Cronus Audit Report

Copyright © 2022 by Verilog Solutions. All rights reserved.

June 15, 2022

by Verilog Solutions

This report presents our engineering engagement with Cronus Finance, a decentralized exchange deployed on the EVMOS ecosystem. Cronus Finance is an AMM DEX with liquidity mining rewards. Cronus Finance has its own governance token, $CRN, which can be staked into $sCRN and earn staking rewards denominated in stablecoin.

Project NameCronus Finance Protocol
Repository Linkhttps://github.com/cronus-finance/cronus-core/tree/main
Commit Hash06820480fcf5bfe6906d5ddae0ff52f3e0907d0f
Language Solidity
ChainEVMOS

About Verilog Solutions

Founded by a group of cryptography researchers and smart contract engineers in North America, Verilog Solutions elevates the security standard for Web3 ecosystems by being a full-stack Web3 security firm covering smart contract security, consensus security, and operational security for Web3 projects.

Verilog Solutions team works closely with major ecosystems and Web3 projects and applies a quality above quantity approach with a continuous security model. Verilog Solutions onboards the best and most innovative projects and provides the best-in-class advisory service on security needs, including on-chain and off-chain components.

Table of Contents

Service Scope

Service Stages

Our auditing service includes the following two stages:

  1. Pre-Audit Consulting Service
    • As a part of the pre-audit service, the Verilog team worked closely with the project development team to discuss potential vulnerability and smart contract development best practices. Verilog team is very appreciative of establishing an efficient and effective communication channel with the project team, as new findings are often exchanged promptly and fixes were deployed quickly, during the preliminary report stage.
  1. Smart Contract Auditing Service
    • Verilog Solutions team analyzed the entire project using a detailed-oriented approach to capture the fundamental logic and suggested improvements to the existing code. Details can be found under Findings & Improvement Suggestions

Methodology

  • Code Assessment
    • We evaluate the overall quality of the code and comments as well as the architecture of the repository.
    • We help the project dev team improve the overall quality of the repository by providing suggestions on refactorization to follow the best practice of Web3 software engineering.
  • Code Logic Analysis
    • We dive into the data structures and algorithms in the repository and provide suggestions to improve the data structures and algorithms for the lower time and space complexities.
    • We analyze the hierarchy among multiple modules and the relations among the source code files in the repository and provide suggestions to improve the code architecture with better readability, reusability, and extensibility.
  • Business Logic Analysis
    • We study the technical whitepaper and other documents of the project and compare its specification with the functionality implemented in the code for any potential mismatch between them.
    • We analyze the risks and potential vulnerabilities in the business logic and make suggestions to improve the robustness of the project.
  • Access Control Analysis
    • We perform a comprehensive assessment of the special roles of the project, including their authorities and privileges.
    • We provide suggestions regarding the best practice of privilege role management according to the standard operating procedures (SOP).

Audit Scope

Our auditing for Cronus Finance covered the following components:

