Avalaunch Audit <> Allocation Staking and Cooldown feature

Reading Time: 2 minutes

CoinFabrik specializes in auditing and developing Dapps.


Introduction

CoinFabrik was asked to audit the contracts for the Avalaunch AllocationStaking project. First we will provide a summary of our discoveries and then we will show the details of our findings.

Summary

The contracts audited are from the GitHub repository at
https://github.com/avalaunch-app/xava-protocol.

The audit is based on the commit fc32d84a67233ebba6f980182a951076858d30c0.

Contracts

The audited contracts are:

● contracts/AllocationStaking.sol
● contracts/sales/AvalaunchSale.sol
● contracts/sales/SalesFactory.sol

Analyses

The following analyses were performed:

● Misuse of the different call methods
● Integer overflow errors
● Division by zero errors
● Outdated version of Solidity compiler
● Front running attacks
● Reentrancy attacks
● Misuse of block timestamps
● Softlock denial of service attacks
● Functions with excessive gas cost
● Missing or misused function qualifiers
● Needlessly complex code and contract interactions
● Poor or nonexistent error handling
● Failure to use a withdrawal pattern
● Insufficient validation of the input parameters
● Incorrect handling of cryptographic signatures

Findings and Fixes

Severity Classification

Security risks are classified as follows:

Critical: These are issues that we manage to exploit. They compromise the system seriously. They must be fixed immediately.
Medium: These are potentially exploitable issues. Even though we did not
manage to exploit them or their impact is not clear, they might represent a
security risk in the near future. We suggest fixing them as soon as possible.
Minor: These issues represent problems that are relatively small or difficult to take advantage of but can be exploited in combination with other issues. These kinds of issues do not block deployments in production environments. They should be taken into account and be fixed when possible.
Enhancement: These kinds of findings do not represent a security risk. They are best practices that we suggest to implement.

This classification is summarized in the following table:

Issues Found by Severity

Critical Severity Issues

No issues found.

Medium Severity Issues

No issues found.

Minor Severity Issues

MI-01 Failure to Use safeMath Library

The functions fund() (line 120), totalPending() (line 196) and erc20Transfer() (line 412) make use of standard arithmetic which are susceptible to overflows and underflows.

Recommendation

Replace + by add() and – by sub().

Enhancements

EN-01 Unvalidated Input in Function and Constructor

The following are functions and constructors that fail to validate the input. In most cases, they are used to set parameters which may be changed later and the impact of setting a bad parameter is small.

  • The parameter _token in setSaleParams() is not checked to be non-null.
  • The input addresses _erc20 and _salesFactory in the AllocationStaking constructor are not checked to be non-null.

Conclusion

We found the contracts to be simple and straightforward and have an adequate amount of documentation. A minor vulnerability pointing to unsafe use of math was found in some functions with little security impact.

Disclaimer: This audit report is not a security warranty, investment advice, or an approval of the Avalaunch project since CoinFabrik has not reviewed its platform. Moreover, it does not provide a smart contract code faultlessness guarantee.