Kommunitas is a decentralized and tier-free Launchpad on Polygon. They are connecting the world to the largest project in the most cost-effective cryptocurrency chain.
The Kommunitas platform’s purpose is to allow project teams to focus on project development and product development while the community handles marketing, publicity, and initial user base. They are searching for a strong team with a distinctive and innovative vision in the cryptocurrency industry.
Kommunitas engaged Shellboxes to conduct a security assessment on the Kommunitas Staking V3, using methodical approaches to evaluate potential security issues associated with the implementation of smart contracts by exposing possible semantic discrepancies between the smart contract code and design document. Additionally, we recommended additional ideas to optimize the existing code. Our findings indicate that the current version of smart contracts can still be enhanced further due to the presence of many security and performance concerns.
The Kommunitas Staking V3 presents new features such as:
Shellboxes used a combination of manual and automated security testing to achieve a balance between efficiency, timeliness, practicability, and correctness within the audit’s scope. While manual testing is advised for identifying problems in logic, procedure, and implementation, automated testing techniques help to expand the coverage of smart contracts and can quickly detect code that does not comply with security best practices.
After Analyzing the smart contracts thoroughly, 3 high-severity, 4 medium severity, 5 low-severity vulnerabilities were revealed.
The Audit identified three high severity issues. First, a user can get more than a single KomV token due to an issue with contract logic which could lead to voting manipulation. Secondly, any worker can unstake tokens from any staker, leading to a potential loss of funds or other negative consequences. Lastly, the savior has unrestricted power to withdraw tokens with an emergencyWithdraw function; our team recommended implementing restrictions or limitations to prevent potential abuse. All of these issues require immediate attention in order to mitigate any adverse effects.
For the Medium severity issues, the owner can change any compound type without permission or authorization, potentially leading to unexpected negative consequences for users. Second, there is a lack of two-factor verification for updating the admin proxy address, which can lead to a wrong address permanently assigned as admin. Third, there is a risk of centralization due to the owner being the only one able to modify values related to each lock index. Fourth, the owner can renounce ownership, meaning the contract will no longer have access to owner-exclusive functionality. All of these issues require prompt attention and adequate resources in order to mitigate any potential risks or adverse effects.
Lastly, Each individual low-severity issue could potentially create unpredictable behavior, introduce security risks and vulnerabilities, or cause the contract’s functionality to become inaccessible. Race conditions could lead to unintended behavior in the stake function, missing token address verification can allow an attacker to set token addresses to non-contract addresses, missing value verification can let APY be set to 0 or penalty fees be set to large numbers, missing address verification can make the contract’s functionality inaccessible, and dissynchronization between workerNumber and actual number of workers could lead to a mismatch in those values.
To enhance the structure and code quality of the code, Shellboxes provided a number of best practices to address in order to achieve a better code readability/optimization. these best practices includes Using a Solidity Modifier to Encapsulate onlySavior Checks, using Separate Pause/Unpause Functions and Optimizing Event Emission by Combining Functions.
A good amount of tests were performed on the code to ensure that the funcionality is valid. Which resulted in 27 passed tests.
The ShellBoxes team always goes the extra mile when it comes to meeting the client’s needs, deadlines, and expectations. Kommunitas and ShellBoxes have accomplished a lot in a short amount of time by assisting with securing their smart contract and enabling them to scale securely.
ShellBoxes and Kommunitas will continue their collaboration to secure their environment and make web3.0 a safer place.