Prepared by: HALBORN
Date of Engagement: September 9th, 2024 - September 20th, 2024
100% of all REPORTED Findings have been addressed
| Severity | Findings |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 0 |
| Low | 4 |
| Informational | 5 |
| All findings | 10 |
Pepper Team engaged Halborn to conduct a security assessment on their smart contracts beginning on September 9th, 2024, and ending on September 20th, 2024. The security assessments were scoped to the smart contracts provided in the pepper-token GitHub repository. Commit hashes and further details can be found in the Scope section of this report.
Halborn was provided 11 (eleven) days for the engagement and assigned 1 (one) full-time security engineer to review the security of the smart contracts in scope. The engineer is a blockchain and smart contract security expert with advanced penetration testing and smart contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of the assessment is to:
Identify potential security issues within the smart contracts.
Ensure that smart contract functionality operates as intended.
In summary, Halborn identified a number of security issues, most of which were addressed by the Pepper team. The main security issues were:
A minting limit calculation in the airdrop contract that could cause legitimate user claims to revert instead of minting the tokens owed.
Missing input validation in critical setter functions.
Gas saving suggestions.
| Security analysis | Risk level | Remediation |
|---|---|---|
| Minting Limit Calculation May Prevent Legitimate Claims | High | Solved - 09/19/2024 |
| Missing Zero-Value Check in changeEpochLength Function | Low | Solved - 09/19/2024 |
| Insufficient Validation of Claim Start Block | Low | Solved - 09/19/2024 |
| Modification of Claim Start Block After Claiming Begins | Low | Solved - 09/19/2024 |
| Modification of Epoch Length After Claiming Begins | Low | Solved - 09/19/2024 |
| Lack of two-step ownership transfer pattern | Informational | Acknowledged - 09/19/2024 |
| Lack of Null Value Validation | Informational | Solved - 09/19/2024 |
| Suboptimal Gas Usage in removeValidator Function | Informational | Solved - 09/19/2024 |
| Code Duplication in getPendingClaim and claim Functions | Informational | Solved - 09/19/2024 |
| Minor Reward Discrepancy Between calculateRewards and calculateRewards2 | Informational | Acknowledged - 09/26/2024 |
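Four of the Low findings and one Informational finding above are about the same class of problem: privileged setters that accept a zero value, accept a start block that is already in the past, or can be changed after claiming has begun, plus a single-step ownership transfer. The contract below is an added illustration written for this page, not code from the pepper-token repository or from Halborn's report. Only `changeEpochLength` is named in the report; `setClaimStartBlock`, `transferOwnership`, `acceptOwnership`, the state variable names and the custom errors are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical airdrop configuration contract (not Pepper's code). It shows the
// guards the findings call for: zero-value checks, a future-only claim start
// block, freezing parameters once claiming begins, and two-step ownership.
contract AirdropConfig {
    address public owner;
    address public pendingOwner; // assumed name: holder of a not-yet-accepted transfer
    uint256 public claimStartBlock; // assumed name: first block at which claim() may succeed
    uint256 public epochLength;     // assumed name: blocks per reward epoch

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    event EpochLengthChanged(uint256 oldValue, uint256 newValue);
    event ClaimStartBlockChanged(uint256 oldValue, uint256 newValue);

    error NotOwner();
    error NotPendingOwner();
    error ZeroValue();
    error ZeroAddress();
    error StartBlockNotInFuture(uint256 startBlock, uint256 currentBlock);
    error ClaimingAlreadyStarted();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Once the claim window has opened, changing the schedule would silently alter
    // what users are entitled to, so every schedule setter is gated on this.
    modifier beforeClaimStart() {
        if (block.number >= claimStartBlock) revert ClaimingAlreadyStarted();
        _;
    }

    constructor(uint256 _claimStartBlock, uint256 _epochLength) {
        if (_epochLength == 0) revert ZeroValue();
        if (_claimStartBlock <= block.number) revert StartBlockNotInFuture(_claimStartBlock, block.number);
        owner = msg.sender;
        claimStartBlock = _claimStartBlock;
        epochLength = _epochLength;
    }

    // Zero-value check: an epoch length of 0 either makes a downstream division
    // revert or turns every block into its own epoch, depending on the reward math.
    function changeEpochLength(uint256 newLength) external onlyOwner beforeClaimStart {
        if (newLength == 0) revert ZeroValue();
        emit EpochLengthChanged(epochLength, newLength);
        epochLength = newLength;
    }

    // The new start block must lie strictly in the future, and the schedule cannot
    // be moved at all once claiming has begun (enforced by beforeClaimStart).
    function setClaimStartBlock(uint256 newStart) external onlyOwner beforeClaimStart {
        if (newStart <= block.number) revert StartBlockNotInFuture(newStart, block.number);
        emit ClaimStartBlockChanged(claimStartBlock, newStart);
        claimStartBlock = newStart;
    }

    // Two-step ownership transfer: a mistyped address no longer bricks the contract,
    // because the new owner has to prove control of the key by calling acceptOwnership().
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}
```

The check a reviewer applies to a contract like this is simple: for every `onlyOwner` setter, ask what the contract does if the argument is zero, if it is in the past, and if it is changed after users have already relied on the old value. Each of the Low findings in the table corresponds to one of those three questions being left unanswered.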
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.