HederaStarter’s Audit Report: We Passed With Flying Colors!

Conor Devlin
Published in HStarter, May 3, 2022

Stay tuned for a Youtube video on our channel which explains this audit so you don’t have to do all this boring reading ;)

Howdy, my fellow HBARbarians!

The deed has been done and HederaStarter has been audited not once, but twice! For our first round of audits, we partnered with our good friends over at Hacken.io! Hacken themselves are major players in the space and have audited many of the largest incubators and launchpads like Polkastarter and DAO Maker. They provide major cybersecurity support to industry-leading centralized exchanges like Kucoin and FTX. Hacken also works alongside major cryptos like Chainlink, Avalanche and many others. It’s safe to say that we are quite confident in Hacken’s abilities!

Also, to quote Hacken's About Us page:

“Hacken was founded in 2017 in Kyiv, Ukraine by security specialists and hackers to deliver cybersecurity solutions to companies and individuals, making histories of success. From the very beginning, we have been considering security and privacy as part of human rights. Now we have about 300 successful cases of providing our services to businesses, including bug bounty programs, penetration testing and more.

Now Hacken is a leading cybersecurity consulting company with an essential focus on blockchain security. Hacken Cybersecurity Services is a part of Hacken Group, including CER.live, HackenAI, and HackenProof. From June 2020, CER.live is the unique cybersecurity data provider for CoinGecko Trust Score.”

Anyway, enough backstory; let's see the goods!

Hacken.io performed two audits on our smart contracts, first on the 28th of March 2022, and then again on the 6th of April 2022. The first report is found here, and the second is found here.

The First Audit Results

All of this information can be found in the full audit report; what follows is a summary.

The contracts audited by Hacken were staking, pool, proxy and whitelist contracts. The platform was EVM and the language Solidity. The audit began on the 21st of March and ended on the 28th of March. Hacken's overall scoring methodology can be found here.

Documentation quality

The Customer provided the description of functions, events, and states. However, neither functional requirements nor technical documentation (flows, sequences, diagrams, tech specs) was provided. The total Documentation Quality score is 4 out of 10.

Code quality

The total Code Quality score is 6 out of 10. Hacken noted code duplication, no NatSpec annotations, no comments throughout the code, and code style guidelines not being followed; unit tests were provided.

Architecture quality

The architecture quality score is 6 out of 10. The logic is split by files. Functions are overwhelmed with template code that could be moved to separate functions and be reused.

Security score

As a result of the audit, security engineers found 1 medium and 7 low severity issues. The security score is 8 out of 10. All found issues are displayed in the “Issues overview” section.

Summary Score

Based on the above scoring our overall composite score was a 7.2 for the first pass, so roughly a passing grade! Not too bad…

Findings

There were no critical or high severity issues found in the code but there was one medium severity issue and 7 low severity issues which can be found in detail in the first audit report here.

Now onto the second audit, in which we addressed everything Hacken flagged! The team took some time to review all of the findings and the recommendations on what to fix, then immediately got to work rectifying the issues. Here are the results of their hard work!

The Second Audit Results

All of this information can be found in the full audit report; what follows is a summary.

The contracts audited by Hacken were staking, pool, proxy and whitelist contracts. The platform was EVM and the language Solidity. This second audit began on the 31st of March and ended on the 6th of April. Hacken's overall scoring methodology can be found here.

Documentation quality

The Customer provided the description of functions, events, and states. However, neither functional requirements nor technical documentation (flows, sequences, diagrams, tech specs) was provided. The total Documentation Quality score is 4 out of 10.

Code quality

The total Code Quality score is 6 out of 10. Hacken noted code duplication, no NatSpec annotations, no comments throughout the code, and code style guidelines not being followed; unit tests were provided.

Architecture quality

The architecture quality score is 6 out of 10. The logic is split by files. Functions are overwhelmed with template code that could be moved to separate functions and be reused.

Security score

As a result of the audit, security engineers found 1 low severity issue. The security score is 10 out of 10. All found issues are displayed in the “Issues overview” section.

Summary Score

Based on the above scoring, our overall composite score was an 8.6 for the second pass, and hey, that's almost an A!

Findings

There were no critical or high severity issues found in the code. The medium issue found in the previous audit was addressed and fixed, and 6 of the 7 low severity issues were addressed and fixed. The only issue not immediately addressed was the Solidity compiler version: the developers were using an older version of Solidity, and as Hacken states:

It is always recommended to use the latest stable version of the compiler. Using an old compiler forces one to use the outdated openzeppelin libraries, which do not include the latest updates.
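To make that recommendation checkable rather than a one-off audit remark, here is a small Python script, added as an illustration and not part of the original post or of HederaStarter's code, that scans Solidity sources for their `pragma solidity` line and flags any file whose pragma admits a compiler older than a chosen floor (or has no pragma at all). The file names and contents below are constructed sample inputs, and the `0.8.0` floor is an assumed policy value.

```python
import re
from typing import Optional

# Constructed sample sources (not HederaStarter's contracts): one with an old
# floating pragma, one pinned to a newer compiler, one with no pragma at all.
SAMPLE_SOURCES = {
    "Staking.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.6.12;\ncontract Staking {}\n",
    "Pool.sol": "// SPDX-License-Identifier: MIT\npragma solidity 0.8.13;\ncontract Pool {}\n",
    "NoPragma.sol": "contract Bare {}\n",
}

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def pragma_version(source: str) -> Optional[tuple]:
    """Return the lowest version number mentioned in the file's solidity pragma.

    For a range such as '>=0.7.0 <0.9.0' this is the lower bound, which is the
    oldest compiler the pragma would accept; returns None when there is no pragma.
    """
    m = PRAGMA_RE.search(source)
    if not m:
        return None
    versions = [tuple(int(x) for x in v) for v in VERSION_RE.findall(m.group(1))]
    return min(versions) if versions else None


def outdated_pragmas(sources: dict, minimum: tuple = (0, 8, 0)) -> list:
    """Flag files whose pragma admits a compiler older than `minimum` or that lack a pragma.

    `minimum` is an assumed policy floor; adjust it to the compiler line the
    project actually targets. Returns (file name, reason) pairs in source order.
    """
    findings = []
    for name, src in sources.items():
        v = pragma_version(src)
        if v is None:
            findings.append((name, "no version pragma"))
        elif v < minimum:
            findings.append((name, "allows compiler %d.%d.%d < minimum %d.%d.%d" % (v + minimum)))
    return findings


if __name__ == "__main__":
    for name, reason in outdated_pragmas(SAMPLE_SOURCES):
        print(f"{name}: {reason}")
```

Run against a real repository, the dictionary would be built from the `.sol` files on disk; wiring the check into CI turns "use the latest stable compiler" into a rule that fails the build when an old pragma slips back in, and the same floor can be applied to the pinned OpenZeppelin package version so the two stay in step.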

Conclusion

So what do both of these audits mean? Well, we’ve gone out, had the contracts examined, found some issues, and then gotten nearly all of them addressed and fixed! Now, based on the auditor’s comments, it looks like our developers may need to go back and begin adding a lot more comments and make the contract code a bit more efficient and easy to read!

We’re excited that we can finally publish the audit results and are examining potential future auditors to re-examine our code in the coming months so stay tuned for that!

Follow HederaStarter’s social media channels to stay up to date with the latest news:
