{"id":259,"date":"2022-05-27T12:00:12","date_gmt":"2022-05-27T10:00:12","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=259"},"modified":"2022-10-03T17:16:14","modified_gmt":"2022-10-03T15:16:14","slug":"safedao-vestingpool-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/safedao-vestingpool-audit-summary\/","title":{"rendered":"SafeDAO: VestingPool Audit Summary"},"content":{"rendered":"<p class=\"p1\"><span class=\"s1\"><a href=\"https:\/\/gnosis-safe.io\/\">Gnosis Safe<\/a><\/span> <span style=\"font-weight: 400;\">engaged <a href=\"https:\/\/ackeeblockchain.com\/\">Ackee Blockchain<\/a><\/span> <span style=\"font-weight: 400;\">to review and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a><\/span> SafeDAO\u2019s VestingPool contract between <b>May 23 and 27, 2022<\/b>. The entire audit process was conducted with a total time commitment of <b>2 engineering days<\/b>. We now publish a summary of our results.<!--more--><\/p>\n<h4 class=\"p2\"><b>Methodology<\/b><\/h4>\n<p class=\"p1\">We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project&#8217;s size, scope, and functionality. This is followed by due diligence using automated <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/solidity\/\"><span class=\"s2\">Solidity<\/span><\/a> analysis tools and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/slither\/\"><span class=\"s2\">Slither<\/span><\/a>.<\/p>\n<p class=\"p1\">In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplications. When the code review is complete, we run unit tests to ensure the system works as expected and potentially write missing unit or fuzz tests. 
We also deploy the <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/smart-contract\/\"><span class=\"s2\">contracts<\/span><\/a> locally and try to attack and break the system.<\/p>\n<h4 class=\"p2\"><b>Scope<\/b><\/h4>\n<p class=\"p1\">We audited commit <i>a50728c28dd510ceae1b65bb526db98148a76f31<\/i> of the <a href=\"https:\/\/github.com\/safe-global\/safe-token\"><span class=\"s1\">safe-global\/safe-token<\/span><\/a> repository.<\/p>\n<p class=\"p3\">During the security review, <b>we focused on <\/b>discovering issues, vulnerabilities, and gas optimizations in the source code of SafeDAO\u2019s <a href=\"https:\/\/github.com\/safe-global\/safe-token\/blob\/4b9da95b3ebd53c12982dec563314802b480f804\/contracts\/VestingPool.sol\"><span class=\"s1\">VestingPool contract<\/span><\/a>.<\/p>\n<h4 class=\"p2\"><b>Findings<\/b><\/h4>\n<p class=\"p1\">Here we present our <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\"><span class=\"s2\">findings<\/span><\/a>.<\/p>\n<h5 class=\"p5\"><b>Critical severity<\/b><\/h5>\n<p class=\"p1\">No critical severity issues were found.<\/p>\n<h5 class=\"p5\"><b>High severity<\/b><\/h5>\n<p class=\"p1\">No high severity issues were found.<\/p>\n<h5 class=\"p5\"><b>Medium severity<\/b><\/h5>\n<p class=\"p1\"><b>M1: <\/b>Pool Manager role<\/p>\n<h5 class=\"p5\"><b>Low severity<\/b><\/h5>\n<p class=\"p1\">No low severity issues were found.<\/p>\n<h5 class=\"p5\"><b>Warning severity<\/b><\/h5>\n<p class=\"p1\">No warning severity issues were found.<\/p>\n<h5 class=\"p5\"><b>Informational severity<\/b><\/h5>\n<p class=\"p1\"><b>I1: <\/b>Public functions<\/p>\n<p class=\"p1\"><b>I2: <\/b>Typos in the 
comments<\/p>\n<p class=\"p1\"><b>I3: <\/b>Possible gas optimization in <span class=\"s3\"><i>claimVestedTokens()<\/i><\/span><\/p>\n<h4 class=\"p2\"><b>Conclusion<\/b><\/h4>\n<p class=\"p1\">Our review resulted in <b>4 findings<\/b> ranging from <i>Informational<\/i> to <i>Medium<\/i> severity.<\/p>\n<p class=\"p1\">Generally, we can state that <b>the code quality is very high<\/b>, and the code is well commented. The documentation is sufficient, and the client\u2019s test coverage is nearly <i>100%<\/i>.<\/p>\n<p class=\"p1\"><b>Update: <\/b>On <b>June 23, 2022<\/b>, Gnosis Safe provided an updated codebase that addresses the reported issues. Some of the findings (I2, I3) were acknowledged and fixed, and the rest (M1, I1) were marked as &#8220;not an issue&#8221; after additional information was provided.<\/p>\n<p class=\"p1\"><b>Ackee Blockchain&#8217;s full audit report of SafeDAO\u2019s <i>VestingPool<\/i> contract, with a more detailed description of all findings and recommendations, can be found <\/b><a href=\"https:\/\/github.com\/safe-global\/safe-token\/blob\/main\/docs\/ackee_audit_vesting_contract.pdf\"><span class=\"s2\"><b>here<\/b><\/span><\/a><b>.<\/b><\/p>\n<p class=\"p1\">We were delighted to audit <b>Gnosis Safe<\/b> and look forward to working with them again.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Gnosis Safe engaged Ackee Blockchain to review and audit SafeDAO\u2019s VestingPool contract between May 23 and 27, 2022. The entire audit process was conducted with a total time commitment of 2 engineering days. 
We now publish a summary of our results.<\/p>\n","protected":false},"author":11,"featured_media":274,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10],"tags":[21,27,24,33,76,73,64,28],"class_list":["post-259","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","tag-audit","tag-blockchain","tag-ethereum","tag-evm","tag-gnosis-safe","tag-safe-token","tag-security","tag-smart-contract"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/08\/ABCH-Gnosis-safe@2x-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/08\/ABCH-Gnosis-safe@2x-600x600.png","author_info":{"display_name":"Andrea Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=259"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/259\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/274"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","template
d":true}]}}