  • AMM DEX
  • Liquidity Mining Farm
  • $CRN Token
  • Stable Cronus Staking
File Name
.\contracts\CronusFactory.sol
.\contracts\CronusPair.sol
.\contracts\CronusRouter02.sol
.\contracts\CronusToken.sol
.\contracts\LPToken.sol
.\contracts\MasterChefCronus.sol
.\contracts\MathUtils.sol
.\contracts\MoneyMaker.sol
.\contracts\StableCronusStaking.sol
.\contracts\weth.sol
.\contracts\interfaces\IAllowlist.sol
.\contracts\interfaces\ICronusCallee.sol
.\contracts\interfaces\ICronusERC20.sol
.\contracts\interfaces\ICronusFactory.sol
.\contracts\interfaces\ICronusPair.sol
.\contracts\interfaces\ICronusRouter01.sol
.\contracts\interfaces\ICronusRouter02.sol
.\contracts\interfaces\IERC20.sol
.\contracts\interfaces\ISwap.sol
.\contracts\interfaces\IWEVMOS.sol
.\contracts\libraries\BoringERC20.sol
.\contracts\libraries\CronusLibrary.sol
.\contracts\libraries\Math.sol
.\contracts\libraries\OwnablePausable.sol
.\contracts\libraries\SafeERC20.sol
.\contracts\libraries\SafeMath.sol
.\contracts\libraries\TransferHelper.sol
.\contracts\libraries\UQ112x112.sol
.\contracts\multicall\BlockTimestamp.sol
.\contracts\multicall\IMulticall.sol
.\contracts\multicall\Multicall.sol
.\contracts\multicall\PeripheryValidation.sol
.\contracts\rewarder\BoringOwnable.sol
.\contracts\rewarder\SimpleRewarder.sol
.\contracts\test\ERC20.sol
.\contracts\test\ERC20test1.sol
.\contracts\test\ERC20test2.sol
.\contracts\test\MockERC20.sol

Project Summary

Cronus Finance is an AMM DEX deployed on the EVMOS ecosystem. A portion of Cronus Finance’s code is based on SushiSwap, which features liquidity mining rewards and governance token staking. It is worth noting that Cronus Finance also implemented new features such as a Stable Cronus Staking that converts LP fees into stablecoins and allows $sCRN holders to claim exchange fees denominated in stablecoins.

  1. AMM DEX

    The AMM DEX part of Cronus Finance is based on SushiSwap, which is based on the Uniswap V2. Users can add/remove liquidity and swap assets by interacting with the CronusRouter02.sol contract. For adding liquidity, CronusRouter02.sol will first check whether the pair exists. If the pair does not exist, A CronusPair.sol will be deployed by CronusFactory.sol. If the pair exists, CronusRouter02.sol will query the reserve of tokenA and tokenB of the pair by calling CronusLibrary contract. CronusRouter02.sol will then check whether the user is depositing the minimal amount of tokenA and tokenB to the pair. If the check passes, then CronusRouter02.sol will the tokenA and tokenB that the user is depositing to the CronusPair.sol contract of the pair. The CronusPair.sol contract of the pair will then mint LP tokens to the user, representing the liquidity provided by the user.

    For removing liquidity, CronusRouter02.sol will first query the address of the deployed CronusPair.sol for the pair by calling CronusLibrary contract. The CronusPair.sol contract of the pair will then transfer the LP token from the user to the CronusPair.sol contract of the pair. The CronusPair.sol contract of the pair will then burn the LP tokens and send the amount (corresponding to the amount of LP tokens and the reserves) of tokenA and tokenB to the user.

    For swapping tokens. CronusRouter02.sol will query the CronusLibrary contract for the number of tokens that the user should receive/send. CronusRouter02.sol will first query the address of the deployed CronusPair.sol for the first hop of pairs in the path by calling CronusLibrary contract. The CronusPair.sol contract of the pair will then transfer the token that needs to be swapped from the user to the CronusPair.sol contract of the first hop of pairs in the path. Then a low-level function _swap is called to swap tokens between the hops in the path.

  1. Liquidity Mining Farm

    The liquidity mining farm part of Cronus Finance is based on SushiSwap MasterChef contracts. The MasterChefCronus.sol mints new $CRN tokens at each call to the updatePool function. New $CRN tokens are minted to the developer address, treasury address, investor address, and the deployed MasterChefCronus.sol contract based on a proportion defined in the MasterChefCronus.sol contract. The proportions can be changed by the owner of the MasterChefCronus.sol contract.

    The owner of the MasterChefCronus.sol can add a new reward pool to the liquidity mining contract by calling add function. Each reward pool needs to be specified with three parameters: _allocPoint, _lpToken, _rewarder. _allocPoint determines the proportion of the $CRN liquidity mining rewards that the reward pool is allocated. _lpToken determines which LP token is accepted by the reward pool. _rewarder is optional and used when a reward pool has double rewards in $CRN and another token. The owner of MasterChefCronus.sol can also later adjust the _allocPoint and _rewarder parameters by calling set.

