Monerium: audit summary
Monerium is a financial technology company with the mission of making digital currency accessible, secure, and simple to transact. It is the first Electronic Money Institution (EMI) licensed to issue fiat currencies onto blockchains. Monerium is authorized in the 27 European Union Member States, Iceland, Liechtenstein and Norway.
Monerium engaged Ackee Blockchain to perform a security review of the Monerium protocol with a total time donation of 12 engineering days in a period between June 15 and July 4, 2023.
REGULATIONS IN CRYPTO
Monerium EMI ehf. is authorized and regulated as and Electronic Money Institution under the Icelandic Electronic Money Act №17/2013 which implements the European Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions.
The importance of crypto regulations became clear as Markets in Crypto-Assets Regulation (MiCA) was introduced. MiCA is a regulatory framework proposed by the European Commission to address the growing use of cryptocurrencies and other crypto-assets within the European Union (EU) which entered into force in June 2023. One of the outcomes of MiCA is a requirement on regular audits (every six months) by independent (3rd party) auditors, such as Ackee Blockchain.
METHODOLOGY
We began our review by using static analysis tools, namely Woke . We then took a deep dive into the logic of the contracts. For testing, we have involved Woke testing framework. During the review, we paid special attention to:
- ensuring the access controls are not too relaxed or too strict
- identification of potential reentrancies in the code
- verification of the system’s arithmetic integrity
- detection of common problems, including data validation issues
- compliance with the best practices.
SCOPE
The scope of the audit covered all contracts in the protocol, commit 2ff1709 .
FINDINGS
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
M1: Access control architecture
M4: Unchecked return values
M5: Missing decimals validation
Low severity
L1: Missing validations
Warning severity
W1: Impossible to remove bridgeFrontend
W2: Unprotected functions
W6: Multiple compiler versions
Informational severity
I4: Unnecessary SafeMath
I6: Inconsistent uint syntax
CONCLUSION
Our review resulted in 18 findings, ranging from to severity. The most severe ones are related to ownership, access control and data validations. These issues aren’t a direct threat but they can create vulnerabilities due to human errors in the future. Of particular concern is the owner’s multi-sig scheme of 2/6, which is severely weak.
The overall code quality and architecture are not the best and contain many violations of Solidity development best practices like data validations, unused code, naming conventions, etc.
Ackee Blockchain recommends Monerium to:
- increase owner’s multi-sig threshold
- review and fix the access control architecture
- ensure return values are always validated
- separate production contracts from testing contracts, * remove unused code from the codebase
- address all other reported issues.
UPD: The review was done on the given commit: 3477259 . Monerium fixed all medium-severity issues and the multi-sig scheme has been increased to 3/6. The only acknowledged issue L1 is not addressed because of the planned redesign.
The updated fix review was done on the commit 40c7c17, which reverts the fix of M5: Missing decimals validation. The client decided to only acknowledge the issue due to the low likelihood and complicated upgrade/migration process of TokenStorage contract.
Ackee Blockchain’s full Monerium audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Monerium and look forward to working with them again with them.
Originally published at https://ackeeblockchain.com on August 24, 2023.
