Smart Contract Security Audit For BrainStarter

Score: 9.73/10
Type: RWA Tokenization

Overview

BrainStarter introduces new quality standards into the RWA space and transforms the tokenization processes for both web2 and web3 spheres. In this way, the platform offers Down-To-Earth quality powered by new technologies and BrainStarter’s unique approach.

The company offers a comprehensive suite of services, including intellectual property protection, supervision of token launch, and advice around different aspects of the tokenization processes, including legal and marketing sides. Of course, it provides a decentralized platform for RWA tokenization. Thus, the platform offers a Down-To-Earth launchpad ready to support tokenization projects with all aspects necessary for a successful launch.

Services: Smart Contract Security Audit
Technologies: Polygon

Task

During the auditing process for this project, we checked BrainStarter smart contracts for various vulnerabilities. The whole procedure is divided into the following stages:

1) Standard vulnerabilities checklists, including but not limited to:

  • Storage structure and data modification flow
  • Access control structure, roles existing in the system
  • Public interface and restrictions based on the roles system
  • Order-dependency and time-dependency of operations
  • Validation of function parameters, inputs validation
  • Asset Security (backdoors connected to underlying assets)
  • Incorrect minting, initial supply or other conditions for assets issuance
  • Denial-of-Service (DoS) attacks
  • General code structure checks and correspondence to best practices
  • Upgradeability issues

and other potential Solidity vulnerabilities and attack vectors;

2) Business logic decompositions to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;

3) Review of dependencies, integrations, and 3rd parties, verified with appropriate integration tests;

4) Our own internal security checklists, additionally verified during the testing stage. The team focused mainly on verifying the security of stored assets: liquid and illiquid stakes, and the internal Brain and Dopamine tokens. Thus, we provided extra checks on the correct flows around all valuable assets and the math behind their balances.

Interaction Flow

The part of the BrainStarter smart contracts we audited (interaction flow diagram)

During the audit, we examined the security of smart contracts for the BrainStarter protocol. The audit scope included 7 separate smart contracts developed by the BrainStarter team. The protocol features a system for managing $BRAINS tokens, allowing users to stake tokens and receive either liquid or illiquid NFTs based on staking thresholds. Liquid stakes are transferable, while illiquid stakes remain locked and non-transferable. The audit also covered the mechanisms for token minting, burning, and fee calculations, ensuring that the protocol’s logic is secure and functions as intended.


Our task was to find and describe any security issues in the smart contracts of the platform. Thus, the security team provided the decomposition of the protocol, checked the integrity of the business logic, funds flow, access control system, and user flow, and analyzed a set of edge cases. The team also checked the system against several checklists (including all standard vulnerabilities) and conducted an intensive testing stage.

Security Audit Procedure

Blaize. Security auditors start the audit by developing an auditing strategy: an individual plan that sets out the methods, techniques, and approaches for the audited components. That plan includes the following activities:

Manual Audit Stage

  • Manual line-by-line code review by at least 2 security auditors, with cross-checks and validation from the security lead;
  • Protocol decomposition and components analysis with building an interaction scheme, depicting internal flows between the components and sequence diagrams;
  • Business logic inspection for potential loopholes, deadlocks, backdoors;
  • Math operations and calculations analysis, formula modeling;
  • Access control review, roles structure, analysis of user and admin capabilities and behavior;
  • Review of dependencies, 3rd parties, and integrations;
  • Review with automated tools and static analysis;
  • Vulnerabilities analysis against several checklists, including the internal Blaize. Security checklist;
  • Storage usage review;
  • Gas (or tx weight or cross-contract calls or another analog) optimization;
  • Code quality, documentation, and consistency review.

Testing Stage

  • Development of edge cases based on manual stage results for false positives validation;
  • Integration tests for checking connections with 3rd parties;
  • Manual exploratory tests over the locally deployed protocol;
  • Checking the existing set of tests and performing additional unit testing;
  • Fuzz and mutation tests (by request or necessity);
  • End-to-end testing of complex systems.

Upon completion of the audit, we delivered a comprehensive security audit report to the Blockus team. This report included:

  • Identified risks
  • Potential mitigations
  • Detailed vulnerability assessments
  • Recommendations for improvements

Audit Result

The security team concluded that the audited components implement a high security standard. The code is of the highest quality, has thorough NatSpec documentation, and follows best practices. Auditors also noted a good set of native tests and a good approach to testing changes. The protocol implements the necessary security measures.

During the audit, Blaize’s security team identified a total of 15 security issues: 3 critical issues, 1 high-risk issue, 1 issue of medium severity, 4 issues of low severity, and 6 issues connected to substandard or ambiguous behavior. The issues were mainly connected to incorrect storage handling and missed edge cases, and they affected the calculation of staked tokens. Based on Blaize’s comprehensive recommendations and detailed audit report, the BrainStarter team promptly addressed and resolved all identified issues and supplied a comprehensive description of the desired business logic. The team proactively verified all substandard business logic decisions and implemented all offered recommendations.

The security team noted several risks to which the platform is exposed: the standard risks connected to burnable tokens, the risks introduced by the use of ERC-2612 permit signatures, the risks arising from the upgradeability of the smart contracts, and centralized control over the internal utility tokens. While all these features are standard in web3, each carries its own risks. The BrainStarter team is aware of all of them and is prepared for any potential circumstances.

Based on the prompt resolution of all identified issues and the mitigation of the potential risks, the security team granted BrainStarter a high audit security score of 9.73 out of 10. This score reflects BrainStarter’s commitment to maintaining the highest quality of their codebase and conforming to the best practices accepted in the web3 field.
