Stable Labs is introducing new stablecoins. In addition to Euro- and USD-backed stablecoins, Stable Labs will continue to expand into key markets, including the Czech Crown and the Polish Zloty.
Stable Labs engaged Ackee Blockchain to perform a security review of the Stable Labs Token & Treasury contracts for a total of 5 engineering days in a period between June 24 and June 28, 2024.
METHODOLOGY
We began our review with static analysis tools, including Wake. We then took a deep dive into the logic of the contracts. For testing and fuzzing, we used the Wake testing framework.
During the review, we paid special attention to:
- ensuring the arithmetic of the system is correct,
- detecting possible reentrancies in the code,
- ensuring access controls are not too relaxed or too strict,
- looking for common issues such as data validation.
SCOPE
The audit has been performed on the commit 79d08d4 and the exact scope was the following files:
- src/connectorLayer/TreasuryOrchestrator.sol
- src/tokens/StRWA.sol
- src/tokens/StStable.sol
- src/utils/Greenlist.sol
- src/utils/Treasury.sol
FINDINGS
Here are the findings from our audit.
Critical severity
No critical severity issues were found.
High severity
H1: Wipe logic does not work
H2: Locked tokens due to missing approval
Medium severity
M1: Renounce ownership
Low severity
L1: Revert inconsistency on transfer
L2: Double-entrypoint for the initialize function
L3: Missing events
Warning severity
W1: Inconsistent usage of msg.sender and _msgSender()
W2: Potential storage clashes
Information severity
I1: Code duplication
I2: Unused import
I3: Unused event
I4: The encodedReleases mapping is not used
I5: The release functions are similar
I6: Ambiguous naming of a function
I7: Inconsistent usage of modifiers and checks in function’s body
I8: Inefficient array iterations
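The titles above are all the summary gives; the details of each finding are in the full report. To make the class of issue behind M1 concrete, the following is an added generic illustration written for this post, not code from the Stable Labs repository and not a reproduction of the reported finding. It assumes a contract whose admin functions are gated by a single owner address, as in a standard Ownable pattern: a public renounce function that sets the owner to address(0) leaves every onlyOwner function permanently unreachable, so the hardened variant overrides it to revert. Contract and function names (`OwnableWeak`, `OwnableHardened`, `setPaused`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal owner-gated contract for illustration only (not the audited code).
contract OwnableWeak {
    address public owner;
    bool public paused;

    error NotOwner();

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // An admin action that must stay reachable for the lifetime of the contract
    // (pausing, configuring, upgrading, recovering funds).
    function setPaused(bool _paused) external onlyOwner {
        paused = _paused;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    // Weak form: after this call owner == address(0), so no caller can ever
    // satisfy onlyOwner again. A mistaken or malicious call bricks administration.
    function renounceOwnership() public virtual onlyOwner {
        emit OwnershipTransferred(owner, address(0));
        owner = address(0);
    }
}

// Hardened form: the renounce entrypoint still exists (keeping the interface
// stable) but can never succeed, so the admin role cannot be destroyed.
contract OwnableHardened is OwnableWeak {
    error RenounceDisabled();

    function renounceOwnership() public view override onlyOwner {
        revert RenounceDisabled();
    }
}
```

A deployment test for the hardened variant is a two-liner: call renounceOwnership from the owner, expect the RenounceDisabled revert, then confirm setPaused still succeeds. That is exactly the kind of check the conclusion below refers to when it notes that the most severe issues could have been found simply by executing the functions.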
CONCLUSION
Our review resulted in 16 findings, ranging from Info to High severity. The most severe issues stem from insufficient testing and could have been discovered simply by executing the affected functions.
Ackee Blockchain recommends Stable Labs:
- write a comprehensive test suite, ideally including fuzz tests,
- address all reported issues.
Ackee Blockchain’s full Stable Labs audit report, which includes a more detailed description of all findings and recommendations, can be found here.
We were delighted to audit Stable Labs and look forward to working with them again.