Smart Contract Security Audit For AUT Token Suite by Aut Labs

From Decentralized Identities to Reputation Mining

Score:
10/10
Ecosystem:
Type:
DeSoc Platform DID

Overview

Aut Labs creates a DeSoc platform with a suite of tools designed for Web3 communities, enabling users to create self-sovereign, portable identities based on their skills and contributions rather than personal data. The platform emphasizes reputation mining, allowing users to build and showcase their reputation within the Web3 ecosystem through verifiable contributions and achievements. The platform provides Decentralized Identities (DID) for users, enabling rapid onboarding into DAOs and creating a connected network of users’ identities and their onchain interactions. The platform implements a concept of Collective Autonomy, making it easier for users to join communities, complete tasks, and build their reputation.

The audit’s focus was the $AUT token, the token for the Collaboration Economy. It is a reputation-based token designed to power a social economy and intended for Web3 value-contributors committed to their Hubs based on roles, availability and efforts. Contributors are therefore rewarded based on their participation in dapps, protocols and P2P interactions, according to the measurable value that they bring to each of their decentralized projects and communities.

Technologies: Solidity

Task

During the auditing process for this project, we checked the AUT token suite smart contracts for various vulnerabilities. The whole procedure is divided into the following stages:

1) Standard vulnerabilities checklists, including but not limited to:

  • Storage structure and data modification flow
  • Access control structure, roles existing in the system
  • Public interface and restrictions based on the roles system
  • Order-dependency and time-dependency of operations
  • Validation of function parameters, inputs validation
  • Asset Security (backdoors connected to underlying assets)
  • Incorrect minting, initial supply or other conditions for assets issuance
  • Denial-of-Service (DoS) attacks
  • General code structure checks and correspondence to best practices
  • Correct implementation of standards

and other potential Solidity vulnerabilities and attack vectors;

2) Business logic decompositions to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;

3) Review of dependencies, integrations, and 3rd parties, verified with appropriate integration tests;

4) The team paid special attention to:

  • ERC20 implementation
  • correctness of tokens distribution and risks connected to it
  • correctness of funds flow during vestings and correctness of the release schedule
  • deployment flow

and other aspects which may bring risks to the platform. The team analyzed the business logic of the platform, thoroughly testing each stage of the funds flow.

Interaction Flow

The vesting module of the AUT token suite that we audited.


The Blaize Security team reviewed the AUT token suite for Aut Labs. The scope included contracts connected to the AUT token, vesting, and initial token distribution. Initially, the scope also included contracts for reputation mining, though they were moved to the next audit iteration after a couple of audit rounds; thus, the security team focused purely on the token and token periphery.

Our task was to review the AUT token, check its conformance to the ERC20 standard, and find and describe any security issues in the smart contracts regulating the distribution of funds. Thus, the security team produced a decomposition of the vesting and distribution logic, as well as of the funds flow in general, and analyzed a set of edge cases (especially those connected to the access control logic). The team also checked the system against several checklists (including all standard vulnerabilities) and conducted an intensive testing stage.

Security Audit Procedure

Blaize Security auditors start the audit by developing an auditing strategy: an individual plan in which the team selects methods, techniques, and approaches for the audited components. That includes the following activities:

Manual Audit Stage

  • Manual line-by-line code review by at least two security auditors, with crosschecks and validation from the security lead;
  • Protocol decomposition and components analysis with building an interaction scheme, depicting internal flows between the components and sequence diagrams;
  • Business logic inspection for potential loopholes, deadlocks, backdoors;
  • Math operations and calculations analysis, formula modeling;
  • Access control review, roles structure, analysis of user and admin capabilities and behavior;
  • Review of dependencies, 3rd parties, and integrations;
  • Review with automated tools and static analysis;
  • Vulnerabilities analysis against several checklists, including the internal Blaize Security checklist;
  • Storage usage review;
  • Gas (or tx weight or cross-contract calls or another analog) optimization;
  • Code quality, documentation, and consistency review.

Testing Stage

  • Development of edge cases based on manual stage results for false positives validation;
  • Integration tests for checking connections with 3rd parties;
  • Manual exploratory tests over the locally deployed protocol;
  • Checking the existing set of tests and performing additional unit testing;
  • Fuzzy and mutation tests (by request or necessity);
  • End-to-end testing of complex systems.

Upon completion of the audit, we delivered a comprehensive security audit report to the Aut Labs team. This report included:

  • Identified risks
  • Potential mitigations
  • Detailed vulnerability assessments
  • Recommendations for improvements

Audit Result

The security team noted the high quality of the code, good natspec comments, availability of the protocol documentation, and good approach to the deployment. The protocol implements solid development practices.


During the audit, Blaize’s security team discovered several issues in the core logic of the platform (connected to the conditional token and reputation mining); thus, several contracts were excluded from the scope and moved to the next iteration. In the token suite within the scope we identified a total of 5 issues: 2 low-risk issues connected to missing validations and optimization, and 3 issues connected to substandard or ambiguous behavior. The team rapidly provided all requested patches to close the issues. However, the security team noted several points worth monitoring: correct deployment parameters, curation of the token distribution, monitoring of token balances on contracts, and replenishment of those token balances. The security team also recommends intensifying the testing approach and increasing the unit test coverage up to the industry standard.
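To make the balance-monitoring point concrete, below is an added example written for this page (not Aut Labs’ or Blaize’s code) of the invariant an auditor checks on a vesting contract: the tokens it holds must cover both what beneficiaries can claim right now and everything still owed over the whole schedule. The cliff-plus-linear release curve, the field names and the sample grants are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VestingSchedule:
    """One beneficiary's grant: nothing before the cliff, then linear to `end`."""
    beneficiary: str
    total: int        # tokens granted, in the token's smallest unit
    start: int        # unix time the linear schedule is measured from
    cliff: int        # unix time before which nothing is releasable
    end: int          # unix time at which the whole grant is vested
    released: int = 0 # tokens the beneficiary has already withdrawn


def vested_amount(s: VestingSchedule, now: int) -> int:
    """Tokens vested at `now`: 0 before the cliff, total after `end`, linear between."""
    if now < s.cliff:
        return 0
    if now >= s.end:
        return s.total
    # Multiply before dividing, as the Solidity contract would, to limit truncation.
    return s.total * (now - s.start) // (s.end - s.start)


def releasable(s: VestingSchedule, now: int) -> int:
    """Vested but not yet withdrawn; this is what a release() call would pay out."""
    return vested_amount(s, now) - s.released


def check_solvency(schedules, contract_balance: int, now: int) -> dict:
    """Audit-style balance invariant: the contract must hold enough tokens for
    everything still owed over the whole schedule, and for what is claimable now."""
    owed_total = sum(s.total - s.released for s in schedules)
    claimable_now = sum(releasable(s, now) for s in schedules)
    return {
        "owed_total": owed_total,
        "claimable_now": claimable_now,
        # A shortfall here means release() calls will start reverting.
        "shortfall_now": max(0, claimable_now - contract_balance),
        # Tokens that must be topped up before the schedule can complete.
        "replenish_needed": max(0, owed_total - contract_balance),
    }


# Constructed sample grants (hypothetical values, not from the audited contracts).
T0 = 1_700_000_000
SAMPLE_SCHEDULES = [
    VestingSchedule("alice", total=1_000, start=T0, cliff=T0 + 100, end=T0 + 1_000),
    VestingSchedule("bob", total=500, start=T0, cliff=T0 + 100, end=T0 + 1_000, released=50),
]
```

Running `check_solvency(SAMPLE_SCHEDULES, 600, T0 + 500)` reports a shortfall of 100 tokens against current claims and 850 tokens to replenish before the schedule can complete; a monitoring job would alert on either value being non-zero.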


The Aut Labs team has resolved all the issues presented by the auditors and is aware of the risks raised; thus, part of the contracts have been moved to a separate audit iteration. The token suite codebase is of high quality, and although there are a few points worth monitoring, the security team marked the AUT token suite as secure with an audit security score of 10 out of 10.

Audit Report

Access the complete security audit report

Detailed Report

Get in Touch

Your blockchain dreams deserve top-tier security. Let's secure them together with our team of certified blockchain security professionals.
Get consulting on WEB3 security from top-tier security researchers and auditors. Contact us, and let's fortify your decentralized future.