Vidma is pleased to present this audit report outlining our assessment of code, smart contracts, and other important audit insights and suggestions for management, developers, and users.
The audited scope of work covers the MilestoneBased contract, a factory for creating Roadmap contracts. The main goal of the Roadmap contract is to preserve the investor's investment and distribute it to the startup. If the startup fails to comply with the agreement or begins to deceive investors, the investors can retrieve their investment through a DAO (the Voting contract). Each roadmap has its own Voting contract, which cannot be changed. Anyone can create a proposal with at least two options. Each option describes the contracts that need to be called and encodes the function signature together with the parameters to be used for the call. Voting decides which proposal option is executed based on the voters' votes. Voters obtain voting rights through the RoadmapStaking contract: they stake the selected ERC20 token and receive voting power equal to the amount of tokens staked (1:1 ratio). The voting logic is implemented in the VotingPowerCalculator contract, so it can be changed without affecting the Voting contract; all contracts follow the TransparentUpgradeableProxy pattern from the OpenZeppelin library.
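To make the described flow concrete, the following sketch is an added example written for this report's readers; it is not code from the milestoneBased repository, and every name in it (ProposalVotingSketch, Option, createProposal, vote, execute) is a hypothetical stand-in. It shows the three mechanics the paragraph describes: a proposal must carry at least two options, each option is an encoded call (target address plus ABI-encoded function signature and arguments), and voting power equals the staked token amount 1:1.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC20 surface needed for staking (assumption: a standard ERC20 token).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @notice Illustrative sketch, not the audited milestoneBased code.
/// Proposals hold at least two options; each option is an encoded external call;
/// voting power is the caller's staked balance (1:1).
contract ProposalVotingSketch {
    struct Option {
        address target;   // contract to call if this option wins
        bytes data;       // ABI-encoded function selector + arguments
        uint256 votes;    // accumulated voting power
    }

    struct Proposal {
        Option[] options;
        uint64 deadline;                    // after this timestamp the winner may be executed
        bool executed;
        mapping(address => bool) hasVoted;  // one vote per address per proposal
    }

    IERC20 public immutable stakeToken;
    mapping(address => uint256) public staked;          // voting power, 1:1 with staked tokens
    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    event ProposalCreated(uint256 indexed id, uint256 optionCount);
    event Voted(uint256 indexed id, address indexed voter, uint256 option, uint256 power);
    event Executed(uint256 indexed id, uint256 winningOption);

    constructor(IERC20 token) {
        stakeToken = token;
    }

    function stake(uint256 amount) external {
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        staked[msg.sender] += amount;
    }

    function unstake(uint256 amount) external {
        staked[msg.sender] -= amount;  // reverts on underflow (0.8.x checked arithmetic)
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
    }

    /// Anyone may create a proposal; it must carry at least two options.
    function createProposal(address[] calldata targets, bytes[] calldata calldatas, uint64 votingPeriod)
        external
        returns (uint256 id)
    {
        require(targets.length >= 2, "need >= 2 options");
        require(targets.length == calldatas.length, "length mismatch");
        id = proposalCount++;
        Proposal storage p = proposals[id];
        p.deadline = uint64(block.timestamp) + votingPeriod;
        for (uint256 i = 0; i < targets.length; i++) {
            p.options.push(Option({target: targets[i], data: calldatas[i], votes: 0}));
        }
        emit ProposalCreated(id, targets.length);
    }

    function vote(uint256 id, uint256 option) external {
        Proposal storage p = proposals[id];
        require(p.options.length != 0, "no such proposal");
        require(block.timestamp < p.deadline, "voting closed");
        require(option < p.options.length, "bad option");
        require(!p.hasVoted[msg.sender], "already voted");
        uint256 power = staked[msg.sender];
        require(power > 0, "no voting power");
        p.hasVoted[msg.sender] = true;
        p.options[option].votes += power;
        emit Voted(id, msg.sender, option, power);
    }

    /// After the deadline, execute the option with the most votes exactly once.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.options.length != 0, "no such proposal");
        require(block.timestamp >= p.deadline, "voting still open");
        require(!p.executed, "already executed");
        p.executed = true;  // effects before the external interaction
        uint256 winner = 0;
        for (uint256 i = 1; i < p.options.length; i++) {
            if (p.options[i].votes > p.options[winner].votes) winner = i;
        }
        Option storage o = p.options[winner];
        (bool ok, ) = o.target.call(o.data);
        require(ok, "option call failed");
        emit Executed(id, winner);
    }
}
```

Two design points a reviewer would check in any implementation of this shape: the `executed` flag is set before the external call so a re-entrant call cannot execute the winner twice, and the sketch deliberately omits any snapshot or lock on stake, so tokens could be unstaked after voting and staked again from another address; a production design (the report notes the project isolates this in VotingPowerCalculator) must pin voting power to a point in time or lock it for the proposal's duration.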
During the audit process, the Vidma team found several issues. A detailed summary and the current state are displayed in the table below.
After evaluating the findings in this report and the final state after fixes, the Vidma auditors can state that the contracts are fully operational and secure. Under the given circumstances, we set the following risk level:
To set the codebase quality mark, our auditors evaluate both the initial commit given for the scope of the audit and the last commit with the fixes. This approach lets us evaluate the quality of the code adequately and sequentially. Code style, optimization of the contracts, the number of issues, and the risk level of the issues are all taken into consideration. The Vidma team has developed a transparent codebase quality evaluation system, presented below.
Having evaluated the initial commit and the last commit with the fixes, the Vidma audit team set the following codebase quality mark.
Score
Based on the overall result of the audit and the state of the final reviewed commit, the Vidma audit team grants the following score:
In addition to manual checks and static analysis, the auditing team has conducted a number of integrated autotests to ensure the given codebase has an adequate performance and security level. The test results and coverage can be found in the accompanying section of this audit report.
Please be aware that this audit does not certify the definitive reliability and security level of the contract. This document describes all vulnerabilities, typos, performance issues, and security issues found by the Vidma audit team.
If the code is still under development, we highly recommend running one more audit once the code is finalized.
milestoneBased is the first company to leverage blockchain DAO and escrow smart contract capabilities in an automated governance and milestone achievement management platform.
Within the scope of this audit, two independent auditors thoroughly investigated the given codebase and analyzed the overall security and performance of the smart contracts.
The audit was conducted from March 15, 2023 to April 14, 2023. The outcome is disclosed in this document.
The final review of the fixes was finished on April 27, 2023.
The scope of work for the given audit consists of the following contracts:
The source code was taken from the following source:
https://bitbucket.org/applicature/milestonebased.contracts
Initial commit submitted for the audit:
4f559c59405f8727b2a6cdc291ad411c259e5bcd
Last commit reviewed by the auditing team:
58763f6bb93b2e78078a8605b1bb8b36ec63d3a4
As a reference to the contracts logic, business concept, and the expected behavior of the codebase, the milestoneBased team has provided the following documentation:
Vidma audit team uses the most sophisticated and contemporary methods and well-developed techniques to ensure contracts are free of vulnerabilities and security risks. The overall workflow consists of the following phases:
After the Audit kick-off, our security team conducts research on the contract’s logic and expected behavior of the audited contract.
Vidma auditors do a deep dive into your tech documentation with the aim of discovering all the behavior patterns of your codebase and analyzing the potential audit and testing scenarios.
At this point, the Vidma auditors are ready to kick off the process. We set the auditing strategies and methods and are prepared to conduct the first audit part.
During the manual phase of the audit, the Vidma team manually looks through the code in order to find any security issues, typos, or discrepancies with the logic of the contract. The initial commit as stated in the agreement is taken into consideration.
Static analysis tools are then used to find any vulnerabilities in the smart contracts that may have been missed during the manual check.
An interim report with the list of issues.
Within the testing part, Vidma auditors run integration tests using the Truffle or Hardhat testing framework. The test coverage and the test results are inserted in the accompanying section of this audit report.
Second interim report with the list of new issues found during the testing part of the audit process.
For simplicity in reviewing the findings in this report, Vidma auditors classify the findings according to the severity level of the issues (from most critical to least critical).
All issues are marked as “Resolved” or “Unresolved”, depending on whether they have been fixed by the project team. Issues with the “Not Relevant” status are left on the list of findings but are not eligible for score point deductions.
The latest commit with the fixes reviewed by the auditors is indicated in the “Scope of Work” section of the report.
The Vidma team always provides a detailed description of the issues and recommendations on how to fix them.
Classification of found issues is graded according to 6 levels of severity described below:
Low ML – 01 | Invalid
There are a few functions that could be optimized to return the result of a ternary operator directly, which reduces if-else branching:
Roadmap.sol
could be optimized to:
Voting.sol
could be optimized to:
Consider using ternary operators. This can decrease contract size (Roadmap: -0.004KiB, Voting: -0.006KiB).
Low ML – 02 | Resolved
There are a few functions that could be simplified to get boolean values directly without if-else branching:
EntityAccessControler.sol
could be optimized to:
Refund.sol
could be optimized to:
Consider removing if-else branching where the boolean expression itself yields the same value. This also decreases contract size (Refund: -0.039KiB; EntityAccessControler: -0.013KiB for every dependent contract: Refund, Roadmap, RoadmapStaking, Voting).
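The snippets the two findings above (ML-01 and ML-02) refer to are not reproduced here, so the following is an added illustration on hypothetical functions rather than code from the audited repository; the contract name, the state variables and the function names are all assumptions. It shows both refactorings side by side, with a view function that a reviewer can call to confirm the "before" and "after" forms return identical results for a given input.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// @notice Illustrative only, not code from the milestoneBased repository:
/// the two refactoring patterns recommended in ML-01 and ML-02.
contract BranchingExamples {
    mapping(address => uint256) public staked;  // hypothetical state
    uint256 public threshold = 100;             // hypothetical state
    bool public paused;                         // hypothetical state

    // ML-01 "before": both branches differ only in the returned expression.
    function feeBefore(uint256 amount) public view returns (uint256) {
        if (staked[msg.sender] >= threshold) {
            return amount / 100;  // 1% fee above the threshold
        } else {
            return amount / 50;   // 2% fee otherwise
        }
    }

    // ML-01 "after": the same result from a single ternary expression.
    // Both arms must have the same type (uint256 here) for the ternary to compile.
    function feeAfter(uint256 amount) public view returns (uint256) {
        return staked[msg.sender] >= threshold ? amount / 100 : amount / 50;
    }

    // ML-02 "before": branching just to re-materialise the condition as a bool.
    function canWithdrawBefore(address account) public view returns (bool) {
        if (!paused && staked[account] > 0) {
            return true;
        } else {
            return false;
        }
    }

    // ML-02 "after": return the boolean expression directly.
    // `&&` short-circuits identically in both forms, so evaluation order is unchanged.
    function canWithdrawAfter(address account) public view returns (bool) {
        return !paused && staked[account] > 0;
    }

    // Differential check: the refactored functions must agree with the originals
    // for every input, which is the property a reviewer verifies before accepting
    // a size optimisation like this one.
    function equivalent(uint256 amount, address account) external view returns (bool) {
        return feeBefore(amount) == feeAfter(amount)
            && canWithdrawBefore(account) == canWithdrawAfter(account);
    }
}
```

The size savings quoted in the findings come from the compiler emitting one conditional jump and a single return path instead of two; the behaviour, including revert conditions and gas-relevant evaluation order, is unchanged, which is why this class of change is graded Low.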
Informational MI – 01 | Resolved
There are instances that need to be covered by NatSpec:
Add NatSpec comments to the contracts and their functions, following the Solidity documentation on NatSpec.
Informational MI – 02 | Resolved
There are some typos in the contract's code and NatSpec that should be fixed:
Consider fixing the typos. Where a renamed identifier is imported or called from other contracts, update those references as well.
Informational MI – 03 | Resolved
Event arguments do not need the leading underscore used for function arguments; that convention exists to avoid naming collisions inside functions.
Consider removing the underscore from the following event arguments:
To verify the security of contracts and the performance, a number of integration tests were carried out using the Hardhat testing framework.
In this section, we provide both tests written by milestoneBased and tests written by Vidma auditors.
milestoneBased Coverage – 93.55%
Vidma Coverage – 98.69%
Industry Standard – 95%
It is important to note that Vidma auditors do not modify, edit or add to the existing tests provided in the milestoneBased repository. We write entirely separate tests with a minimum code coverage of 95% to meet the industry standard.
We are delighted to have had the chance to work with the milestoneBased team and to contribute to your company's success by reviewing and certifying the security of your smart contracts.
The statements made in this document should be interpreted neither as investment nor as legal advice, nor should its authors be held accountable for decisions made based on this document.