Stable Labs is introducing new stablecoins. In addition to Euro- and USD-backed stablecoins, Stable Labs will continue to expand into key markets, including the Czech Crown and the Polish Zloty.

Stable Labs engaged Ackee Blockchain to perform a security review of the Stable Labs Token & Treasury contracts for a total of 5 engineering days in a period between June 24 and June 28, 2024.

METHODOLOGY

We began our review with static analysis tools, including Wake, and then took a deep dive into the logic of the contracts. For testing and fuzzing, we used the Wake testing framework.

During the review, we paid special attention to:

  • ensuring the arithmetic of the system is correct,
  • detecting possible reentrancies in the code,
  • ensuring access controls are not too relaxed or too strict,
  • looking for common issues such as insufficient data validation.

SCOPE

The audit was performed on commit 79d08d4, and the exact scope was the following files:

  • src/connectorLayer/TreasuryOrchestrator.sol
  • src/tokens/StRWA.sol
  • src/tokens/StStable.sol
  • src/utils/Greenlist.sol
  • src/utils/Treasury.sol

FINDINGS

Here are the findings from our audit.

Critical severity

No critical severity issues were found. 

High severity

H1: Wipe logic does not work

H2: Locked tokens due to missing approval

Medium severity

M1: Renounce ownership

Low severity

L1: Revert inconsistency on transfer

L2: Double-entrypoint for the initialize function

L3: Missing events

Warning severity

W1: Inconsistent usage of msg.sender and _msgSender()

W2: Potential storage clashes

Information severity

I1: Code duplication

I2: Unused import

I3: Unused event

I4: The encodedReleases mapping is not used

I5: The release functions are similar

I6: Ambiguous naming of a function

I7: Inconsistent usage of modifiers and checks in function’s body

I8: Inefficient array iterations

CONCLUSION

Our review resulted in 16 findings, ranging from Info to High severity. The most severe issues stem from insufficient testing and would have been discovered simply by executing the affected functions.


Ackee Blockchain recommends Stable Labs:

  • write a comprehensive test suite, ideally including fuzz tests,
  • address all reported issues.


Ackee Blockchain’s full Stable Labs audit report, which includes a more detailed description of all findings and recommendations, can be found here.


We were delighted to audit Stable Labs and look forward to working with them again.