    The function updatePool will update the rewards metrics of a particular pool, specified by _pid. The updatePool function will calculate the amount of $CRN that should be minted based on the time of the last update for the particular pool, the amount of $CRN to be minted every second, and the allocation point of the particular pool. The function would then mint the $CRN tokens to the devAddr, treasuryAddr, investorAddr, and the liquidity mining contract itself. The amount of $CRN tokens minted is determined by devPercent, treasuryPercent, and investorPercent, which can be set by the owner of the liquidity mining contract. The number of $CRN that each share of LP token deposit is then calculated and stored in the reward pool data structure as accCronusPerShare.

    The function deposit handles the deposit of LP tokens into the liquidity mining pool. The deposit function will first call updatePool to update the rewards metrics for the reward pool to the latest state, corresponding to the latest timestamp. Then the deposit function will check whether the user has already deposited LP tokens into the reward pair. If the user has already deposited into the reward pair, the already accumulated rewards will be harvested and sent to the user. Then the deposit function will calculate and store rewardDebt for the user that is depositing LP tokens. rewardDebt is the amount of $CRN token accumulated to date, before the user’s deposit, for the amount of LP token that the user is depositing. Therefore, when calculating the amount of $CRN that the user is earning, the smart contract only needs to multiply the number of $CRN per share by the number of reward pool shares that the user holds, minus the rewardDebt for the user. The deposit function will also call the onCronusReward function of the rewarder contract associated with the reward pool, if available. Lastly, the deposit function will transfer the LP token from the user to the liquidity mining farm.

    The function withdraw handles the withdrawal of LP tokens from the liquidity mining pool. The withdraw function will first call updatePool to update the rewards metrics for the reward pool to the latest state, corresponding to the latest timestamp. Then the already accumulated rewards will be harvested and sent to the user. Then the withdraw function will calculate and store rewardDebt for the user that is depositing LP tokens. The withdraw function will also call the onCronusReward function of the rewarder contract associated with the reward pool, if available. Lastly, the withdraw function will transfer the LP token to the user from the liquidity mining farm.

  1. $CRN Token

    CronusToken.sol inherits SafeERC20.sol from OpenZepplin. CronusToken.sol has additional governance-related features such as delegateBySig delegates.

Findings & Improvement Suggestions

SeverityTotalAcknowledgedResolved
High333
Medium000
Low111
Informational843

High

  1. Critical State variables are not updated after critical operations
    SeverityHigh
    Sourcecontracts/MasterChefCronus.sol#L429;
    StatusResolved in commit 5508803e0acbf40688557a8e68342581810c2a30;
    • Description

      UserInfo.rewardDebt is not updated in MasterChefCronus.collectAllPoolRewards(). Attackers can call this function to drain the Cronus tokens in pool.

      MasterChefCronus.collectAllPoolRewards() loops through all pools and transfers rewards of each pool to the user. However, UserInfo.rewardDebtis not updated as expected. Because memory instead of storage is used when fetching UserInfo. So the userInfo that was updated inside the function is just a local copy of the original variable and thus the update has no impact on the state variable reward debt. UserInfo.rewardDebtstill remains unchanged after MasterChefCronus.collectAllPoolRewards().

      The user’s reward debt is not updated and remains unchanged after claiming rewards. The calculated claimable rewards will also stay unchanged. Users can get the same Cronus token rewards again even if they have claimed. The attacker can just call this function multiple times to drain the Cronus token in the pool.

    • Exploit Scenario

      Malloy stakes some tokens in the pool and accumulates some rewards. He then calls MasterChefCronus.collectAllPoolRewards() many times to drain all the Cronus tokens in the pool.

