Smart Contract Assessment - Moonwell

1. INTRODUCTION

Moonwell Finance engaged Halborn to conduct a security audit on their smart contracts beginning on 2022-04-05 and ending on 2022-06-17. The security assessment was scoped to the smart contracts provided to the Halborn team.

2. AUDIT SUMMARY

The team at Halborn was provided a week for the engagement and assigned a full-time security engineer to audit the security of the smart contract. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this audit is to:

• Ensure that smart contract functions operate as intended.

• Identify potential security issues with the smart contracts.

In summary, Halborn identified some security risks that were addressed by the Moonwell Finance team.

3. TEST APPROACH & METHODOLOGY

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the smart contract audit. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of smart contracts and can quickly identify items that do not follow security best practices. The following phases and associated tools were used throughout the term of the audit:

• Research into architecture and purpose.

• Smart Contract manual code review and walkthrough.

• Graphing out functionality and contract logic/connectivity/functions(solgraph)

• Manual Assessment of use and safety for the critical Solidity variables and functions in scope to identify any arithmetic related vulnerability classes.

• Dynamic Analysis (ganache-cli, brownie, hardhat).

4. SCOPE

\begin{enumerate} \item Moonwell Finance Token Sale Contracts \begin{enumerate} \item Repository: \href{https://github.com/moonwell-fi/moonwell-contracts-private/tree/726dcbaef18670d344fa5621c23c4db0e403583a/contracts/tokensale}{Token Sale} \item Commit ID: \href{https://github.com/moonwell-fi/moonwell-contracts-private/tree/726dcbaef18670d344fa5621c23c4db0e403583a/contracts/tokensale}{726dcbaef18670d344fa5621c23c4db0e403583a} \item New PR : \href{ https://github.com/moonwell-fi/moonwell-contracts-private/pull/43 }{PR} \item New Commit : \href{ https://github.com/moonwell-fi/moonwell-contracts-private/tree/9c51e4860c3f768190036ddcc7dbc4ef3d497c1f/contracts/tokensale }{New Commit} \end{enumerate} \item Out-of-Scope \begin{enumerate} \item test/*.sol \end{enumerate} \end{enumerate}

Out-of-scope: External contract, libraries and financial related attacks.

FIX Commit ID : 762cdc4cd9a8d09f29765f9e143b25af0ebe9720

TAG : artemis-v1