Monerium is a financial technology company with the mission of making digital currency accessible, secure, and simple to transact. Monerium is an industry leader in compliant emoney solutions regulated in Iceland.
The smart contracts had previously been audited with a total time donation of 12 engineering days in a period between June 15 and July 4, 2023. The previous Monerium audit summary covers Revisions 1.0, 1.1, and 1.2. This audit summary focuses on the methodology, findings and recommendations of Revision 2.0 and 2.1.
Revision 2.0
Monerium engaged Ackee Blockchain to perform an additional security review of the Monerium Smart contracts (Revision 2.0 and 2.1) for a total of 4 engineering days in a period between February 20 and February 27, 2024.
Revision 2.1
The fix review was done on the given commit:
METHODOLOGY
Revision 2.0
We began our review by using Wake static analyzer. Then we performed a manual code review with a particular focus on:
- validating ERC-2612 implementation,
- signature refactor of the burn function and revised flow,
- detection of common problems, including data validation issues,
- compliance with best practices.
Revision 2.1
In revision 2.1, we manually reviewed the changes made to the contracts and the fixes of the issues found in the previous review.
SCOPE
The scope of the audit was the difference between previous Monerium audit commit
Revision 2.0: The audit was performed on the commit
Revision 2.1: The fix review was performed on the commit
FINDINGS
Here we present our findings.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
No medium severity issues were found.
Low severity
No low severity issues were found.
Warning severity
W7: Missing event.
W8: Unchecked return values.
W9: Dead code.
Information severity
I7: Duplicated hash string.
I8: Unused imports.
I9: Commented-out code.
I10: Interface organization.
I11: Typos.
CONCLUSION
Revision 2.0 resulted in 8 findings, ranging from Informational to Warning severity.
W7 and W8 are related to events and data validation. W9, I8 and unused constant in I7 were discovered using the Wake static analyzer. Most of the findings point to the code quality.
Ackee Blockchain recommends Monerium to:
- ensure return values are always validated,
- emit event after every contract state change,
- remove unused code from the codebase,
- address all other reported issues,
- use Tools for Solidity (Wake) VS Code extension for static analysis (would identify W9, partly I7, and I8 during the development process).
Out of 8 findings Monerium fixed 5 issues and 3 were acknowledged with relevant comments.
Ackee Blockchain’s full Monerium audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Monerium and look forward to working with them again.