{"id":921,"date":"2024-09-11T13:55:01","date_gmt":"2024-09-11T11:55:01","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=921"},"modified":"2024-09-13T09:46:38","modified_gmt":"2024-09-13T07:46:38","slug":"stablelabs-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/stablelabs-audit-summary\/","title":{"rendered":"StableLabs Audit Summary"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Stable Labs is introducing new stablecoins. In addition to Euro and USD backed stablecoins Stable Labs will continue to expand into key markets including the Czech Crown and Polish Zloty.<\/span><\/p>\n<p><a href=\"https:\/\/stablelabs.co\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Stable Labs<\/span><\/a><span style=\"font-weight: 400;\"> engaged Ackee Blockchain to perform a security review of the Stable Labs Token &amp; Treasury contracts for a total of 5 engineering days in a period between June 24 and June 28, 2024.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">METHODOLOGY<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">We began our review using static analysis tools, including <\/span><a href=\"https:\/\/getwake.io\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Wake<\/span><\/a><span style=\"font-weight: 400;\">. We then took a deep dive into the logic of the contracts. 
For testing and fuzzing, we used the Wake testing framework.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring the arithmetic of the system is correct,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detecting possible reentrancies in the code,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring access controls are neither too relaxed nor too strict,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">looking for common issues such as insufficient data validation.\u00a0<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">SCOPE<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The audit was performed on commit <code class=\"codehl\">79d08d4<\/code>, and the exact scope was the following files:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">src\/connectorLayer\/TreasuryOrchestrator.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">src\/tokens\/StRWA.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">src\/tokens\/StStable.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">src\/utils\/Greenlist.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">src\/utils\/Treasury.sol<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">FINDINGS<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Here are the findings from our audit.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Critical severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No critical severity issues were 
found.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">High severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">H1: Wipe logic does not work<\/span><\/p>\n<p><span style=\"font-weight: 400;\">H2: Locked tokens due to missing approval<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Medium severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">M1: Renounce ownership<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Low severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">L1: Revert inconsistency on transfer<\/span><\/p>\n<p><span style=\"font-weight: 400;\">L2: Double-entrypoint for the <code class=\"codehl\">initialize<\/code> function<\/span><\/p>\n<p><span style=\"font-weight: 400;\">L3: Missing events<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Warning severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">W1: Inconsistent usage of <code class=\"codehl\">msg.sender<\/code> and <code class=\"codehl\">_msgSender()<\/code> <\/span><\/p>\n<p><span style=\"font-weight: 400;\">W2: Potential storage clashes<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Information severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">I1: Code duplication<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I2: Unused import<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I3: Unused event<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I4: The <code class=\"codehl\">encodedReleases<\/code> mapping is not used<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I5: The release functions are similar<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I6: Ambiguous naming of a function<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I7: Inconsistent usage of modifiers and checks in function&#8217;s body<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I8: Inefficient array iterations<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">CONCLUSION<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Our review resulted in 
16 findings, ranging from Info to High severity. <\/span><span style=\"font-weight: 400;\">The most severe issues are caused by insufficient testing and can be discovered simply by executing the affected functions.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Ackee Blockchain recommends Stable Labs:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">write a comprehensive test suite, ideally including fuzz tests,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">address all reported issues.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><b>Ackee Blockchain\u2019s full Stable Labs audit report, which includes a more detailed description of all findings and recommendations, can be found <a href=\"https:\/\/github.com\/Ackee-Blockchain\/public-audit-reports\/blob\/master\/2024\/ackee-blockchain-stable-labs-report.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/b><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit Stable Labs and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stable Labs is introducing new stablecoins. In addition to Euro and USD backed stablecoins Stable Labs will continue to expand into key markets including the Czech Crown and Polish Zloty. 
Stable Labs engaged Ackee Blockchain to perform a security review of the Stable Labs Token &amp; Treasury contracts for a total of 5 engineering days in a period between June 24 and&hellip;<\/p>\n","protected":false},"author":6,"featured_media":922,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10],"tags":[89,144,143,104],"class_list":["post-921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","tag-audit-summary","tag-stablecoin","tag-stablelabs","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/09\/Stable-Labs-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/09\/Stable-Labs-1-600x600.png","author_info":{"display_name":"Jan Kalivoda","author_link":"https:\/\/ackee.xyz\/blog\/author\/jan-kalivoda\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=921"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/921\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/922"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=921"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}