Unifi Protocol Passes SlowMist Audit

Unifi Protocol
Sep 24, 2020

Zero Critical Vulnerabilities Found

Unifi is extremely proud to announce we have successfully passed the SlowMist security audit and are making the full report publicly available.

The Unifi Protocol is a suite of interoperable smart contracts designed to provide the building blocks for the next generation of DeFi development on multiple blockchains. Our completely custom smart contracts were not cloned from Uniswap or any other platform, so security was a top priority. This is why the full code was submitted to the well-respected, independent auditing firm, SlowMist.

SlowMist: “No critical vulnerabilities found during the audit.”

To further build trust within the community, we will be examining some of the key findings from the audit. No critical vulnerabilities were identified during the audit. 1 high-risk issue was discovered, along with 5 lower-risk issues, all of which were promptly addressed and are considered fixed by the auditing team, as detailed in the report. Unifi is grateful to SlowMist for helping enhance the overall security of the protocol and offering suggestions to further refine efficiency.

SlowMist Security Audit

As can be seen from the Conclusion on page 26 of the report, all identified issues have been fixed. The following is reprinted directly from the report.

Audit Result: Passed

Audit Number: 0X002009230001

Audit Date: September 23, 2020

Audit Team: SlowMist Security Team

Summary Conclusion: In this Audit, 6 security issues were found, including 1 high-risk issue, 1 medium-risk issue, and 4 low-risk issues. At the same time, 6 suggestions for improvement were given. After communicating with the project party, all problems have been fixed or the risks are within acceptable limits.

SlowMist’s comprehensive review process used public and in-house automated analysis tools, as well as a manual analysis to look for any potential issues. Some of the potential vulnerabilities the Unifi Protocol was screened for include:

● Reentrancy attack and other Race Conditions

● Replay attack

● Reordering attack

● Short address attack

● Denial of service attack

● Transaction Ordering Dependence attack

● Conditional Completion attack

● Authority Control attack

● Integer Overflow and Underflow attack

● TimeStamp Dependence attack

● Gas Usage, Gas Limit and Loops

● Redundant fallback function

● Unsafe type Inference

● Explicit visibility of functions state variables

● Logic Flaws

● Uninitialized Storage Pointers

● Floating Points and Numerical Precision

● tx.origin Authentication

● “False top-up” Vulnerability

● Scoping and Declarations

Section 4.1 of the report includes a complete and detailed list of all the possible functions coded into the smart contracts. This comprehensive list demonstrates Unifi’s inability to withdraw users’ funds without their permission.

Section 4.2 discusses the types of vulnerabilities typically discovered during an audit, ranging from Critical to Low-Risk.

Section 4.2.1 highlights that no critical vulnerabilities were found during the audit.

Section 4.2.2.1 Liquidity proof error calculation

The smart contracts were not able to support tokens with a precision of less than 6. This has been resolved, and tokens of any precision can now be supported.

Section 4.2.3.1 ERC777 reentry

This pointed out a potential vulnerability should the protocol be expanded to allow the use of ERC777 tokens in the future. SlowMist’s recommendation was adopted and the protocol is now prepared for this potential future expansion.

4.2.4.1 Setting wrong visibility to function

The function to view the “FeeState” of the contract was made compatible with all current versions of Solidity. This is now resolved.

4.2.4.2 Missing event

This made it harder to search for historical data on the blockchain. This is now resolved and historic FeeState events can be more easily viewed on chain.

4.2.4.3 Parameter not used

An unused parameter was found. This is now resolved.

4.2.4.4 The function restricted to view uses msg.value

An information type mismatch was identified. This is now resolved.

4.2.5 Enhancement Suggestions

The SlowMist auditing team offered some suggestions that would further optimize the efficiency of the Unifi Protocol smart contracts. These were addressed and adopted as appropriate.

While many unaudited DeFi platforms suffer from fatal hacks or exit scams, Unifi’s innovative and fully audited smart contracts provide users with a more robust and secure DeFi experience. As more products and services begin utilizing the Unifi Protocol as their foundational architecture, Unifi is fast becoming the recognized and trusted standard within the broader DeFi community.

The complete SlowMist Contract Security Audit Report for the Unifi Protocol is available and can be viewed by clicking the link here.

Unifi Protocol’s website can be found at https://www.unifiprotocol.com/. You can also connect to the Unifi community on Telegram, Twitter, or Medium. Developers — check out our bounty list to develop on the Unifi Protocol at https://gitcoin.co/issue/sesame-seed/Quest/1/100023698
