Safe Token engaged Ackee Blockchain to review and audit the Airdrop contract between July 13 and 15, 2022. The entire audit process was conducted with a total time commitment of 3 engineering days. We now publish a summary of our results.

Methodology

We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project’s size, scope, and functionality. This is followed by due diligence using automated Solidity analysis tools, including Slither.

In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplication. When the code review is complete, we run the unit tests to ensure the system works as expected and, where needed, write missing unit or fuzz tests. We also deploy the contracts locally and try to attack and break the system.

Scope 

We audited commit d997f13 of the safe-global/safe-token repository.

During the security review, we paid particular attention to:

  • ensuring that no one is able to claim more tokens than intended, or tokens intended for someone else;
  • detecting possible reentrancies in the code;
  • ensuring access controls are not too relaxed or too strict;
  • looking for common issues such as data validation.

Findings

Here we present our findings.

Critical severity 

No critical severity issues were found.

High severity 

No high severity issues were found.

Medium severity

M1: The variable redeemDeadline can be set to the past

Low severity

No low severity issues were found.

Warning severity 

No warning severity issues were found.

Informational severity 

No informational severity issues were found.

Conclusion

Our review resulted in 1 medium severity finding.

Generally, we can state that the contract is very well written and each line has its purpose. The project is highly readable, well documented and has an extensive test suite.

After the audit, we recommended Safe Token to: 

  • address all reported issues.

Update: On August 25, 2022, Safe Token provided an updated codebase that addresses the reported issue. The updated commit was c10da49. The issue was fixed by adding a require statement to the constructor that enforces that redeemDeadline is set to a date in the future.
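As an added illustration of the M1 finding and of the shape of the fix described above, the following minimal Solidity contract shows an unchecked deadline next to a constructor that rejects a deadline that has already passed. This is example code written for this post, not the safe-global/safe-token Airdrop contract; the contract name, the redeem() function, the claimed mapping and the error strings are assumptions made for the example, and only the deadline logic is intended to match the issue discussed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical airdrop-style contract constructed for this post. It is not the
// safe-global/safe-token Airdrop contract; only the deadline handling matters.
contract DeadlineExample {
    // Fixed at deployment. If it holds a timestamp that has already passed,
    // every redeem() call reverts and nobody can correct it afterwards.
    uint64 public immutable redeemDeadline;

    mapping(address => bool) public claimed;

    // Vulnerable form (the situation M1 describes): the deadline is stored
    // without being compared against the current block time.
    //
    //   constructor(uint64 _redeemDeadline) {
    //       redeemDeadline = _redeemDeadline;
    //   }
    //
    // Fixed form: reject any deadline that is not strictly in the future,
    // so a misconfigured deployment fails loudly instead of shipping an
    // airdrop that can never be claimed.
    constructor(uint64 _redeemDeadline) {
        require(_redeemDeadline > block.timestamp, "Redeem deadline must be in the future");
        redeemDeadline = _redeemDeadline;
    }

    // Claims are accepted only while the redeem window is open.
    function redeem() external {
        require(block.timestamp <= redeemDeadline, "Redeem window closed");
        require(!claimed[msg.sender], "Already claimed");
        claimed[msg.sender] = true;
        // Token transfer logic would follow here; it is omitted because it is
        // not relevant to the deadline check.
    }
}
```

Two practical notes on this pattern: the check belongs in the constructor precisely because the value is immutable and cannot be repaired by a later transaction; if a contract instead exposes a setter for the deadline, the same comparison has to be repeated there. The comparison against block.timestamp guards against deployer error, not against an adversarial block producer, since validators can shift a block's timestamp by a few seconds, which is irrelevant for a deadline measured in days.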


Ackee Blockchain’s full Airdrop contract audit report with a more detailed description of all findings and recommendations can be found here.


We were delighted to audit Safe Token and look forward to working with them again.