About GoodGhosting

GoodGhosting is a DeFi no-loss saving protocol that collects deposits from users and earns yield on those deposits through decentralized finance dapps like AAVE and Curve.

How does GoodGhosting work?

At the time of writing this blog post, GoodGhosting supports Polygon and Celo. In GoodGhosting’s no-loss saving game, players deposit funds into a saving pool. To earn interest and rewards, players have to keep making deposits into the pool as specified in each game’s rules. If they miss a deposit deadline, they will not earn any interest but will get their initial deposit back. Players who have not missed any deposit deadline by the time the saving game is over are the winners and earn a slice of the pool’s rewards.

Interest is earned through decentralized finance dapps like Aave, Curve on Polygon, or Moola on Celo.

To learn more about GoodGhosting, read the official documentation here.

About the audit

On October 8, 2021, the Ackee Blockchain security team completed an audit of the GoodGhosting protocol. The whole audit took a total of 6 engineering days.

At the beginning of the audit, the following main objectives were defined:

  • Check the code quality, architecture and best practices.
  • Check that no unauthorized party is able to steal funds.
  • Check that redeem calculations are consistent and don’t contain any mismatches.
  • Check that nobody is able to cheat the game or manipulate its logic.

The audit methodology for GoodGhosting consisted of:

  1. Technical specification/documentation – a brief overview of the system is requested from the client and the scope of the audit is defined.
  2. Tool-based analysis – a deep check is performed with the automated Solidity analysis tools MythX and Slither.
  3. Manual code review – the code is checked line by line for common vulnerabilities, code duplication and best practices, and the code architecture is reviewed.
  4. Local deployment + hacking – the contracts are deployed locally and we try to attack the system and break it.
  5. Unit testing and fuzz testing – unit tests are run to ensure that the system works as expected, and missing unit tests are written where needed. Fuzz testing is performed with Echidna.

After the audit, Ackee Blockchain and GoodGhosting agreed on a re-audit, which was completed on November 9, 2021. The main objective of the re-audit was to check the correctness of the newly implemented logic for the winners’ declaration and whether the discovered issues were correctly fixed.

Findings

Our toolset, manual code review, and unit and fuzz testing led to the following findings:

  • L1: Outdated compiler
  • L2: Use of optimizer
  • L3: Use of uint256 where uint8 is enough
  • L4: Variable packing
  • M1: Unlimited allowance
  • M2: Renounce ownership
  • H1: First player doesn’t receive the bonus

In total, 4 low-severity, 2 medium-severity and 1 high-severity issues were identified in the first audit.

Conclusion

Based on the audit report, the GoodGhosting team spent several weeks responsibly addressing the findings, and then, as noted above, the re-audit was completed on November 9, 2021.

All issues identified in the first audit were corrected; one high severity issue (H1) and one medium severity issue (M1) were deprecated because all contracts addressed by these issues were no longer in use.

We were delighted to audit GoodGhosting and look forward to working with them again. 

 

The full Ackee Blockchain audit report of GoodGhosting with a more detailed description of all findings and recommendations can be found here.