HAPI - Audit - by Hacken

SMART CONTRACT CODE REVIEW AND SECURITY ANALYSIS REPORT

Customer: HAPI
Date: June 8th, 2021
This document may contain confidential information about IT systems and
the intellectual property of the Customer as well as information about
potential vulnerabilities and methods of their exploitation.

The report containing confidential information can be used internally by the
Customer, or it can be disclosed publicly after all vulnerabilities are fixed - upon a
decision of the Customer.

Document

Name: Smart Contract Code Review and Security Analysis Report for HAPI (31 pages).
Approved by: Andrew Matiukhin | CTO Hacken OU
Type: Token, Token sale, Exchange, Exchanges aggregator.
Platform: Ethereum / Solidity
Methods: Architecture Review, Functional Testing, Computer-Aided Verification, Manual Review.
Repository: https://github.com/HAPIprotocol/HAPI
Commit: cde466d6b4738dabf63abc9584e0d5debd0498db
Deployed contract: 0xd9c2d319cd7e6177336b0a9c93c21cb48d84fb54
Timeline: 07 JUN 2021 – 08 JUN 2021
Changelog: 08 JUN 2021 – INITIAL AUDIT

Table of contents
Document
Table of contents
Introduction
Scope
Executive Summary
Severity Definitions
AS-IS overview
Conclusion
Disclaimers
Introduction
Hacken OÜ (Consultant) was contracted by HAPI (Customer) to conduct a Smart
Contract Code Review and Security Analysis. This report presents the findings
of the security assessment of the Customer's smart contracts and its code review
conducted between June 7th, 2021 – June 8th, 2021.

Scope
The scope of the project is smart contracts in the repository:
Contract deployment address:
Repository: https://github.com/HAPIprotocol/HAPI
Commit: cde466d6b4738dabf63abc9584e0d5debd0498db
Files:
Airdrop.sol
FixedAmountVesting.sol
HAPI.sol
HAPIBSC.sol
We have scanned these smart contracts for commonly known and more specific
vulnerabilities. Here are some of the commonly known vulnerabilities that are
considered:

Category: Check Item

Code review:
▪ Reentrancy
▪ Ownership Takeover
▪ Timestamp Dependence
▪ Gas Limit and Loops
▪ DoS with (Unexpected) Throw
▪ DoS with Block Gas Limit
▪ Transaction-Ordering Dependence
▪ Style guide violation
▪ Costly Loop
▪ ERC20 API violation
▪ Unchecked external call
▪ Unchecked math
▪ Unsafe type inference
▪ Implicit visibility level
▪ Deployment Consistency
▪ Repository Consistency
▪ Data Consistency

Functional review:
▪ Business Logics Review
▪ Functionality Checks
▪ Access Control & Authorization
▪ Escrow manipulation
▪ Token Supply manipulation
▪ Assets integrity
▪ User Balances manipulation
▪ Kill-Switch Mechanism
▪ Operation Trails & Event Generation

Executive Summary
According to the assessment, the Customer's smart contracts are well-secured
and have good test coverage.

Security scale: Insecure | Poor secured | Secured | Well-secured. You are here: Well-secured.


Our team performed an analysis of code functionality, manual audit, and
automated checks with Mythril and Slither. All issues found during automated
analysis were manually reviewed, and important vulnerabilities are presented
in the Audit overview section. A general overview is presented in the AS-IS section,
and all found issues can be found in the Audit overview section.

Security engineers found 1 low severity issue during the audit.

Notice: The HAPI contract contains no implemented hooks functionality. We
cannot guarantee the security of the contracts after those hooks are
implemented.

Graph 1. The distribution of vulnerabilities (chart; severity levels shown: Critical, High, Medium, Low, Informational).

Severity Definitions

Risk Level: Description

Critical: Critical vulnerabilities are usually straightforward to exploit and can
lead to assets loss or data manipulations.

High: High-level vulnerabilities are difficult to exploit; however, they also
have a significant impact on smart contract execution, e.g., public
access to crucial functions.

Medium: Medium-level vulnerabilities are important to fix; however, they
can't lead to assets loss or data manipulations.

Low: Low-level vulnerabilities are mostly related to outdated, unused,
etc. code snippets that can't have a significant impact on
execution.

Lowest / Code Style / Best Practice: Lowest-level vulnerabilities, code style
violations, and info statements can't affect smart contract execution and can be
ignored.
AS-IS overview
Airdrop.sol
Description

Airdrop is a contract used for the token distribution.

Imports

Airdrop contract has the following imports:

• @openzeppelin/contracts/token/ERC20/IERC20.sol
• @openzeppelin/contracts/token/ERC20/SafeERC20.sol
• @openzeppelin/contracts/math/SafeMath.sol
• ./libraries/TransferHelper.sol

Usages

Airdrop contract has the following custom usages:

• SafeMath for uint
• SafeERC20 for IERC20

Enums

Airdrop contract has no custom enums.

Events

Airdrop contract has no custom modifiers.

Modifiers

Airdrop has no custom modifiers.

Functions

Airdrop has the following functions:

• Transfer
Description
Transfer an amount of tokens to address
Input parameters
o address[] calldata _addresses
o uint total
Constraints
o _addresses.length == _amounts.length.
o sum == total.
Events emit
None
Output
None
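
As an added illustration (not the project's Airdrop.sol), the batch transfer below enforces the two constraints listed for Transfer: equal array lengths and a declared total that matches the sum of the amounts. The contract name, the `_amounts` parameter and the pull-then-distribute flow are assumptions; it targets OpenZeppelin Contracts 3.x, matching the import paths listed above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.12;

// Assumes OpenZeppelin Contracts 3.x (SafeMath / SafeERC20 paths as in the report).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/SafeERC20.sol";
import "@openzeppelin/contracts/math/SafeMath.sol";

// Illustrative batch distributor, not the HAPI project's code.
contract BatchAirdrop {
    using SafeMath for uint256;
    using SafeERC20 for IERC20;

    IERC20 public token; // assumption: a single token fixed at deployment

    constructor(IERC20 _token) public {
        token = _token;
    }

    function transfer(
        address[] calldata _addresses,
        uint256[] calldata _amounts,
        uint256 total
    ) external {
        // Constraint 1: one amount per recipient.
        require(_addresses.length == _amounts.length, "Airdrop: length mismatch");

        // Constraint 2: the caller's declared total must equal the real sum.
        // SafeMath.add reverts on overflow, so a crafted amount cannot wrap
        // the accumulator on pre-0.8 Solidity (the "Unchecked math" check item).
        uint256 sum = 0;
        for (uint256 i = 0; i < _amounts.length; i++) {
            sum = sum.add(_amounts[i]);
        }
        require(sum == total, "Airdrop: total mismatch");

        // Pull the whole batch once, then fan out. The Safe* wrappers revert on
        // tokens that return false instead of reverting ("ERC20 API violation").
        token.safeTransferFrom(msg.sender, address(this), total);
        for (uint256 i = 0; i < _addresses.length; i++) {
            token.safeTransfer(_addresses[i], _amounts[i]);
        }
        // Loop cost grows with the batch size ("Gas Limit and Loops"); callers
        // split large distributions into batches that fit the block gas limit.
    }
}
```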

FixedAmountVesting.sol
Description

Vesting management.

Imports

FixedAmountVesting contract has the following imports:

• @openzeppelin/contracts/token/ERC20/IERC20.sol
• @openzeppelin/contracts/token/ERC20/SafeERC20.sol
• @openzeppelin/contracts/math/SafeMath.sol
• @openzeppelin/contracts/access/Ownable.sol
• @openzeppelin/contracts/utils/ReentrancyGuard.sol
• ./libraries/FixedAmountVestingLibrary.sol

Inheritance

FixedAmountVesting contract is ReentrancyGuard and Ownable

Usages

FixedAmountVesting contract has the following custom usages:

• SafeMath for uint
• SafeERC20 for IERC20
• FixedAmountVestingLibrary for FixedAmountVestingLibrary.Data

Structs

FixedAmountVesting contract has the following data structures:

• LockupDetails – a total amount and a vesting period for the lockup

Enums

FixedAmountVesting contract has no custom enums.

Events

FixedAmountVesting contract has the following custom events:

• Withdraw
• SetLockup

Modifiers
FixedAmountVesting has the following modifiers:
• vestedAmountOf
• token
• vestingData
• lockupAmountOf

Fields

FixedAmountVesting contract has the following constants:

• address _token
• uint64 _cliffEnd
• uint32 _vestingInterval
• lockupAmountOf

Functions

FixedAmountVesting has the following public functions:

• setLockup
Description
Initializes the lockup.
Visibility
onlyOwner
Input parameters
o address[] calldata _accounts
o uint128[] calldata _totalAmounts
o uint128[] calldata _vestedPerInterval
Constraints
o _accounts.length == _totalAmounts.length &&
_totalAmounts.length == _vestedPerInterval.length
Events emit
o SetLockup
Output
None
• withdraw
Description
Withdrawals are allowed only if ownership was renounced (setLockup
cannot be called, vesting recipients cannot be changed anymore)
Visibility
External
Input parameters
None
Constraints
o Can only be called by owner.
o unlocked > 0
Events emit
o Withdraw
Output
None
• lockupAmountOf
Description
Return the total lockup amount.
Visibility
External
Input parameters
o address _account
Constraints
None
Events emit
None
Output
o uint128 totalAmount
o uint128 vestedPerInterval
• unlockedAmountOf
Description
Return the unlocked amount.
Input parameters
o address _account
Constraints
None
Events emit
None
Output
o uint

HAPI.sol
Description

HAPI contract for an ERC-20 token.

Imports

HAPI contract has the following imports:


• @openzeppelin/contracts/token/ERC20/ERC20.sol
• @openzeppelin/contracts/presets/ERC20PresetMinterPauser.sol
• ./interfaces/IHAPI.sol

Inheritance
HAPI contract is IHAPI, ERC20PresetMinterPauser.

Usages

None

Structs

None

Enums

HAPI contract has no custom enums.

Events

HAPI contract has no custom events

Modifiers

HAPI has no custom modifiers.

Fields

HAPI contract has the following constants:

• uint public constant override INITIAL_SUPPLY = 100000 * DECIMAL_MULTIPLIER
• uint public constant override MAX_SUPPLY = 1000000 * DECIMAL_MULTIPLIER
• uint constant private DECIMAL_MULTIPLIER = 10**18

Functions

HAPI has the following functions:

• _mint
Description
The token contract allows the owner or privileged users to mint tokens
to a specific address
Visibility
Internal
Input parameters
o address account
o uint amount
Constraints
o totalSupply().add(amount) <= MAX_SUPPLY
Events emit
None
Output
None

HAPIBSC.sol
Description

HAPIBSC contract for a BEP-20 token.

Imports
HAPIBSC contract has the following imports:
• @openzeppelin/contracts/token/ERC20/ERC20.sol
• @openzeppelin/contracts/presets/ERC20PresetMinterPauser.sol
• ./interfaces/IBEP20Ownable.sol
• ./interfaces/IHAPI.sol

Inheritance

HAPIBSC contract is IHAPI, IBEP20Ownable, ERC20PresetMinterPauser.

Usages

None

Structs

None
Enums

HAPIBSC contract has no custom enums.

Events

HAPIBSC contract has no custom events.

Modifiers

HAPIBSC has no custom modifiers.

Fields

HAPIBSC contract has the following constants:

• uint public constant override INITIAL_SUPPLY = 35000 * DECIMAL_MULTIPLIER
• uint public constant override MAX_SUPPLY = 1000000 * DECIMAL_MULTIPLIER
• uint constant private DECIMAL_MULTIPLIER = 10**18

Functions

HAPIBSC has the following public functions:

• _mint
Description
The token contract allows the owner or privileged users to mint tokens
to a specific address
Visibility
Internal
Input parameters
o address account
o uint amount
Constraints
o totalSupply().add(amount) <= MAX_SUPPLY
Events emit
None
Output
None
• getOwner
Description
Simple getter function.
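
The `_mint` override described for both HAPI.sol and HAPIBSC.sol (same constraint, different INITIAL_SUPPLY) is shown below as an added example, not the project's code. It uses the HAPI.sol constants from this report; the contract name, token name/symbol, the choice to mint INITIAL_SUPPLY to the deployer, and the `remainingMintable` helper are assumptions, and it targets OpenZeppelin Contracts 3.x (the preset path listed above).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.12;

// Assumes OpenZeppelin Contracts 3.x, matching the import paths in the report.
import "@openzeppelin/contracts/math/SafeMath.sol";
import "@openzeppelin/contracts/presets/ERC20PresetMinterPauser.sol";

// Illustrative capped token, not the HAPI project's code. Constants mirror
// HAPI.sol; HAPIBSC.sol differs only in INITIAL_SUPPLY (35000 * DECIMAL_MULTIPLIER).
contract CappedMintToken is ERC20PresetMinterPauser {
    using SafeMath for uint256;

    uint256 private constant DECIMAL_MULTIPLIER = 10**18;
    uint256 public constant INITIAL_SUPPLY = 100000 * DECIMAL_MULTIPLIER;
    uint256 public constant MAX_SUPPLY = 1000000 * DECIMAL_MULTIPLIER;

    // Assumption: the initial supply goes to the deployer; the report does not
    // state where the project mints its initial supply.
    constructor() public ERC20PresetMinterPauser("Capped", "CAP") {
        _mint(_msgSender(), INITIAL_SUPPLY);
    }

    // The preset's public mint() (guarded by MINTER_ROLE) ends in _mint, so the
    // cap enforced here covers every mint path, including the constructor.
    // SafeMath.add keeps the comparison overflow-safe on Solidity < 0.8.
    function _mint(address account, uint256 amount) internal virtual override {
        require(totalSupply().add(amount) <= MAX_SUPPLY, "CappedMintToken: cap exceeded");
        super._mint(account, amount);
    }

    // Headroom left under the cap; useful for tests and supply monitoring.
    function remainingMintable() external view returns (uint256) {
        return MAX_SUPPLY.sub(totalSupply());
    }
}
```

Because the cap is checked inside `_mint` rather than in the role-gated `mint()`, a minter cannot bypass it through any other path that the preset exposes.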
Audit overview
Critical

1. No critical issues were found.


High

1. No high severity issues were found.

Medium

1. No medium severity issues were found.

Low

1. Multiple code style issues found by the static code analyzer.
Conclusion
Smart contracts within the scope were manually reviewed and analyzed with
static analysis tools. For the contracts, a high-level description of functionality was
presented in the As-Is overview section of the report.

The audit report contains all found security vulnerabilities and other issues in the
reviewed code.

Security engineers found 1 low issue during the audit.

Notice: the HAPI contract contains no implemented hooks functionality. We
cannot guarantee the security of the contracts after those hooks are
implemented.
Disclaimers
Hacken Disclaimer

The smart contracts given for audit have been analyzed in accordance with the
best industry practices at the date of this report, in relation to cybersecurity
vulnerabilities and issues in smart contract source code, the details of which
are disclosed in this report (Source Code); the Source Code compilation,
deployment, and functionality (performing the intended functions).

The audit makes no statements or warranties on security of the code. It also
cannot be considered as a sufficient assessment regarding the utility and safety
of the code, bugfree status or any other statements of the contract. While we
have done our best in conducting the analysis and producing this report, it is
important to note that you should not rely on this report only - we recommend
proceeding with several independent audits and a public bug bounty program
to ensure security of smart contracts.

Technical Disclaimer

Smart contracts are deployed and executed on a blockchain platform. The
platform, its programming language, and other software related to the smart
contract can have their own vulnerabilities that can lead to hacks. Thus, the audit can't
guarantee the explicit security of the audited smart contracts.