The Ackee Blockchain Security Team performed the audit of the GoodGhosting protocol, which was completed on 08.10.2021. After the audit, Ackee Blockchain and GoodGhosting agreed on a re-audit, which was completed on 09.11.2021. The whole auditing process was performed with a total time donation of 6 engineering days.
GoodGhosting is a DeFi no-loss saving protocol that collects deposits from users and earns yield on those deposits through decentralized finance dapps such as Aave and Curve.
How does GoodGhosting work?
At the time of writing this blog post, GoodGhosting supports Polygon and Celo. Players join a no-loss saving game by depositing funds into a shared saving pool, and they have to keep depositing on schedule, as specified by each game's rules, to earn interest and rewards. A player who misses a deposit deadline earns no interest but still gets their deposits back. When the game is over, the players who never missed a deadline are the winners and share the pool's interest and rewards.
Interest is earned through decentralized finance dapps such as Aave and Curve on Polygon, and Moola on Celo.
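The settlement rule described above (principal always returned, interest and rewards split only among players who never missed a round) is exactly what the redeem-consistency objective of an audit is checked against. The following Python model is an added illustration, not GoodGhosting's own Solidity code: all names, the equal split among winners, the treatment of rewards as the same unit as interest, and the sample game are assumptions made here. Amounts are integers in the smallest token unit so that division behaves like Solidity's floor division, and the leftover from that division is tracked as dust.

```python
# Hypothetical model of a no-loss savings game settlement (not GoodGhosting's code).
# Amounts are integers in the smallest token unit, so division uses floor
# semantics like Solidity; "dust" is whatever integer division leaves behind.


def settle(segments, segment_payment, paid, interest, rewards):
    """Compute final payouts for one game.

    segments        number of deposit rounds in the game
    segment_payment required deposit per round
    paid            {player: set of round indices the player deposited in on time}
    interest        yield the pool earned (e.g. from a lending protocol)
    rewards         extra reward tokens, treated here as the same unit as interest

    Returns (payouts, dust): payouts maps player -> amount owed; dust is the
    part of interest + rewards that integer division could not distribute
    (or the whole pool when there are no winners; who keeps it is a design
    decision this model leaves open).
    """
    if segments <= 0 or segment_payment <= 0:
        raise ValueError("a game needs at least one round and a positive payment")
    all_rounds = set(range(segments))
    for player, rounds in paid.items():
        if not rounds <= all_rounds:
            raise ValueError(f"{player} has a deposit outside the game's rounds")

    # A winner is a player who never missed a round (assumed rule).
    winners = [p for p, rounds in paid.items() if rounds == all_rounds]
    pool = interest + rewards
    share = pool // len(winners) if winners else 0

    payouts = {}
    for player, rounds in paid.items():
        principal = segment_payment * len(rounds)     # always returned: no loss
        bonus = share if player in winners else 0     # losers earn nothing extra
        payouts[player] = principal + bonus
    dust = pool - share * len(winners)
    return payouts, dust


def check_invariants(segments, segment_payment, paid, interest, rewards):
    """The properties an auditor checks redeem logic against."""
    payouts, dust = settle(segments, segment_payment, paid, interest, rewards)
    all_rounds = set(range(segments))
    total_principal = sum(segment_payment * len(r) for r in paid.values())

    # Conservation: what goes out plus what is left equals what came in.
    if sum(payouts.values()) + dust != total_principal + interest + rewards:
        return False
    for player, rounds in paid.items():
        principal = segment_payment * len(rounds)
        if payouts[player] < principal:                 # no-loss guarantee
            return False
        if rounds != all_rounds and payouts[player] != principal:
            return False                                # no interest after a missed round
    return True


def example_game():
    """Constructed sample input: 3 rounds of 100 units, four players, 75 units of interest."""
    paid = {
        "alice": {0, 1, 2},   # never missed: winner
        "bob":   {0, 1, 2},   # never missed: winner
        "carol": {0, 2},      # missed round 1
        "dave":  {0},         # dropped out after round 0
    }
    return 3, 100, paid, 75, 0


if __name__ == "__main__":
    game = example_game()
    payouts, dust = settle(*game)
    print(payouts, "dust:", dust)   # {'alice': 337, 'bob': 337, 'carol': 200, 'dave': 100} dust: 1
    print("invariants hold:", check_invariants(*game))
```

The conservation check is the one that catches the classic mismatch in this kind of contract: if each winner's share is computed with integer division while the last withdrawer is paid "whatever is left", the dust either goes to one player or, with rounding in the other direction, the last withdrawal reverts because the pool is short by a few units. Running the same invariants against the real contract's arithmetic in a local deployment is what the redeem-consistency objective below amounts to in practice.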
Our audit methodology for GoodGhosting consisted of:
- Technical specification/documentation – a brief overview of the system is requested from the client, and the audit scope is defined.
- Tool-based analysis – deep check with automated Solidity analysis tools is performed.
- Manual code review – the code is checked line by line for common vulnerabilities, code duplication and best practices, and the code architecture is reviewed.
- Local deployment + hacking – contracts are deployed locally, and we try to attack the system and break it.
- Unit testing – we run the unit tests to ensure that the system works as expected, and where needed we write our own unit tests for specific suspicious scenarios.
At the start of the auditing process, we defined the following main objectives of the audit:
- Check the code quality, architecture, and best practices.
- Check that nobody unauthorized is able to steal funds.
- Check that redeem calculations are consistent and don't contain any mismatches.
- Check that nobody is able to cheat the game or manipulate its logic.
What were our findings?
Using our toolset, manual code review, and unit testing, we identified 4 low severity issues, 2 medium severity issues and 1 high severity issue.
High severity issues are security vulnerabilities that require specific steps and conditions to be exploited, or bugs that make a system unusable or unreliable. These issues had to be fixed.
The GoodGhosting team responsibly took several weeks to resolve the findings from our audit report. As mentioned above, we agreed on a re-audit, which was completed on 09.11.2021; in the re-audit we reviewed whether all the findings had been fixed.
The GoodGhosting team correctly fixed the issues discovered in the first audit, with the exception of the high severity issue and one medium severity issue, which were deprecated since the affected smart contracts were not used in production.