Smart Contract Audit

milestoneBased
March 23, 2021


Summary

Vidma team has conducted a smart contract audit for the given token and vesting contracts. Both contracts are in excellent condition and are well written.

During the auditing process, the Vidma security team has not found any issues, indicating that the audited contracts are fully production-ready and safe to use.

A detailed summary of the issues and their current state is displayed in the table below.

Severity of the issue   Total found   Resolved   Unresolved
Critical                0 issues      0 issues   0 issues
High                    0 issues      0 issues   0 issues
Medium                  0 issues      0 issues   0 issues
Low                     0 issues      0 issues   0 issues
Informational           0 issues      0 issues   0 issues
Total                   0 issues      0 issues   0 issues

Evaluating the findings, we can assure that the contracts are fully operational, optimized and have no security issues. Under the given circumstances we can set the following risk level:

High Confidence

Vidma auditors evaluate both the initial commit given for the scope of the audit and the last commit with the fixes, which makes it possible to adequately assess the development quality. Code style, optimization of the contracts, and the number and risk level of the issues are taken into consideration. The Vidma team has developed the transparent scoring system presented below.

Severity of the issue   Risk level   Points
Critical                1            10
High                    0.8          7
Medium                  0.5          5
Low                     0.2          0.5
Informational           0            0.1

Based on the given findings, risk level, performance, and code style, Vidma team can grant the following overall score:

100.00

Vidma auditing team has conducted a bunch of integrated autotests to ensure that the given codebase has decent performance and security levels. The test results and the coverage can be found in the accompanying section of this audit report.

Please mind that this audit does not certify the definite reliability and security level of the contract. This document describes all vulnerabilities, typos, performance issues, and security issues found by the Vidma auditing team. If the code is under development, we recommend running one more audit once the code is finalized.

Scope of work

milestoneBased is on a mission to fix a legacy system of VC capital inefficiency by revolutionizing collaboration on milestone management between crypto investors and startups. It is the first company to leverage a bloc

Within the scope of this audit, two independent auditors deeply investigated the given codebase and analyzed the overall security and performance of smart contracts.

The debrief took place from March 21st to March 23rd, 2022 and the final results are present in this document.

Vidma auditing team has made a review of the following contracts:

  • MilestoneBasedVesting;
  • MilestoneBasedToken.


The source code was taken from the following source:
https://bitbucket.org/applicature/milestonebased.contracts

Initial commit submitted for the audit:
92369ff117273eb2bd930a3e490f30f11991e4d2

To conduct a more detailed audit, milestoneBased has provided the following documentation:

https://drive.google.com/drive/folders/1yqt6Xzr5g8hm-JragY9ow239BoZ6IKkm?usp=sharing

Workflow of the auditing process

During the manual phase of the audit, the Vidma team reads through the code in order to find any security issues, typos, or discrepancies with the logic of the contract.

During the testing phase, Vidma auditors run integration tests using the Truffle testing framework. The test coverage and the tests themselves are inserted into this audit report.

The Vidma team uses the most sophisticated and contemporary methods and techniques to check the contract for the following vulnerabilities and security risks:

Re-entrancy;
Access Management Hierarchy;
Arithmetic Over/Under Flows;
Unexpected Ether;
Delegatecall;
Default Public Visibility;
Hidden Malicious Code;
Entropy Illusion (Lack of Randomness);
External Contract Referencing;
Short Address/Parameter Attack;
Unchecked CALL Return Values;
Race Conditions / Front Running;
General Denial Of Service (DOS);
Uninitialized Storage Pointers;
Floating Points and Precision;
Tx.Origin Authentication;
Signatures Replay;
Pool Asset Security (backdoors in the underlying ERC-20).

Structure and organization of the findings

For the convenience of reviewing the findings in this report, Vidma auditors classified them by the severity of the issues (from most critical to least critical). The acceptance criteria are described below.

All issues are marked as "Resolved" or "Unresolved", depending on whether they have been fixed by milestoneBased or not. The latest commit indicated in this audit report should include all the fixes made.

To ease the explanation, the Vidma team has provided a detailed description of the issues and recommendations on how to fix them.

Hence, according to the statements above, we classified all the findings in the following way:

Finding         Description
Critical        The issue bears a definite risk to the contract, so it may affect the ability to compile or operate.
High            Major security or operational risk found that may harm the end-user or the overall performance of the contract.
Medium          The issue affects the contract's operation in a way that doesn't significantly hinder its performance.
Low             Major security or operational risk found that may harm the end-user or the overall performance of the contract.
Informational   The issue bears a definite risk to the contract, so it may affect the ability to compile or operate.

Manual Report

Vidma auditors have conducted a deep analysis of the smart contracts. As the outcome, no issues were identified. The contracts are in excellent condition, and no fixes were required by the auditing team.

Test Results

To verify the contract security and performance, a set of integration tests was written using the Truffle testing framework.

The tests were based on the functionality of the code, business logic, and requirements, and were aimed at finding vulnerabilities in the contracts.

In this section, we provide both tests written by milestoneBased and Vidma auditors.

milestoneBased Coverage - 100%

Vidma Coverage – 97.14%

Industry Standard – 95%


It's important to note that Vidma auditors do not modify, edit or add tests to the existing tests provided in the milestoneBased repo. We write totally separate tests with code coverage of a minimum of 95%, to meet the industry standards.

Tests are written by milestoneBased

Test Coverage

File                        % Stmts   % Branch   % Funcs   % Lines
contracts\                  100.00    100.00     100.00    100.00
MilestoneBasedToken.sol     100.00    100.00     10.00     100.00
MilestoneBasedVesting.sol   100.00    100.00     100.00    100.00
All Files                   100.00    100.00     100.00    100.00

Contract: MilestoneBasedVesting

  • Constructor
    • Must fail if passed zero address of token
    • Must set up correctly(58ms)
  • addTokensForVesting
    • Must fail if sender isn't owner
    • Must fail if passed amount equal to zero
    • Must fail if sender hasn't approved tokens for vesting contract(57ms)
    • Must add tokens for vesting to vesting contract(62ms)
  • createVesting
    • Must fail if sender isn't owner
    • Must fail if passed zero address of beneficiary(636ms)
    • Must fail if amount of vesting equal to 0
    • Must fail if passed incorrect vesting period(45ms)
    • Must fail if amount of vesting bigger then allocation(68ms)
    • Must create vesting correctly(60ms)
  • createVestingBatch
    • Must fail if sender isn't owner(38ms)
    • Must fail if passed arrays have different length(38ms)
    • Must create vesting multiple times for different users(94ms)
    • Must create vestings with different type for one user(82ms)
  • emergencyWithdraw
    • Must fail if sender isn't owner
    • Must withdraw correct amount of tokens from vesting contract(215ms)
    • Must fail if there is no available tokens to withdraw
  • testing vesting types calculation and withdraw
    • Withdraw function must fail if user doesn't have vestings
    • All vesting must return 0 if vestings haven't started yet(102ms)
    • should donate correctly(799ms)
    • Vesting type "Marketing" must give small part of vested tokens after creation of vesting(55ms)
    • Vestings with types "Founder" and "Rewards" must return 0 while lock period
    • Vesting with type "Rewards" must return part of tokens after lock period
    • Must return correct amount of withdrawable tokens for user with multiple vestings after withdraw(141ms)
    • Vesting type "Founder" must return correct amount of tokens(433ms)
    • Vestings must return all vested tokens after vesting's end(307ms)
  • revokeVestingOfUser
    • Must fail if user's vesting is irrevocable(142ms)
    • Must revoke vesting correctly(50ms)
    • Must fail if vesting has been already revoked
    • Must revoke correct amount of user's tokens if user has claimed tokens(103ms)
  • burn
    • Must fail if sender doesn't have enough tokens to burn(95ms)
    • Must burn tokens correctly(48ms)
  • burnFrom
    • Must fail if sender doesn't have enough allowance(40ms)
    • Must fail if owner doesn't have enough tokens
    • Must burn tokens from another user correctly(47ms)
37 passing (5s)
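The vesting behaviours named in the test list above (nothing withdrawable before the start, nothing further during a lock period, an initial slice for the "Marketing" type, full release after the schedule ends, and a revoke that accounts for tokens the user has already claimed) are modelled in the Python below, added here as an illustration of the invariants such tests check. It is not the MilestoneBasedVesting contract's code: the type names come from the test list, but the percentages, lock and duration values, the 10,000-token amounts, and the rule that a revoke returns `amount - claimed` to the owner are assumptions chosen to exercise those invariants offline.

```python
"""Constructed model of a lock-based vesting schedule (illustration only).

Not the MilestoneBasedVesting contract: type names follow the test list above,
but every percentage, lock and duration value, and the revoke rule, are
assumptions chosen so the tested behaviours can be exercised offline.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class VestingType:
    name: str
    initial_bps: int  # slice released at creation, in basis points (1/100 of a percent)
    lock: int         # seconds after start during which nothing further unlocks
    duration: int     # seconds of linear release once the lock has passed
    revocable: bool


# Hypothetical parameters, not taken from the audited contracts.
TYPES: Dict[str, VestingType] = {
    "Marketing": VestingType("Marketing", initial_bps=1_000, lock=0, duration=100, revocable=True),
    "Founder": VestingType("Founder", initial_bps=0, lock=50, duration=100, revocable=False),
    "Rewards": VestingType("Rewards", initial_bps=0, lock=50, duration=100, revocable=True),
}


@dataclass
class Vesting:
    vtype: VestingType
    amount: int
    start: int
    claimed: int = 0
    revoked: bool = False


def vested(v: Vesting, now: int) -> int:
    """Tokens unlocked by `now`, regardless of how many were already claimed."""
    if now < v.start:
        return 0                                   # vesting has not started
    initial = v.amount * v.vtype.initial_bps // 10_000
    since_lock = now - v.start - v.vtype.lock
    if since_lock <= 0:
        return initial                             # still inside the lock period
    if since_lock >= v.vtype.duration:
        return v.amount                            # schedule finished: everything
    # Multiply before dividing, as the Solidity integer math would.
    return initial + (v.amount - initial) * since_lock // v.vtype.duration


def withdrawable(vestings: List[Vesting], now: int) -> int:
    """Unlocked-but-unclaimed tokens across all of a user's live vestings."""
    return sum(vested(v, now) - v.claimed for v in vestings if not v.revoked)


def withdraw(vestings: List[Vesting], now: int) -> int:
    """Claim everything withdrawable; fails for a user without vestings."""
    if not vestings:
        raise ValueError("user has no vestings")
    amount = withdrawable(vestings, now)
    for v in vestings:
        if not v.revoked:
            v.claimed = vested(v, now)
    return amount


def revoke(v: Vesting) -> int:
    """Cancel a vesting; returns what goes back to the owner (amount minus tokens already claimed)."""
    if not v.vtype.revocable:
        raise PermissionError(f"{v.vtype.name} vesting is irrevocable")
    if v.revoked:
        raise ValueError("vesting already revoked")
    v.revoked = True
    return v.amount - v.claimed


def fails(fn, *args) -> bool:
    """True if fn(*args) raises; used to record the 'must fail' cases."""
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True


def demo() -> Dict[str, object]:
    """Walk one user with three vestings through the checkpoints the test list names."""
    start = 1_000
    user = [Vesting(TYPES[t], 10_000, start) for t in ("Marketing", "Founder", "Rewards")]
    out: Dict[str, object] = {}
    out["before_start"] = withdrawable(user, start - 1)       # nothing before start
    out["at_creation"] = withdrawable(user, start)            # Marketing initial slice only
    out["in_lock"] = withdrawable(user, start + 25)           # Founder/Rewards still locked
    out["after_lock"] = withdrawable(user, start + 75)        # all three releasing
    out["withdrawn"] = withdraw(user, start + 75)
    out["after_withdraw"] = withdrawable(user, start + 100)   # only the newly unlocked part
    withdraw(user, start + 100)
    out["total_at_end"] = withdrawable(user, start + 10_000) + sum(v.claimed for v in user)
    out["revoked_rewards"] = revoke(user[2])                  # amount minus claimed
    out["founder_irrevocable"] = fails(revoke, user[1])
    out["double_revoke_fails"] = fails(revoke, user[2])
    out["empty_withdraw_fails"] = fails(withdraw, [], start)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>22}: {v}")
```

Two choices in the model are the ones an auditor looks at most closely in a real vesting contract: the release formula multiplies before it divides so that integer truncation never strands tokens, and `revoke` hands back exactly `amount - claimed`, so the owner cannot reclaim tokens the beneficiary has already withdrawn. Whether tokens that were vested but not yet claimed at revocation belong to the owner or to the user is a policy decision; this model gives them to the owner, and a contract's tests should pin down whichever rule it implements.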


Tests are written by Vidma

Test Coverage

File                        % Stmts   % Branch   % Funcs   % Lines
contracts\                  100.00    100.00     100.00    100.00
MilestoneBasedToken.sol     100.00    100.00     10.00     100.00
MilestoneBasedVesting.sol   100.00    100.00     100.00    100.00
All Files                   100.00    100.00     100.00    100.00


Test Results

Contract: MilestoneBasedToken

    • has a name
    • has a symbol
    • has 18 decimals
  • total supply
    • returns the total amount of tokens
  • balanceOf
  • when the requested account has no tokens
    • returns zero
  • when the requested account has some tokens
    • reverts
  • transfer

We are delighted to have had the chance to work together with the milestoneBased team and to contribute to their success by reviewing and certifying the security of the smart contracts.

The statements made in this document should not be interpreted as investment or legal advice, nor should its authors be held accountable for decisions made based on them.