- Assurance
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  AI Red Teaming
  Testing AI systems against real threats
  AI Red Teaming
  Testing AI systems against real threats
  AI Security Assessment
  Securing AI models, data, and pipelines
  AI Security Assessment
  Securing AI models, data, and pipelines
- Advisory
  AI Advisory
  Guiding secure, strategic AI adoption forward
  AI Advisory
  Guiding secure, strategic AI adoption forward
  Risk Assessment
  From unknown threats to actionable insights
  Risk Assessment
  From unknown threats to actionable insights
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Compliance Readiness
  Stay ready as regulations evolve
  Compliance Readiness
  Stay ready as regulations evolve
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Technical Due Diligence
  See the risks before you invest
  Technical Due Diligence
  See the risks before you invest
  Technical Training
  Empower your teams to secure what matters
  Technical Training
  Empower your teams to secure what matters

1.0.12 BTC-Fi Hardfork - Coredao

Prepared by:

HALBORN

Last Updated Unknown date

Date of Engagement: August 6th, 2024 - September 19th, 2024

Summary

33% of all REPORTED Findings have been addressed

All findings

Critical

High

Medium

Low

Informational

1. Introduction
2. Assessment summary
3. Scope
4. Findings overview

1. Introduction

The CoreDAO team engaged Halborn to conduct a security assessment of their new genesis contract update of the CoreBTC project beginning on August 06th and ending on September 19th. The security assessment was scoped to the smart contracts provided in the GitHub repository. Commit hash and further details can be found in the Scope section of this report.

2. Assessment Summary

Halborn was provided 6 weeks for the engagement and assigned 1 full-time security engineer to review the security of the smart contracts in scope. The engineer is a blockchain and smart contract security expert with advanced penetration testing and smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

Identify potential security issues within the smart contracts.
Ensure that smart contract functionality operates as intended.

In summary, Halborn identified some risks that should be addressed by the CoreDAO team.

3. SCOPE

REPOSITORY

(a) Repository: core-genesis-contract

(b) Assessed Commit ID: abcc6f9

Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

Security analysis	Risk level	Remediation
Unrestricted Access to prepare() Function in contracts	High	Solved - 09/15/2024
Lack of Access Control on moveData Function	Medium	-
Missing Access Control for moveCandidateData Function in PledgeAgent Contract	Medium	-
Missing Re-entrancy Protection in PledgeAgent Contract	Low	Solved - 09/15/2024
Implement Re-entrancy Guard for delegate Function in BitcoinLSTStake Contract	Low	-
Implement Minimum Active Wallet Check in removeWallet Function	Low	-
Unsafe Casting to int256 from uint256	Low	-
Delegations to Zero Address Not Blocked	Low	Solved - 09/15/2024
Remove Redundant prepare() Function in CoreAgent Contract	Informational	-
Incompatibility Risk Due to Incorrect Decimal Places in Bitcoin LST Token	Informational	Solved - 09/15/2024
Incomplete State Update in undelegate Function	Informational	-
Missing Pausable Mechanism in BitcoinLSTStake Contract	Informational	-

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

1. Introduction
2. Assessment summary
3. Scope
4. Findings overview

// Download the full report

1.0.12 BTC-Fi Hardfork

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed

← Back to Audits