
Our testing strategy employed a blend of manual and automated techniques to ensure a thorough evaluation. While manual testing was pivotal for uncovering logical and implementation flaws, automated testing offered broad code coverage and rapid identification of common vulnerabilities. The testing process included:
- A detailed examination of the smart contracts' architecture and intended functionality.
- Comprehensive manual code reviews and walkthroughs.
- Functional and connectivity analysis utilizing tools like Solgraph.
- Customized script-based manual testing and testnet deployment using Foundry.
This executive summary encapsulates the pivotal findings and recommendations from our security assessment of Bonzo's smart contract ecosystem. By addressing the identified issues and implementing the recommended fixes, Bonzo can significantly boost the security, reliability, and trustworthiness of its smart contract platform.
| EXPLOITABILITY METRIC | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) | 1 |
| Attack Origin (AO) | Specific (AO:S) | 0.2 |
| Attack Cost (AC) | Low (AC:L) | 1 |
| Attack Cost (AC) | Medium (AC:M) | 0.67 |
| Attack Cost (AC) | High (AC:H) | 0.33 |
| Attack Complexity (AX) | Low (AX:L) | 1 |
| Attack Complexity (AX) | Medium (AX:M) | 0.67 |
| Attack Complexity (AX) | High (AX:H) | 0.33 |

| IMPACT METRIC | None | Low | Medium | High | Critical |
|---|---|---|---|---|---|
| Confidentiality (C) | C:N = 0 | C:L = 0.25 | C:M = 0.5 | C:H = 0.75 | C:C = 1 |
| Integrity (I) | I:N = 0 | I:L = 0.25 | I:M = 0.5 | I:H = 0.75 | I:C = 1 |
| Availability (A) | A:N = 0 | A:L = 0.25 | A:M = 0.5 | A:H = 0.75 | A:C = 1 |
| Deposit (D) | D:N = 0 | D:L = 0.25 | D:M = 0.5 | D:H = 0.75 | D:C = 1 |
| Yield (Y) | Y:N = 0 | Y:L = 0.25 | Y:M = 0.5 | Y:H = 0.75 | Y:C = 1 |

| SEVERITY COEFFICIENT | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility (R) | None (R:N) | 1 |
| Reversibility (R) | Partial (R:P) | 0.5 |
| Reversibility (R) | Full (R:F) | 0.25 |
| Scope (S) | Changed (S:C) | 1.25 |
| Scope (S) | Unchanged (S:U) | 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Incorrect asset handling during withdraw | Critical | Solved - 07/22/2024 |
| Incorrect asset handling during executeBorrow | Critical | Solved - 07/22/2024 |
| Stable Rate Mode Critical Bug | Critical | Solved - 07/23/2024 |
| Price Inflation in AToken | Critical | Solved - 07/22/2024 |
| Unsafe Modification of Decimals in LendingPoolConfigurator | Medium | Solved - 07/22/2024 |
| Lack of Two-step Ownership Transfer and Unsafe renounceOwnership | Low | Solved - 07/22/2024 |
| Suboptimal Handling of WHBAR Variables and Deployment | Informational | Acknowledged |
| Duplicate HederaTokenService Contracts | Informational | Solved - 07/22/2024 |
| Inconsistent return handling in redirectForToken | Informational | Solved - 07/22/2024 |
| Suboptimal Contract Design for getDecimals | Informational | Solved - 07/22/2024 |
| Suboptimal Token Association and Transfer Mechanism in AToken | Informational | Acknowledged |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.