Vidma team has conducted a smart contract audit for the given codebase.
It should be mentioned that there is no hardcoded address in the contract, so we cannot predict to which address the funds will be sent. As for official governmental addresses, there is none that accepts BNB.
After a chat with the Ukraine's Angels team, they elaborated that they work with different charity organizations and also make independent purchases for the army and people in need. They also assure that all reports on the spent funds are published in their channel.
A detailed summary of the issues and their current state is displayed in the table below.
Evaluating the findings, we can assure that the contract is safe to use and that all the issues found manifest only under certain conditions and cases. Under the given circumstances we can set the following risk level:
Vidma auditors evaluate both the initial commit given for the scope of the audit and the last commit with the fixes, which helps to adequately evaluate the development quality. Code style, optimization of the contracts, and the number and risk level of the issues are taken into consideration. The Vidma team has developed the transparent scoring system presented below.
Based on the given findings, risk level, performance, and code style, the Vidma team can grant the following overall score:
Vidma auditing team has conducted a bunch of integrated autotests to ensure that the given codebase has decent performance and security levels. The test results and the coverage can be found in the accompanying section of this audit report.
Please mind that this audit does not certify the definite reliability and security level of the contract. This document describes all vulnerabilities, typos, performance issues, and security issues found by the Vidma auditing team. If the code is still under development, we recommend running one more audit once the code is finalized.
Ukraine's Angels is here to help Ukrainian people to fight off the plague of war afflicting their communities right now. This is the world’s crypto family’s contribution to #StopTheWar.
Within the scope of this audit, two independent auditors deeply investigated the given codebase and analyzed the overall security and performance of smart contracts.
The debrief took place from March 9th to 11th, 2022, and the final results are presented in this document.
Vidma auditing team has made a review of the following contract:
Initial commit submitted for the audit:
https://bscscan.com/address/0x1cee20367ebda61500dd037a0ba2a9a2b733d391#code
During the manual phase of the audit, Vidma team manually looks through the code in order to find any security issues, typos, or discrepancies with the logic of the contract.
Within the testing part, Vidma auditors run integration tests using the Truffle testing framework. The test coverage and the tests themselves are inserted into this audit report.
Vidma team uses the most sophisticated and contemporary methods and techniques to ensure the contract does not have any vulnerabilities or security risks:
For the convenience of reviewing the findings in this report, Vidma auditors classified them in accordance with the severity of the issues (from most critical to least critical). The acceptance criteria are described below.
All issues are marked as "Resolved" or "Unresolved", depending on whether they have been fixed by Ukraine's Angels or not. The latest commit indicated in this audit report should include all the fixes made.
To ease the explanation, the Vidma team has provided a detailed description of the issues and recommendations on how to fix them.
Hence, according to the statements above, we classified all the findings in the following way:
Low | Unresolved
Since not all EVM compiler versions support all features, especially the latest ones, which are effectively beta versions, the intended behavior written in the code might not execute as expected. Locking the pragma helps ensure that contracts do not accidentally get deployed using, for example, the latest compiler, which may have a higher risk of undiscovered bugs.
Replace pragma solidity ^0.8.0 with pragma solidity 0.8.12.
Low | Unresolved
In the function donate() there is no verification that the receiver is not the zero address and that the amount is non-zero.
Add an additional check for address and amount.
Low | Unresolved
In the function retrieveTokens() there is no verification that the contract balance holds enough funds to send, nor any check of the amount value.
Add an additional check for the amount and token’s balance.
Example:
Informational | Unresolved
Smart contract UkrAngelsNFT.sol is not covered by NatSpec annotations.
Consider covering all contract methods with NatSpec.
Informational | Unresolved
The functions in contract UkrAngelsNFT.sol are not grouped according to their visibility and order.
Functions should be grouped according to their visibility and ordered in the following way:
Consider changing the function order according to the Solidity documentation: Order of Functions.
Informational | Unresolved
The layout of contract elements in the UkrAngelsNFT contract is not logically grouped.
The contract elements should be grouped and ordered in the following way:
Inside each contract, library or interface, use the following order:
Ordering helps readers to navigate the code and find the elements more quickly.
Consider changing the layout order according to the Solidity style guide documentation.
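The following contract is an added illustration, not the audited UkrAngelsNFT.sol or the project's own code, and it applies the findings above in one place: a locked pragma, zero-address and zero-amount checks in donate(), a balance check in retrieveTokens(), NatSpec on every method, and the style-guide layout (state variables, events, modifiers, then functions ordered by visibility). The function signatures, the payable donate() that forwards msg.value, and the owner-only retrieveTokens() are assumptions.

```solidity
// Added illustration, not the audited UkrAngelsNFT.sol. Function signatures
// and the owner-only access control on retrieveTokens() are assumptions.
pragma solidity 0.8.12; // locked pragma instead of ^0.8.0

/// @dev Minimal ERC20 surface needed by retrieveTokens().
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @title Donation router with validated transfers
/// @notice Layout follows the Solidity style guide: state variables,
///         events, modifiers, then functions ordered by visibility.
contract DonationRouter {
    // State variables
    address public owner;
    // Events
    event Donated(address indexed donor, address indexed receiver, uint256 amount);
    event TokensRetrieved(address indexed token, address indexed to, uint256 amount);
    // Modifiers
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
    // Functions: constructor first, then external; public/internal/private would follow
    constructor() {
        owner = msg.sender;
    }

    /// @notice Forwards the BNB sent with the call to `receiver`.
    /// @param receiver Destination wallet; must not be the zero address.
    function donate(address payable receiver) external payable {
        require(receiver != address(0), "donate: zero receiver");
        require(msg.value != 0, "donate: zero amount");
        (bool ok, ) = receiver.call{value: msg.value}("");
        require(ok, "donate: transfer failed");
        emit Donated(msg.sender, receiver, msg.value);
    }

    /// @notice Sends `amount` of ERC20 `token` held by the contract to `to`.
    /// @dev Checking the balance first yields a clear revert instead of an opaque one.
    function retrieveTokens(IERC20 token, address to, uint256 amount) external onlyOwner {
        require(to != address(0), "retrieveTokens: zero receiver");
        require(amount != 0, "retrieveTokens: zero amount");
        require(token.balanceOf(address(this)) >= amount, "retrieveTokens: insufficient balance");
        require(token.transfer(to, amount), "retrieveTokens: transfer failed");
        emit TokensRetrieved(address(token), to, amount);
    }
}
```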
To verify the contract's security and performance, a set of integration tests was written using the Truffle testing framework.
The tests were based on the functionality of the code, business logic, and requirements, with the purpose of finding vulnerabilities in the contracts.
In this section, we provide tests written by Vidma auditors.
Vidma Coverage – 100%
Industry Standard – 95%
It's important to note that Vidma auditors do not modify, edit or add tests to the existing tests provided in the Ukraine's Angels repo. We write totally separate tests with code coverage of a minimum of 95%, to meet the industry standards.
We are delighted to have a chance to work together with Ukraine's Angels team and contribute to their success by reviewing and certifying the security of the smart contracts.
The statements made in this document should not be interpreted as investment or legal advice, nor should its authors be held accountable for decisions made based on them.