    • Recommendations

      Use storage instead of memory for UserInfo

      function collectAllPoolRewards() public {
      for (uint256 _pid = 0; _pid < poolInfo.length; _pid++) {
          PoolInfo memory pool = poolInfo[_pid];
          // * suggestion: use `storage` *
          UserInfo storage user = userInfo[_pid][msg.sender];
          updatePool(_pid);
          if (user.amount > 0) {
              // Harvest Cronus
              uint256 pending = user.amount.mul(pool.accCronusPerShare).div(1e12).sub(user.rewardDebt);
              safeCronusTransfer(msg.sender, pending);
              emit Harvest(msg.sender, _pid, pending);
          }
          user.rewardDebt = user.amount.mul(pool.accCronusPerShare).div(1e12);
  
          IRewarder rewarder = poolInfo[_pid].rewarder;
          if (address(rewarder) != address(0)) {
              rewarder.onCronusReward(msg.sender, user.amount);
          }
      }
  }

      In this way, UserInfo gets updated correctly and the function works as expected.

  1. Inter-contract state variables inconsistency
    SeverityHigh
    Sourcecontracts/MasterChefCronus.sol#L354;
    StatusResolved in commit 84e287b3512fee5fb308ab15c9603ce63ff9651e;
    • Description

      Reward amount of rewardercontract is not reset in emergencyWithdraw(). Rewards on the rewarder contract can still be claimed after the user withdraws all the staked tokens.

      MasterChefCronus.emergencyWithdraw() is a function for users to withdraw all the staked tokens and give up all the unclaimed rewards. All the rewards that the user has earned should be reset to zero and staked tokens are transferred back to the user. However, the reward amount on the rewarder contract is not reset to zero. Users are still able to claim rewards from the rewarder contract after they emergency withdraw all the staked tokens.

    • Exploit Scenario
      • Attacker Mallory takes a flash loan.
      • Deposits x LP tokens into any double reward farm. He then
      • Emergency withdraws his LP tokens.
      • Deposits a single LP token back into the same farm and waits n number of days.
      • Harvests the bonus reward
      • Mallory now has rewards as he has x number of LP tokens instead of 1 LP token.
    • Recommendations

      Fix the mistake in emergencyWithddraw()function, clear user data in rewardercontract.

      /// @notice Withdraw without caring about rewards. EMERGENCY ONLY.
  /// @param pid The index of the pool. See `poolInfo`.
  function emergencyWithdraw(uint256 pid) external nonReentrant {
      PoolInfo memory pool = poolInfo[pid];
      UserInfo storage user = userInfo[pid][msg.sender];
      uint256 amount = user.amount;
      user.amount = 0;
      user.rewardDebt = 0;
      // * suggestion: update amount of rewarder contract *
      IRewarder _rewarder = pool.rewarder;
      if (address(_rewarder) != address(0)) {
          _rewarder.onCronusReward(msg.sender, 0);
      }
  
      // Note: transfer can fail or succeed if `amount` is zero.
      pool.lpToken.safeTransfer(msg.sender, amount);
      emit EmergencyWithdraw(msg.sender, pid, amount);
  }
  1. Critical State variables are not updated after critical operations
    SeverityHigh
    Sourcecontracts/StableCronusStaking.sol#L287;
    Statusresolved in commit 4909443408e4c01ef17684455f8dd021de4547ec;
    • Description

      A critical variable used to calculate rewards is not updated in StableCronusStaking.emergencyWithdraw(). It will result in incorrect calculation of rewards and may cause the calls on critical functions to fail.

      internalCronusBalanceis a variable used to track the balance of Cronus tokens. It should be updated every time the Cronus token is transferred to/from the current contract. In emergencyWithdraw(), the amount is not deducted from the internalCronusBalance when the Cronus token is transferred from this contract to users. The internalCronusBalance will be bigger than it should be.

      internalCronusBalanceis used to calculate rewards in function StableCronusStaking.pendingReward(). The inaccurate internalCronusBalance will result in incorrect rewards calculation as well. The reward will be smaller than it should be. Besides, this may also cause the reward calculation to revert on subtraction underflow (it deducts internalCronusBalance from the token balance), which will make calls to deposit(), addRewardToken(),removeRewardToken(), withdraw()fail because of the revert on updateReward().

