{"id":354,"date":"2022-08-26T12:00:38","date_gmt":"2022-08-26T10:00:38","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=354"},"modified":"2022-10-03T17:16:45","modified_gmt":"2022-10-03T15:16:45","slug":"safe-token-airdrop-contract-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/safe-token-airdrop-contract-audit-summary\/","title":{"rendered":"Safe Token: Airdrop Contract Audit Summary"},"content":{"rendered":"<p class=\"p1\"><span class=\"s1\"><a href=\"https:\/\/gnosis-safe.io\/\">Safe Token<\/a><\/span> <span style=\"font-weight: 400;\">engaged <a href=\"https:\/\/ackeeblockchain.com\/\">Ackee Blockchain<\/a><\/span>\u00a0<span style=\"font-weight: 400;\">to review and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/audit\/\">audit<\/a><\/span> the Airdrop contract between <b>July 13 and 15, 2022<\/b>. The entire audit process was conducted with a total time commitment of<b> 3 engineering days<\/b>. We now publish a summary of our results.<!--more--><\/p>\n<h4 class=\"p2\"><b>Methodology<\/b><\/h4>\n<p class=\"p1\">We start by reviewing the specifications, sources, and instructions provided to us, which is essential to ensure we understand the project&#8217;s size, scope, and functionality. This is followed by due diligence using the automated <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/solidity\/\"><span class=\"s2\">Solidity<\/span><\/a> analysis tools and <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/slither\/\"><span class=\"s2\">Slither<\/span><\/a>.<\/p>\n<p class=\"p1\">In addition to tool-based analysis, we continue with a detailed manual code review, which is the process of reading the source code line by line to identify potential vulnerabilities or code duplications. When the code review is complete, we run unit tests to ensure the system works as expected and potentially write missing unit or fuzz tests. 
We also deploy the <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/smart-contract\/\"><span class=\"s2\">contracts<\/span><\/a> locally and try to attack and break the system.<\/p>\n<h4 class=\"p2\"><b>Scope<\/b><\/h4>\n<p class=\"p1\">We audited commit <a href=\"https:\/\/github.com\/safe-global\/safe-token\/tree\/d997f134b2390f714a49b2ad8adbaf879f34c6ba\"><em>d997f13<\/em><\/a> of the <a href=\"https:\/\/github.com\/safe-global\/safe-token\"><span class=\"s1\">safe-global\/safe-token<\/span><\/a>\u00a0repository.<\/p>\n<p class=\"p1\">During the security review,\u00a0<strong>we paid particular attention to<\/strong>:<\/p>\n<ul>\n<li>ensuring that no one would be able to claim any tokens other than those intended;<\/li>\n<li>detecting possible reentrancies in the code;<\/li>\n<li>ensuring access controls are neither too relaxed nor too strict;<\/li>\n<li>looking for common issues such as insufficient data validation.<\/li>\n<\/ul>\n<h4 class=\"p2\"><b>Findings<\/b><\/h4>\n<p class=\"p1\">Here we present our <a href=\"https:\/\/ackeeblockchain.com\/blog\/glossary\/findings\/\"><span class=\"s2\">findings<\/span><\/a>.<\/p>\n<h5 class=\"p5\"><b>Critical severity<\/b><\/h5>\n<p class=\"p1\">No critical severity issues were found.<\/p>\n<h5 class=\"p5\"><b>High severity<\/b><\/h5>\n<p class=\"p1\">No high severity issues were found.<\/p>\n<h5 class=\"p5\"><b>Medium severity<\/b><\/h5>\n<p><strong>M1:<\/strong> The variable <span style=\"color: #0000ff;\">redeemDeadline<\/span> can be set to the past<\/p>\n<h5 class=\"p5\"><b>Low severity<\/b><\/h5>\n<p class=\"p1\">No low severity issues were found.<\/p>\n<h5 class=\"p5\"><b>Warning severity<\/b><\/h5>\n<p class=\"p1\">No warning severity issues were found.<\/p>\n<h5 class=\"p5\"><b>Informational severity<\/b><\/h5>\n<p class=\"p1\">No informational severity issues were found.<\/p>\n<h4 class=\"p2\"><b>Conclusion<\/b><\/h4>\n<p class=\"p1\">Our review resulted in <b>1 medium severity finding<\/b>.<\/p>\n<p class=\"p1\">Generally, we can state that the contract is <strong>very well written<\/strong> and each line has its purpose. The project is nicely readable, <strong>well documented<\/strong> and has an extensive test suite.<\/p>\n<p class=\"p1\">After the audit,\u00a0<b>we recommended<\/b> <strong>Safe Token<\/strong> <strong>to<\/strong>:<\/p>\n<ul class=\"ul1\">\n<li class=\"li2\">address all reported issues.<\/li>\n<\/ul>\n<p class=\"p1\"><b>Update: <\/b>On <b>August 25, 2022<\/b>, Safe Token provided an updated codebase that addresses the reported issue. The updated commit was <em><a href=\"https:\/\/github.com\/safe-global\/safe-token\/commit\/c10da49dcc23d4384d37cf5294916af4faa9592f\">c10da49<\/a><\/em>. The issue was fixed by adding a <span style=\"color: #0000ff;\">require<\/span> statement to the constructor that enforces that <span style=\"color: #0000ff;\">redeemDeadline<\/span> is set to a future date.<\/p>\n<p class=\"p1\"><b>Ackee Blockchain&#8217;s full <i>Airdrop contract <\/i>audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/github.com\/safe-global\/safe-token\/blob\/main\/docs\/ackee_audit_airdrop_contract.pdf\"><span class=\"s2\"><b>here<\/b><\/span><\/a><b>.<\/b><\/p>\n<p class=\"p1\">We were delighted to audit<b> Safe Token<\/b>\u00a0and look forward to working with them again.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Safe Token engaged Ackee Blockchain\u00a0to review and audit the Airdrop contract between July 13 and 15, 2022. 
The entire audit process was conducted with a total time commitment of 3 engineering days. We now publish a summary of our results.<\/p>\n","protected":false},"author":11,"featured_media":363,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10],"tags":[21,27,24,33,76,73,64,28],"class_list":["post-354","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","tag-audit","tag-blockchain","tag-ethereum","tag-evm","tag-gnosis-safe","tag-safe-token","tag-security","tag-smart-contract"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/09\/Gnosis_Safe-Cover-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2022\/09\/Gnosis_Safe-Cover-600x600.png","author_info":{"display_name":"Andrea Nov\u00e1kov\u00e1","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrea-novakova\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/354","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=354"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/354\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/363"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2
\/tags?post=354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}