During the time frame of Nov 12th to 29th, 2022, ShellBoxes was tasked by Diamond Swap’s team to assess the security of the Diamond Swap system. Our examination involved a systematic evaluation of the potential security risks related to the use of smart contracts. Our approach spotlighted any mismatch between the code and the design of the smart contracts and proposed further enhancements to optimize the code. Our findings indicated that the current version of the smart contracts has numerous security and performance problems, and that there is still room for improvement.
DiamondSwap is an innovative utility that gives crypto investors the opportunity to buy and sell tokens without influencing the project’s performance. This allows for increased potential for growth as the sale won’t be visible on the chart.
DiamondSwap engaged ShellBoxes to assess the security of DiamondSwap by applying a systematic approach to identify any potential security flaws associated with the implementation of the smart contracts, as well as to make suggestions to improve the existing code. Our findings suggest that the current version of the smart contracts still has several security and performance issues that can be addressed.
The ShellBoxes team was faced with the challenge of balancing various important factors such as speed, efficiency, accuracy, and scope when conducting their security testing. To address this challenge, they decided to use a combination of both manual and automated testing methods.
Manual testing was considered essential for detecting errors in logic, procedure, and execution. It also played an important role in verifying the protocol’s invariants from the business logic to ensure that they aligned with the code implementation. This level of manual scrutiny was deemed necessary to ensure that any potential security threats were identified and addressed.
On the other hand, automated testing was utilized to broaden the scope of the security assessment and to quickly detect any code that did not comply with the established security best practices. Automated testing allowed the ShellBoxes team to cover a larger surface area and detect any potential security issues at a much faster pace.
In this way, the team was able to strike a balance between speed, practicality, accuracy, and scope, thereby ensuring that the security evaluation was comprehensive and thorough.
The smart contracts implemented for this project were found to be well-designed and properly constructed. However, upon closer inspection, several vulnerabilities were discovered in their implementation that could pose risks to the project’s security and integrity. These vulnerabilities include 13 critical-severity, 2 high-severity, 5 medium-severity, 4 low-severity, and 1 undetermined-severity issues, which require immediate attention to mitigate potential risks.
During the audit, 13 critical issues were identified that could potentially compromise the security and functionality of the contract. These issues include a loss of precision that could lead to some contributors not being able to claim their Ether, unprotected contribute functions, potential DoS attacks that could prevent users from buying tokens, missing access control on diamondTransfer, and an unprotected upgrading mechanism. Additionally, there are issues related to the cancellation of pools and the retrieval of tokens by pool owners, executing multiple operations on non-existent pools, overriding social handles, and potential privacy issues for users. Finally, there are two critical issues related to admin privileges, including the ability to drain the DiamondSwap contract and add duplicate Twitter users, as well as the risk of buyers being able to withdraw double the authorized amount.
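To illustrate the "loss of precision" class of finding above, here is an added example (not Diamond Swap's code, and not taken from the audit report) of a hypothetical pool that refunds contributors pro rata. The `claimBroken` function divides before multiplying, so any contribution smaller than the total raised rounds to a zero share and the contributor effectively cannot claim; `claimFixed` multiplies first and loses at most 1 wei to rounding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical illustration of the precision-loss pattern; not DiamondSwap's contract.
contract PrecisionLossExample {
    uint256 public totalRaised;                  // total Ether contributed
    uint256 public refundable;                   // Ether set aside for pro-rata claims
    mapping(address => uint256) public contributed;
    mapping(address => bool) public claimed;

    function contribute() external payable {
        contributed[msg.sender] += msg.value;
        totalRaised += msg.value;
    }

    // Funds the refund pool (e.g. after a pool is cancelled).
    function fund() external payable {
        refundable += msg.value;
    }

    // BAD: integer division happens first. With totalRaised = 10 ether,
    // refundable = 5 ether and a 3 ether contribution, (3 / 10) == 0, so the
    // share is 0 and the contributor receives nothing even though funds exist.
    function claimBroken() external {
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
        uint256 share = (contributed[msg.sender] / totalRaised) * refundable;
        (bool ok, ) = msg.sender.call{value: share}("");
        require(ok, "transfer failed");
    }

    // FIXED: multiply first, then divide. Same inputs give 15 / 10 = 1.5 ether.
    // Solidity 0.8 checked arithmetic reverts on overflow of the product; with
    // wei-denominated amounts (far below 2**128 each) this cannot occur.
    function claimFixed() external {
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
        uint256 share = (contributed[msg.sender] * refundable) / totalRaised;
        (bool ok, ) = msg.sender.call{value: share}("");
        require(ok, "transfer failed");
    }
}
```

Both claim paths mark the caller as claimed before the external call, so a re-entrant call cannot claim twice; the only difference between them is the order of the arithmetic.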
We identified 2 high-severity vulnerabilities that could impact the security and functionality of the contract. The first issue relates to the centralization power of the admin, which could potentially compromise the decentralized nature of the contract. Specifically, the admin has significant control over the contract, including the ability to drain the DiamondSwap contract and add duplicate Twitter users. The second issue concerns the ability of pool owners to change the visibility of a canceled pool, which could lead to confusion and potential disputes among users.
In addition, several medium-severity issues were also identified that could potentially impact the contract’s security and functionality. These issues include the potential for an Ether transfer failure that could lead to a DoS attack, a race condition that could impact the consistency of data, a missing percentage check that could result in incorrect calculations, a loss of precision that could affect the accuracy of data, and functions not existing in the interface or missing parameters. While these issues may not pose an immediate threat, addressing them in a timely manner is still important to ensure the overall security and reliability of the smart contract.
Several low-severity issues were identified that may not pose an immediate threat to the security or functionality of the contract but still warrant attention. These issues include the potential for the initialize function to be front-run, which could impact the accuracy of data, a for-loop over dynamic arrays that could impact the efficiency of the contract, missing value verification that could lead to incorrect calculations, and missing address verification that could lead to inaccessibility of the contract’s functionality. While these issues may not require immediate attention, addressing them as part of ongoing maintenance and improvement efforts can help ensure the continued reliability and efficiency of the smart contract.
During the smart contract audit, an issue was identified where no off-chain verification is performed for the price. This issue could potentially impact the accuracy and consistency of price information, which could in turn impact the overall functionality and reliability of the contract. While the precise severity of this issue cannot be determined without further investigation, it is important to address this vulnerability as part of ongoing maintenance and improvement efforts. Implementing off-chain verification processes can help ensure that price information is accurate and consistent, which can ultimately help improve the security and functionality of the smart contract.
Several best practices recommendations were identified that can help improve the security, efficiency, and readability of the contract code. These recommendations include using the pausable contract instead of allow-claim, removing isVerified from userInfo struct, removing the modifier from the getFeeData function, avoiding redundant verification on the price of sent Ether, using consistent and clear function naming conventions, removing unnecessary payable functions, removing redundant or unnecessary code, and avoiding adding unnecessary parameters in functions such as the contribute function. Implementing these best practices recommendations can help ensure the overall quality and maintainability of the smart contract, and can help reduce the risk of errors and vulnerabilities over time.
The audit of the Diamond Swap contract revealed several issues of varying severity. The Diamond Swap team worked to resolve 17 of these issues and classified the remaining risks as having a low probability of occurrence. ShellBoxes’ auditors suggested that the Diamond Swap team remain vigilant and be mindful of these findings to prevent future complications.