Gnosis Safe engaged Ackee Blockchain to review and audit SafeDAO’s VestingPool contract between May 23 and 27, 2022. The entire audit process was conducted with a total time commitment of 2 engineering days. We now publish a summary of our results.

Methodology

We start by reviewing the specifications, source code, and instructions provided to us, which is essential to ensure we understand the project's size, scope, and functionality. This is followed by due diligence using automated Solidity analysis tools, including Slither.

In addition to tool-based analysis, we continue with a detailed manual code review: reading the source code line by line to identify potential vulnerabilities and code duplication. When the code review is complete, we run the unit tests to ensure the system works as expected and, where needed, write missing unit or fuzz tests. We also deploy the contracts locally and try to attack and break the system.

Scope

We audited commit a50728c28dd510ceae1b65bb526db98148a76f31 of the safe-global/safe-token repository.

During the security review, we focused on discovering issues, vulnerabilities, and gas optimizations in the source code of SafeDAO’s VestingPool contract.

Findings

Here we present our findings.

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

M1: Pool Manager role

Low severity

No low severity issues were found.

Warning severity

No warning severity issues were found.

Informational severity

I1: Public functions

I2: Typos in the comments

I3: Possible gas optimization in claimVestedTokens()

Conclusion

Our review resulted in 4 findings ranging from Informational to Medium severity.

Generally, we can state that the code quality is very high, and the code is well commented. The documentation is sufficient, and the client’s test coverage is nearly 100%.

Update: On June 23, 2022, Gnosis Safe provided an updated codebase that addresses the reported issues. Some of the findings (I2, I3) were acknowledged and fixed; the rest (M1, I1) were marked as "not an issue" after the client provided additional information.


Ackee Blockchain’s full SafeDAO’s VestingPool contract audit report with a more detailed description of all findings and recommendations can be found here.


We were delighted to audit Gnosis Safe and look forward to working with them again.