Unifi Protocol Passes SlowMist Audit
Zero Critical Vulnerabilities Found
Unifi is extremely proud to announce we have successfully passed the SlowMist security audit and are making the full report publicly available.
The Unifi Protocol is a suite of interoperable smart contracts designed to provide the building blocks for the next generation of DeFi development on multiple blockchains. Our completely custom smart contracts were not cloned from Uniswap or any other platform, so security was a top priority. This is why the full code was submitted to the well-respected, independent auditing firm, SlowMist.
SlowMist: “No critical vulnerabilities found during the audit.”
To further build trust within the community, we will be examining some of the key findings from the audit. No critical vulnerabilities were identified during the audit. 1 high-risk issue was discovered, along with 5 lower-risk issues which were all promptly addressed and considered fixed by the auditing team as detailed in the report. Unifi is grateful to SlowMist for helping enhance the overall security of the protocol and offering suggestions to further refine efficiency.
Report summary
As can be seen from the Conclusion on page 26 of the report, all identified issues have been fixed. The following is reprinted directly from the report.
Audit Result: Passed
Audit Number: 0X002009230001
Audit Date: September 23, 2020
Audit Team : SlowMist Security Team
Summary Conclusion: In this Audit, 6 security issues were found, including 1 high-risk issue, 1 medium-risk issue, and 4 low-risk issues. At the same time, 6 suggestions for improvement were given. After communicating with the project party, all problems have been fixed or the risks are within acceptable limits.
Audit Methodology
SlowMist’s comprehensive review process used public and in-house automated analysis tools, as well as a manual analysis to look for any potential issues. Some of the potential vulnerabilities the Unifi Protocol was screened for include:
● Reentrancy attack and other Race Conditions
● Replay attack
● Reordering attack
● Short address attack
● Denial of service attack
● Transaction Ordering Dependence attack
● Conditional Completion attack
● Authority Control attack
● Integer Overflow and Underflow attack
● TimeStamp Dependence attack
● Gas Usage, Gas Limit and Loops
● Redundant fallback function
● Unsafe type Inference
● Explicit visibility of functions state variables
● Logic Flaws
● Uninitialized Storage Pointers
● Floating Points and Numerical Precision
● tx.origin Authentication
● “False top-up” Vulnerability
● Scoping and Declarations
Analysis of Key Audit Report Findings
Section 4.1 the report includes a complete and detailed list of all the possible functions coded into the smart contracts. This comprehensive list demonstrates Unifi’s inability to withdraw users’ funds without their permission.
Section 4.2 discusses the types of vulnerabilities typically discovered during an audit, ranging from Critical to Low-Risk.
Section 4.2.1 highlights that no critical vulnerabilities were found during the audit
Section 4.2.2.1 Liquidity proof error calculation
The smart contracts were not able to support tokens with less than 6 precision. This has been resolved and tokens with any number of precision can be supported.
Section 4.2.3.1 ERC777 reentry
This pointed out a potential vulnerability should the protocol be expanded to allow the use of ERC777 tokens in the future. SlowMist’s recommendation was adopted and the protocol is now prepared for this potential future expansion.
The following low-risk items were identified and resolved:
4.2.4.1 Setting wrong visibility to function
The function to view the “FeeState” of the contract was made compatible with all current versions of Solidity. This is now resolved.
4.2.4.2 Missing event
This made it harder to search for historical data on the blockchain. This is now resolved and historic FeeState events can be more easily viewed on chain.
4.2.4.3 Parameter not used
An unused parameter was found. This is now resolved.
4.2.4.4 The function restricted to view uses msg.value
An information type mismatch was identified. This is now resolved.
4.2.5 Enhancement Suggestions
The Slow Mist auditing team offered some suggestions that would further optimize the efficiency of the Unifi Protocol smart contracts. These were addressed and adopted as appropriate.
While many unaudited DeFi platforms suffer from fatal hacks or exit scams, Unifi’s innovative and fully audited smart contracts provide users with a more robust and secure DeFi experience. As more products and services begin utilizing the Unifi Protocol as their foundational architecture, Unifi is fast becoming the recognized and trusted standard within the broader DeFi community.
The complete SlowMist Contract Security Audit Report for the Unifi Protocol is available and can be viewed by clicking the link here.
Unifi Protocol’s website can be found at https://www.unifiprotocol.com/. You can also connect to the Unifi community on Telegram, Twitter, or Medium. Developers — check out our bounty list to develop on the Unifi Protocol at https://gitcoin.co/issue/sesame-seed/Quest/1/100023698