    • Exploit Scenario

      Because of the Incorrect internal Cronus token balance tracking, the amount of Cronus token rewards Alice can claim is smaller than it should be.

    • Recommendations

      update the internalCronusBalance inside StableCronusStaking.emergencyWithdraw().

      function emergencyWithdraw() external {
      UserInfo storage user = userInfo[_msgSender()];
  
      uint256 _amount = user.amount;
      user.amount = 0;
      uint256 _len = rewardTokens.length;
      for (uint256 i; i < _len; i++) {
          IERC20 _token = rewardTokens[i];
          user.rewardDebt[_token] = 0;
      }
      // *suggestion: update internalCronusBalance*
      internalCronusBalance = internalCronusBalance.sub(_amount);
      
      CRN.safeTransfer(_msgSender(), _amount);
      emit EmergencyWithdraw(_msgSender(), _amount);
  }

Medium

None ; )

Low

  1. Gas-inefficient array operations
    SeverityLow
    Sourcecontracts/StableCronusStaking.sol#L198;
    Statusresolved in commit 9fe1b898da869d3c22fdb9757becd062b50219ba;
    • Description

      In order to remove one reward token, removeRewardToken() function loops through all the reward tokens. Loop can be avoided by using more optimized data structures. It would cost extra unneeded time.

      function removeRewardToken(IERC20 _rewardToken) external onlyOwner {
      require(isRewardToken[_rewardToken], "StableCronusStaking: token can't be removed");
      updateReward(_rewardToken);
      isRewardToken[_rewardToken] = false;
      uint256 _len = rewardTokens.length;
      for (uint256 i; i < _len; i++) {
          if (rewardTokens[i] == _rewardToken) {
              rewardTokens[i] = rewardTokens[_len - 1];
              rewardTokens.pop();
              break;
          }
      }
      emit RewardTokenRemoved(address(_rewardToken));
  }
    • Exploit Scenario

      N/A

    • Recommendations

      Use EnumerableSet (See code below). tokenIndexcan also serve as isRewardTokento further save gas. All require(isRewardToken[_token])should change to require(tokenIndex[_token] != 0).

      mapping(IERC20 => uint256) tokenIndex;
  //mapping(IERC20 => bool) isRewardToken;  // removed
  function addRewardToken(IERC20 _rewardToken) external onlyOwner {
      uint256 valueIndex = tokenIndex[_rewardToken]; // 0 index is reserve as null identifier
      require(valueIndex, "StableCronusStaking: rewardToken already exists.");
      
      rewardTokens.push(_rewardToken);
      tokenIndex[_rewardToken] = rewardTokens.length;
      
      updateReward(_rewardToken);
      emit RewardTokenAdded(address(_rewardToken));
  }
  function removeRewardToken(IERC20 _rewardToken) external onlyOwner {
      uint256 valueIndex = tokenIndex[_rewardToken];
      require(valueIndex, "StableCronusStaking: rewardToken does not exist.");
      
      updateReward(_rewardToken);
      
      uint256 toDeleteIndex = tokenIndex[_rewardToken] - 1;
      uint256 lastIndex = rewardTokens.length - 1;
      
      if (lastIndex != toDeleteIndex) {
          address lastValue = rewardTokens[lastIndex]
          rewardTokens[toDeleteIndex] = lastValue;    // update last value to the removed value
          tokenIndex[lastValue] = valueIndex;    // update index
      }
      
      rewardTokens.pop();
      detele tokenIndex[_rewardToken];
      
      emit RewardTokenRemoved(address(_rewardToken));
  }

Informational

  1. Lack of Re-entrancy Guard for critical function with external dependency
    SeverityInformational
    Sourcecontracts/MasterChefCronus.sol(#L294, #L321, #L350, #L358);
    StatusUnresolved;
    • Description

      The snippets are following a proper check-effects-interaction pattern. However, attention should be paid to the external lptoken.safeTransfer and lptoken.safeTransferFrom that is interacted. Be cautious when adding support for tokens like ERC777 that have before after transfer hooks. It brings in reentrancy vulnerabilities even when following a check-effects-interaction pattern.

    • Exploit Scenario

      N/A

    • Recommendations

      Be cautious when adding support for new tokens. ReentrancyGaurd can be added to functions that contain interactions with the external token transfer.

    • Results

      The suggestion is not adopted

  1. Magic numbers
    SeverityInformational
    Sourcecontracts/StableCronusStaking.sol(#L106, #L187, #L218);
    StatusUnresolved;
    • Description

      There are several magic numbers (5e17, 25) used in the contracts.

      It’s a better practice to make those magic numbers constant variables and have sufficient comments on their usage, which can greatly improve code readability.

    • Exploit Scenario

      N/A

    • Recommendations

      Use constant state variables to represent those magic numbers.

    • Results

      Unresolved. The suggestion is not adopted.

  1. Naming issues
    SeverityInformational
    Sourcecontracts/StableCronusStaking.sol#L78;
    StatusResolved in commit 68790c5370be9411d2ac181a33088bf206c2b427;
    • Description

      event ClaimReward()does not follow the “noun + verb past participle” naming scheme.

    • Exploit Scenario

      N/A

    • Recommendations

      Events and indexed values of events can be used to monitor contract operations. Thus, event names similar to contract function names must keep best practice by using the “noun + verb past participle” naming scheme. Therefore, we suggest changing the event name to RewardClaimed.

  1. Missing indexed variables in event
    SeverityInformational
    Sourcecontracts/StableCronusStaking.sol#L84;
    StatusPartially resolved in commit 68790c5370be9411d2ac181a33088bf206c2b427;
    • Description

      event RewardTokenAdded(address token)and event RewardTokenRemoved(address token)do not index the added/removed token address.

      Events and indexed values of events can be used to monitor contract operations. It’s recommended to have events emitted on important function calls and index those critical variables.

    • Exploit Scenario

      N/A

    • Recommendations

      The indexed parameters for logged events will allow users/developers to search for these events using the indexed parameters as filters. We suggest adding indexed to keep the best practice of smart contract programming

  1. Unbounded gas usage in recursive function
    SeverityInformational
    Sourcecontracts/MoneyMaker.sol#L253;
    StatusUnresolved;
    • Description

      In _convertStep(), the recursive function will recuse all the input tokens until all of them are converted to tokenTo, however, if the bridgeOf(token)graph has a loop, the recursive function will be in a dead loop and revert due to out-of-gas. Example: The path of token bridges must not contain any loop (Say, A - B - C - A), otherwise the convert()will be in a dead loop.

    • Exploit Scenario

      As described above, under certain edge cases, convert()will be in a dead loop

    • Recommendations

      Check Directed Acyclic Graph(DAG) compliance before calling setBridge().

    • Results

      Unresolved. The suggestion is not adopted.

  1. Inconsistency in variable name and actual implementation
    SeverityInformational
    Sourcecontracts/MoneyMaker.sol;
    StatusResolved in commit 68790c5370be9411d2ac181a33088bf206c2b427;
    • Description

      wavaxis from Trader Joe XYZ’s implementation which is deployed on Avalanche. Using wavaxis a bit confusing in the code since Cronus is deployed on Evmos. The name is misleading and confusing to future developers.

