Celo Contracts Audit - PR#9740

Copyright © 2022 by Verilog Solutions. All rights reserved.

Sept 20, 2022

by Verilog Solutions

This report presents our engineering engagement with the Celo dev team on the Celo contracts audit for PR#9740.

Project NameCelo Contracts Audit - PR#9740
Repository Linkhttps://github.com/celo-org/celo-monorepo
CommitPR#9740 up to commit 4bf959b
Language Solidity
ChainCelo

About Verilog Solutions

Founded by a group of cryptography researchers and smart contract engineers in North America, Verilog Solutions elevates the security standards for Web3 ecosystems by being a full-stack Web3 security firm covering smart contract security, consensus security, and operational security for Web3 projects.

Verilog Solutions team works closely with major ecosystems and Web3 projects and applies a quality above quantity approach with a continuous security model. Verilog Solutions onboards the best and most innovative projects and provides the best-in-class advisory services on security needs, including on-chain and off-chain components.

Table of Contents

Audit Scope

File
packages/protocol/contracts/identity/interfaces/IOdisPayments.sol
packages/protocol/contracts/identity/OdisPayments.sol
packages/protocol/contracts/identity/proxies/OdisPaymentsProxy.sol

Findings & Improvement Suggestions

SeverityTotalAcknowledgedResolved
High000
Medium110
Low000
Informational111

High

None ; )

Medium

  1. Locked funds
    SeverityMedium
    Sourcepackages/protocol/contracts/identity/OdisPayments.sol#L63;
    CommitPR #9740;
    StatusAcknowledged;
    • Description

      Function OdisPayments.payInCUSD() allows users to transfer tokens to the contract but there are no other functions to withdraw them out of the contract. This causes tokens to get locked in the contract.

      The function OdisPayments.payInCUSD() let users send cUSD to the contract to pay for ODIS quota. Anyone can call this function to transfer cUSD to this contract and the mapping that tracks each address paid amount will be updated. However, there is no function in this contract that allows people to retrieve the tokens that are sent to the contract. cUSD will be locked in the contract.

    • Exploit Scenario
      1. Alice calls the payInCUSD() function to pay for her ODIS quota;
      1. She sends 3 cUSD to the contract;
      1. Now, no one is able to retrieve those tokens.
    • Recommendations

      Add a function that can retrieve tokens.

    • Results

      Acknowledged.

      Response from the ODIS team:

      The goal of this contract is to track all-time payments made from anyone, which will then be used to calculate quota by the ODIS service off-chain. We may upgrade the contract in the future to allow for transferring funds elsewhere, but for our purposes now, we want to essentially not allow any funds to flow out.”

Low

None ; )

Informational

  1. Magic Numbers
    SeverityInformational
    Sourcepackages/protocol/contracts/identity/OdisPayments.sol#L46;
    CommitPR #9740;
    StatusResolved in commit 4bf959b;
    • Description

      Function getVersionNumber() returns some magic numbers. Those magic numbers can be replaced by constants for better understanding.

    • Exploit Scenario

      N/A.

    • Recommendations

      Define those magic numbers using the constant keyword.

    • Results

      Resolved in commit 4bf959b, thegetVersionNumber() function is deprecated.

Appendix I: Severity Categories

SeverityDescription
HighIssues that are highly exploitable security vulnerabilities. It may cause direct loss of funds / permanent freezing of funds. All high severity issues should be resolved.
MediumIssues that are only exploitable under some conditions or with some privileged access to the system. Users’ yields/rewards/information is at risk. All medium severity issues should be resolved unless there is a clear reason not to.
LowIssues that are low risk. Not fixing those issues will not result in the failure of the system. A fix on low severity issues is recommended but subject to the clients’ decisions.
InformationalIssues that pose no risk to the system and are related to the security best practices. Not fixing those issues will not result in the failure of the system. A fix on informational issues or adoption of those security best practices-related suggestions is recommended but subject to clients’ decision.

Appendix II: Status Categories

StatusDescription
UnresolvedThe issue is not acknowledged and not resolved.
Partially ResolvedThe issue has been partially resolved.
AcknowledgedThe Finding / Suggestion is acknowledged but not fixed / not implemented.
ResolvedThe issue has been sufficiently resolved.

Disclaimer

Verilog Solutions receives compensation from one or more clients for performing the smart contract and auditing analysis contained in these reports. The report created is solely for Clients and published with their consent. As such, the scope of our audit is limited to a review of code, and only the code we note as being within the scope of our audit is detailed in this report. It is important to note that the Solidity code itself presents unique and unquantifiable risks since the Solidity language itself remains under current development and is subject to unknown risks and flaws. Our sole goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies. Thus, Verilog Solutions in no way claims any guarantee of security or functionality of the technology we agree to analyze.

In addition, Verilog Solutions reports do not provide any indication of the technologies proprietors, business, business model, or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project. Verilog Solutions has the right to distribute the Report through other means, including via Verilog Solutions publications and other distributions. Verilog Solutions makes the reports available to parties other than the Clients (i.e., "third parties") – on its website in hopes that it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.