Vidma team has conducted a smart contract audit for the given codebase.
The contract is well written and structured. Based on the findings we can conclude that the contract is fully production-ready.
During the auditing process, Vidma team has found several issues, including issues with critical severity. Mostly every issue was resolved by the POP Network team. The only issue that is still unresolved has an informational level of severity and does not affect the security or performance side of the contract.
Evaluating the findings, we can assure that the contract is safe to use and all the issues found are performed only by certain conditions and cases. Under the given circumstances we can set the following risk level:
Vidma auditors are evaluating the initial commit given for the scope of the audit and the last commit with the fixes. Hence, it helps to adequately evaluate the development quality.
Based on the given findings, risk level, performance, and code style, Vidma team can grant the following overall score:
Vidma auditing team has conducted a bunch of integrated autotests to ensure that the given codebase has decent performance and security levels. The test results and the coverage can be found in the accompanying section of this audit report.
Please mind that this audit does not certify the definite reliability and security level of the contract. This document describes all vulnerabilities, typos, performance issues, and security issues found by Vidma auditing team. If the code is under development, we recommend run one more audit once the code is finalized.
POP Network is a user-friendly ecosystem of blockchain and AI applications built to power the streaming economy. Their vision is a universal system for turning attention into real-world goods and services.
Within the scope of this audit, two independent auditors deeply investigated the given codebase and analyzed the overall security and performance of smart contracts.
The debrief took place on Jun 23rd, 2021 and the final results are present in this document
Vidma auditing team has made a review of the following contract:
The source code was taken from the following source:
https://github.com/popnetwork/pop-staking-smart-contract/
Last commit:
94ff45f72cf4bf95d04e3ef4a41c0eacd4a0fbed
To conduct a more detailed audit, POP Network has provided the following documentation:
https://docs.google.com/document/d/1tgg_rYItXD3_lBKJYe1B6rKS1vbQRy610eRn2QAhYu8/edit
During the manual phase of the audit, Vidma team manually looks through the code in order to find any security issues, typos, or discrepancies with the logic of the contract.
Within the testing part, Vidma auditors run integration tests using the Truffle testing framework. The test coverage and the tests themselves are inserted into this audit report.
Vidma team uses the most sophisticated and contemporary methods and techniques to ensure the contract does not have any vulnerabilities or security risks:
For the convenience of reviewing the findings in this report, Vidma auditors classified them in accordance with the severity of the issues. (from most critical to least critical). The acceptance criteria are described below.
All issues are marked as "Resolved" or "Unresolved", depending on whether they have been fixed by POP Network or not. The latest commit, indicated in this audit report should include all the fixes made.
To ease the explanation, the Vidma team has provided a detailed description of the issues and recommendations on how to fix them.
Hence, according to the statements above, we classified all the findings in the following way:
Critical | Resolved
Entire contract depends on this function, but little or no details were provided on how often this func will be called, what conditions, what limits of each user, how many users, etc.
Additionally, this function actually contains two actions: users pending info update and pop per block calculation.
Worth to mention, that right now devaddr has too much power.
If this is expected behavior (for example davaddr is a contract), please provide as many details as possible how users’ funds are protected and stake pool is fair. And it would be better to do pop per block calculation “on the fly”, more details on this in next issue.
Pop masternode running time is logged in backend and backend cron job will call updatePendingInfo function everyday with the updated Info with dev address permission.
Critical | Resolved
Function tokenTransfer allows the owner of the contract to transfer all pop tokens from the balance of the staking contract to any address.
Set these tokens to be not salvageable.
Fixed.
High | Resolved
It is updated only on updatePendingInfo call. If, for any reason, the call does not happen in time – popPerBlock becomes outdated.
Additionally:
Do calculation of popPerBlock automatically, example:
Fixed.
Medium | Resolved
There are several options of improvements, based on popPerBlock calculation improve.
Fixed.
Medium | Resolved
Functions deposit / withdraw have no check for an amount equal to 0.
Functions deposit / withdraw have no check for an amount equal to 0.
Fixed.
Medium | Resolved
In constructor at line 61 no need to initialize popPerBlock variables, since it’s already been initialized by default.
Remove line #61:
Fixed.
Informational | Unresolved
Function getMultiplier simply subtracts one number from another. It has no practical use for the end-user.
It should return user reward multiplier instead:
Informational | Resolved
Trust in smart contracts can be better established if their source code is available. Since making source code available always touches on legal problems with regards to copyright, the Solidity compiler encourages the use of machine-readable SPDX license identifiers.
Every source file should start with a comment indicating its license.
Example:
Fixed.
To verify the contract security and performance a bunch of integration tests were made using the Truffle testing framework.
Tests were based on the functionality of the code, business logic, and requirements and for the purpose of finding the vulnerabilities in the contacts.
In this section, we provide both tests written by POP Network and Vidma auditors.
POP Network Coverage – 72.41%
Vidma Coverage – 100%
Industry Standard – 95%
It’s important to note that Vidma auditors do not modify, edit or add tests to the existing tests provided in the POP Network repo. We write totally separate tests with code coverage of a minimum of 95%, to meet the industry standards.
We are delighted to have a chance to work together with POP Network team and contribute to their success by reviewing and certifying the security of the smart contracts.
The statements made in this document should not be interpreted as investment or legal advice, nor should its authors be held accountable for decisions made based on them.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.