    • Exploit Scenario

      N/A

    • Recommendations

      Use another name like wevmos

  1. Missing variables in events
    SeverityInformational
    Sourcecontracts/MoneyMaker.sol;
    StatusResolved in commit 68790c5370be9411d2ac181a33088bf206c2b427;
    • Description

      Events on updating state variables (SetDevAddr SetDevCut SetTokenTo) do not include the old values.

      Events are usually used to monitor contracts. Including old values in events emitted when there is a critical variable set to a new value is good practice. It can help monitor the state variable changing and have a track of the value change.

    • Exploit Scenario

      N/A

    • Recommendations
      event SetDevAddr(address indexed newDevAddr, address indexed oldDevAddr);
  event SetDevCut(uint256 indexed newDevCut, uint256 indexed oldDevCut);
  event SetTokenTo(address indexed newTokenTo, address indexed oldTokenTo);
  1. Missing error message
    SeverityInformational
    Sourcecontracts/CronusRouter02.sol;
    StatusUnresolved;
    • Description

      The majority of the require statement in the CronusRouer02.solhas no error message, which is not a good practice in smart contract programming. Missing require error messages may result in users do not understand why their transaction failed.

    • Exploit Scenario

      N/A

    • Recommendations

      Add error string to require statements in the CronusRouer02.sol

    • Results

      Unresolved. The suggestion is not adopted.

Access Control Analysis

We list the privileged roles that have special access to critical functions.

  1. CronusToken.sol
    • owner: mint new tokens.
    • keeper: update maxSupply limit.
  1. CronusFactory.sol
    • feeTo: the address that can receive the mint fee when the lp token is minted.
    • feeToSetter: set feeTo and feeToSetter address.
  1. MasterChefCronus.sol
    • owner :addand set pool.
    • admin: deposit token for a user.
  1. MoneyMaker.sol
    • auth: authorized address. It can set bridge, dev cut, dev address, tokenTo address. It can also convert pairs of tokens to tokenTo
    • owner: add/remove auth role.
  1. StableCronusStaking.sol
    • owner: add/remove reward token and set deposit fee percent.

Appendix I: Severity Categories

SeverityDescription
HighIssues that are highly exploitable security vulnerabilities. It may cause direct loss of funds / permanent freezing of funds. All high severity issues should be resolved.
MediumIssues that are only exploitable under some conditions or with some privileged access to the system. Users’ yields/rewards/information is at risk. All medium severity issues should be resolved unless there is a clear reason not to.
LowIssues that are low risk. Not fixing those issues will not result in the failure of the system. A fix on low severity issues is recommended but subject to the clients’ decisions.
InformationalIssues that pose no risk to the system and are related to the security best practices. Not fixing those issues will not result in the failure of the system. A fix on informational issues or adoption of those security best practices-related suggestions is recommended but subject to clients’ decision.

Appendix II: Status Categories

StatusDescription
UnresolvedThe issue is not acknowledged and not resolved.
Partially ResolvedThe issue has been partially resolved
AcknowledgedThe Finding / Suggestion is acknowledged but not fixed / not implemented.
ResolvedThe issue has been sufficiently resolved

Disclaimer

Verilog Solutions receives compensation from one or more clients for performing the smart contract and auditing analysis contained in these reports. The report created is solely for Clients and published with their consent. As such, the scope of our audit is limited to a review of code, and only the code we note as being within the scope of our audit detailed in this report. It is important to note that the Solidity code itself presents unique and unquantifiable risks since the Solidity language itself remains under current development and is subject to unknown risks and flaws. Our sole goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies. Thus, Verilog Solutions in no way claims any guarantee of security or functionality of the technology we agree to analyze.

In addition, Verilog Solutions reports do not provide any indication of the technologies proprietors, business, business model, or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project. Verilog Solutions has the right to distribute the Report through other means, including via Verilog Solutions publications and other distributions. Verilog Solutions makes the reports available to parties other than the Clients (i.e., “third parties”) – on its website in hopes that it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.