Monerium: audit summary

Monerium is a financial technology company with the mission of making digital currency accessible, secure, and simple to transact. It is the first Electronic Money Institution (EMI) licensed to issue fiat currencies onto blockchains. Monerium is authorized in the 27 European Union Member States, Iceland, Liechtenstein and Norway.

Monerium engaged Ackee Blockchain to perform a security review of the Monerium protocol with a total time donation of 12 engineering days in a period between June 15 and July 4, 2023.

REGULATIONS IN CRYPTO

Monerium EMI ehf. is authorized and regulated as and Electronic Money Institution under the Icelandic Electronic Money Act No. 17/2013 which implements the European Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions. 

The importance of crypto regulations became clear as Markets in Crypto-Assets Regulation (MiCA) was introduced. MiCA is a regulatory framework proposed by the European Commission to address the growing use of cryptocurrencies and other crypto-assets within the European Union (EU) which entered into force in June 2023. One of the outcomes of MiCA is a requirement on regular audits (every six months) by independent (3rd party) auditors, such as Ackee Blockchain.

METHODOLOGY

We began our review by using static analysis tools, namely Woke. We then took a deep dive into the logic of the contracts. For testing, we have involved Woke testing framework. During the review, we paid special attention to:

• ensuring the access controls are not too relaxed or too strict
• identification of potential reentrancies in the code
• verification of the system’s arithmetic integrity
• detection of common problems, including data validation issues
• compliance with the best practices. 

SCOPE

The scope of the audit covered all contracts in the protocol, commit 2ff1709.

FINDINGS

Here we present our findings.

Critical severity 

No critical severity issues were found. 

High severity 

No high severity issues were found. 

Medium severity

M1: Access control architecture

M2: Renounce ownership

M3: Weak ownership

M4: Unchecked return values

M5: Missing decimals validation 

Low severity

L1: Missing validations 

Warning severity

W1: Impossible to remove bridgeFrontend

W2: Unprotected functions

W3: Missing events

W4: Duplicated event 

W5: Testing contracts

W6: Multiple compiler versions

Informational severity

I1: Unused library  

I2: Unused variables

I3: Naming conventions 

I4: Unnecessary SafeMath

I5: Typos 

I6: Inconsistent uint syntax

CONCLUSION

Our review resulted in 18 findings, ranging from Info to Medium severity. The most severe ones are related to ownership, access control and data validations. These issues aren’t a direct threat but they can create vulnerabilities due to human errors in the future. Of particular concern is the owner’s multi-sig scheme of 2/6, which is severely weak. 

The overall code quality and architecture are not the best and contain many violations of Solidity development best practices like data validations, unused code, naming conventions, etc.

Ackee Blockchain recommends Monerium to: 

• increase owner’s multi-sig threshold
• review and fix the access control architecture
• ensure return values are always validated
• separate production contracts from testing contracts, • remove unused code from the codebase
• address all other reported issues. 

UPD: The review was done on the given commit: 3477259. Monerium fixed all medium-severity issues and the multi-sig scheme has been increased to 3/6. The only acknowledged issue L1 is not addressed because of the planned redesign. 

Ackee Blockchain’s full Monerium audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Monerium and look forward to working with them again with them.