{"id":830,"date":"2024-07-01T14:52:04","date_gmt":"2024-07-01T12:52:04","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=830"},"modified":"2024-07-02T10:09:48","modified_gmt":"2024-07-02T08:09:48","slug":"monerium-smart-contracts-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/monerium-smart-contracts-audit-summary\/","title":{"rendered":"Monerium Smart Contracts Audit Summary"},"content":{"rendered":"<p><a href=\"https:\/\/monerium.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Monerium<\/span><\/a><span style=\"font-weight: 400;\"> is a financial technology company with the mission of making digital currency accessible, secure, and simple to transact. Monerium is an industry leader in compliant emoney solutions regulated in Iceland.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The smart contracts had previously been audited with a total time allocation of 12 engineering days in a period between June 15 and July 4, 2023. The previous <\/span><a href=\"https:\/\/ackee.xyz\/blog\/monerium-audit-summary\/\"><span style=\"font-weight: 400;\">Monerium audit summary<\/span><\/a><span style=\"font-weight: 400;\"> covers Revisions 1.0, 1.1, and 1.2. This audit summary focuses on the methodology, findings, and recommendations of Revisions 2.0 and 2.1.<\/span><\/p>\n<p><b>Revision 2.0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Monerium engaged Ackee Blockchain to perform an additional security review of the Monerium smart contracts (Revisions 2.0 and 2.1) for a total of 4 engineering days in a period between February 20 and February 27, 2024.<\/span><\/p>\n<p><b>Revision 2.1<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The fix review was done on commit <code>34c846c<\/code>. The issues W9, I7, I8, I9, and I10 were fixed according to our recommendations. 
Warnings W7 and W8, and Info I11 were acknowledged.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">METHODOLOGY<\/span><\/h2>\n<p><b>Revision 2.0<\/b><br \/>\n<span style=\"font-weight: 400;\">We began our review by running the <\/span><a href=\"https:\/\/github.com\/Ackee-Blockchain\/wake\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Wake<\/span><\/a><span style=\"font-weight: 400;\"> static analyzer. Then we performed a manual code review with a particular focus on:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">validating the ERC-2612 implementation,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the signature refactor of the burn function and the revised flow,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detection of common problems, including data validation issues,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">compliance with best practices.<\/span><\/li>\n<\/ul>\n<p><b>Revision 2.1<\/b><\/p>\n<p><span style=\"font-weight: 400;\">In Revision 2.1, we manually reviewed the changes made to the contracts and the fixes of the issues found in the previous review.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">SCOPE<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The scope of the audit was the difference between the previous Monerium audit commit <code>40c7c17<\/code> and the commit <code>b0cd16d<\/code> tagged as &#8220;v1.2.0&#8221;. 
The changes were audited in a broader context, including a revision of all involved components.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Revision 2.0: The audit was performed on commit <code>b0cd16d<\/code>.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Revision 2.1: The fix review was performed on commit <code>34c846c<\/code>.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">FINDINGS<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Here we present our findings.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Critical severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">High severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Medium severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No medium severity issues were found.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Low severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Warning severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">W7: Missing event.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W8: Unchecked return values.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W9: Dead code.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Information severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">I7: Duplicated hash string.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I8: Unused imports.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I9: Commented-out code.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I10: Interface organization.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I11: Typos.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">CONCLUSION<\/span><\/h2>\n<p><span style=\"font-weight: 
400;\">Revision 2.0 resulted in 8 findings, ranging from Informational to Warning severity.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W7 and W8 are related to events and data validation. W9, I8, and the unused constant in I7 were discovered using the <a href=\"https:\/\/getwake.io\/\" target=\"_blank\" rel=\"noopener\">Wake<\/a> static analyzer. Most of the findings concern code quality.<\/span><\/p>\n<p><b>Ackee Blockchain recommends Monerium to:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensure return values are always validated,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">emit an event after every contract state change,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">remove unused code from the codebase,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">address all other reported issues,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">use the <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=AckeeBlockchain.tools-for-solidity\" target=\"_blank\" rel=\"noopener\">Tools for Solidity (Wake) VS Code extension<\/a> for static analysis (it would have identified W9, I8, and partly I7 during development).<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Out of 8 findings, Monerium fixed 5 issues and acknowledged 3 with relevant comments.<\/span><\/p>\n<p><b>Ackee Blockchain\u2019s full Monerium audit report with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/monerium\/smart-contracts\/blob\/main\/audits\/v1.2.1-ackee-blockchain-monerium-smart-contracts-report-2.1.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/b><\/p>\n<p><span 
style=\"font-weight: 400;\">We were delighted to audit Monerium and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Monerium is a financial technology company with the mission of making digital currency accessible, secure, and simple to transact. Monerium is an industry leader in compliant emoney solutions regulated in Iceland. The smart contracts had previously been audited with a total time donation of 12 engineering days in a period between June 15 and July 4, 2023. The previous Monerium audit summary&hellip;<\/p>\n","protected":false},"author":17,"featured_media":831,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,103],"tags":[89,115,104],"class_list":["post-830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-wake","tag-audit-summary","tag-monerium","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Monerium-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Monerium-1-600x600.png","author_info":{"display_name":"Stepan 
Sonsky","author_link":"https:\/\/ackee.xyz\/blog\/author\/stepan\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=830"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/830\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/831"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}