{"id":512,"date":"2023-05-30T11:01:31","date_gmt":"2023-05-30T09:01:31","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=512"},"modified":"2024-05-16T12:42:50","modified_gmt":"2024-05-16T10:42:50","slug":"ipor-iportoken-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/ipor-iportoken-audit-summary\/","title":{"rendered":"IPOR: IporToken audit summary"},"content":{"rendered":"<p><a href=\"https:\/\/www.ipor.io\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">IPOR<\/span><\/a><span style=\"font-weight: 400;\"> (Inter-Protocol Offered Rate) protocol works as a weighted index average of several different borrowing and lending sources. Handling and selecting the most relevant sources would be done via the IPOR Decentralized Autonomous Organization (DAO) to achieve a completely decentralized system. The transparent mathematical formulas calculate a weighted average.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The IPOR team engaged Ackee Blockchain to perform a security review of the Ipor protocol parts, specifically IporToken and Ipor mining, within a period between <\/span><b>October 17<\/b><span style=\"font-weight: 400;\"> and <\/span><b>November 9<\/b><span style=\"font-weight: 400;\">, <\/span><b>2022 for Revision 1.0<\/b><span style=\"font-weight: 400;\">. 
This report covers the IporToken contract; the fix review (<\/span><b>Revision 1.1<\/b><span style=\"font-weight: 400;\">) was done on <\/span><b>November 21<\/b><span style=\"font-weight: 400;\"> on the given commit: a1a3657 in <\/span><a href=\"https:\/\/github.com\/IPOR-Labs\/ipor-protocol\/blob\/develop\/contracts\/tokens\/IporToken.sol\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">a public repository<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review using static analysis tools, namely Slither and <a href=\"https:\/\/getwake.io\/\" target=\"_blank\" rel=\"noopener\">Wake<\/a>. We then took a deep dive into the logic of the contracts.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">During the review, we paid particular attention to:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> ensuring the arithmetic of the system is correct,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> detecting possible reentrancies in the code,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> ensuring access controls are not too relaxed or too strict,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> looking for common issues such as data validation,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> ensuring the token handling logic is correct.<\/span><\/li>\n<\/ul>\n<p><b>SCOPE\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We performed a security review of the Ipor protocol parts, specifically IporToken and Ipor mining (John and PowerIpor contracts). The audit was performed on commit 01c08c3. At the client\u2019s request, the report was divided into two parts. This report covers the IporToken contract only. 
The fix review (<\/span><b>Revision 1.1<\/b><span style=\"font-weight: 400;\">) was done on the given commit: a1a3657 in <\/span><a href=\"https:\/\/github.com\/IPOR-Labs\/ipor-protocol\/blob\/develop\/contracts\/tokens\/IporToken.sol\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">a public repository.<\/span><\/a><\/p>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our <\/span><span style=\"font-weight: 400;\">findings<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h5><b>Critical severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h5><b>High severity\u00a0<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No medium severity issues were found.\u00a0\u00a0<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.\u00a0<\/span><\/p>\n<h5><b>Warning severity\u00a0<\/b><\/h5>\n<p><b>W1:<\/b><span style=\"font-weight: 400;\"> Usage of solc optimizer<\/span><\/p>\n<h5><b>Informational severity\u00a0<\/b><\/h5>\n<p><b>I1: <\/b><span style=\"font-weight: 400;\">Redundant inheritance of Ownable<\/span><\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in <\/span><b>2 findings<\/b><span style=\"font-weight: 400;\"> ranging from <\/span><i><span style=\"font-weight: 400;\">Info<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Warning<\/span><\/i><span style=\"font-weight: 400;\"> severity. 
In the protocol, no actual threat has been found, and most issues are about the code performance and quality.<\/span><\/p>\n<p><b>We recommended IPOR to:<\/b><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> improve the code quality by adding NatSpec documentation,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> pay more attention to the code performance and gas usage,<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> address all reported issues.<\/span><\/li>\n<\/ul>\n<p><b>Update: <\/b><span style=\"font-weight: 400;\">During <\/span><b>Report Revision 1.1 <\/b><span style=\"font-weight: 400;\">no significant changes were performed in the contract, and no new vulnerabilities were found. One reported issue was fixed, and the second one was acknowledged.<\/span><\/p>\n<p><b>Ackee Blockchain\u2019s full <\/b><b><i>IPOR protocol<\/i><\/b><b> audit report with a more detailed description of all findings and recommendations can be found <\/b><a href=\"https:\/\/drive.google.com\/file\/d\/1fXMK_pWAtmd_6FVl2h9HsZYDk8o-Q4uI\/view\" target=\"_blank\" rel=\"noopener\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> IPOR<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IPOR (Inter-Protocol Offered Rate) protocol works as a weighted index average of several different borrowing and lending sources. Handling and selecting the most relevant sources would be done via the IPOR Decentralized Autonomous Organization (DAO) to achieve a completely decentralized system. The transparent mathematical formulas calculate a weighted average. 
IPOR team engaged Ackee Blockchain to perform a security review of the Ipor protocol&hellip;<\/p>\n","protected":false},"author":15,"featured_media":513,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,80,103],"tags":[21,24,110,104],"class_list":["post-512","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-solidity","category-wake","tag-audit","tag-ethereum","tag-ipor","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/05\/IPOR-token-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/05\/IPOR-token-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=512"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/512\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/513"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}