Smart Contract Security Audit For Jibrel

Score:
9.5 /10
Type:
DeFi

Overview

Jibrel is an open-source web3 development company. Jibrel provides tokenized financial assets on the Ethereum blockchain. These assets include currencies, bonds, and commodities of various kinds.

Services: Smart Contracts Audit
Technologies: Ethereum, Solidity

Task

The main task was to conduct a smart contract security audit and code review supported by the technical expertise of Blaize engineers. We had to provide two separate documents:

  1. the first document concentrated on recommendations for improving the code architecture and project structure, based on our technical expertise in smart contract development approaches;
  2. the second document is the security audit report listing the Tranche contract vulnerabilities and bugs found in the automated and manual testing.

The technical task required analysis with automated tools together with a manual code review of the whole set of smart contracts. In addition, we had to compile a list of the main attacks and vulnerabilities the contracts may be exposed to, given the project's purpose.

The list of smart contract vulnerabilities taken into account during the Jibrel code audit (the review covers these but is not limited to them):

  • Unsafe type inference;
  • Timestamp Dependence;
  • Reentrancy;
  • Implicit visibility level;
  • Gas Limit and Loops;
  • Transaction-Ordering Dependence;
  • Unchecked external call;
  • Unchecked math;
  • DoS with Block Gas Limit;
  • DoS with (unexpected) Throw;
  • Byte array vulnerabilities;
  • Malicious libraries;
  • Style guide violation;
  • ERC20 API violation;
  • Uninitialized state/storage/local variables;
  • Compile version not fixed.

The Blaize team of auditors additionally checks for novel types and variations of attacks, in order to ensure that our client's contracts are protected from all known vulnerabilities. The full list of possible attacks can be found in the SWC Registry.

Blaize was involved in the smart contract security audit of one of Jibrel's upcoming projects, Tranche.finance. Tranche is a decentralized finance protocol that allows users to create different risk profiles from DeFi cash flow. Users can borrow or lend funds, as well as use the loan smart contracts to create new assets with different pay-out schedules.

The smart contract audit along with the code review was needed to ensure the secure operation of the Tranche protocol after its launch on mainnet in Q1 2021.

Smart Contract Security Audit Procedure

Blaize has an established security audit procedure. It includes the following steps:

Comprehensive Security Audit

  • Check that the contract's behaviour corresponds to its documentation;
  • Check against the standard list of vulnerabilities mentioned above;
  • Static analysis by automated tools;
  • Manual code and code quality review;
  • Gas usage analysis;
  • Unit test coverage check;
  • Security analysis report delivery;
  • Post-audit fixes review.

At the beginning of every audit, we evaluate the consistency between the contracts' behaviour and the functionality claimed in the project whitepaper and supporting docs. We also evaluate the contracts' business logic and propose the scope of work for security testing.

We conducted two levels of security testing for the Tranche protocol: first an automated analysis, followed by a manual code review by our blockchain smart contract auditors.

Automated Tools Analysis

  • Automated code analysis implies using different open-source software for bug detection. In the case of the Jibrel smart contract audit, we used Mythril, Solhint, Slither, and Smartdec. We often run several tools in parallel to ensure the best bug verification.
  • Automated testing helped to define which part of the code is responsible for each input execution and showed the places where bugs may occur. The automated analysis was followed by manual verification of all issues reported by the tools.

Manual Code Review

  • Manual code analysis implies a thorough examination of each line of code by an auditor. Manual testing is needed to analyze the previously found vulnerabilities and to check the operational behaviour of the smart contracts in general.
  • Manual code examination is highly recommended for an exploratory check of vulnerabilities hidden not in the code itself, but in the contract logic or architecture. This type of verification relies on the auditor's expertise and experience with complex smart contract systems.

Gas Usage Analysis

  • The full set of Tranche smart contracts was audited. The auditors' team concluded that, as of now, no additional code changes are needed to further optimize gas usage.

Unit Test Coverage

  • During the smart contract security audit, we took the Tranche contracts' unit tests into account and provided an analysis of them.
  • The auditors' team concluded that the tests are implemented in a non-standard way that does not allow classic automated coverage checking. That is why we performed a manual review of the unit test coverage.
  • After this examination we can state that the contracts' unit test coverage is sufficient and that the tests run successfully.

Security Analysis Report

In the end, we provided Jibrel with two reports: the smart contract audit and the technical expertise. The documents contain all detected risks and their possible mitigations, issue and vulnerability details, and recommendations for improvement.

Post-audit Review

The report contained all necessary information about the found vulnerabilities and provided the client with a thorough guideline for their elimination. The client performed all needed improvements and fixed the full list of vulnerabilities according to the auditors' recommendations.

Audit Result

We have scanned this project for common development practices. Here are some of the reviews we conducted (the full list includes these but is not limited to them):

  • General code review
  • Developer tools usage review
  • Test coverage review
  • Storage variables usage analysis
  • Dependency review
  • Gas cost analysis

As a result, no critical issues were found. However, the team found some high-level and medium-level issues during the analysis, as well as some unclear areas in the unit test coverage.

After receiving the report, the client made all needed fixes, and issues of all risk levels were resolved or mitigated. Therefore, according to the above-listed criteria, the overall security of the Tranche.finance smart contract system can be evaluated as Highly Secure, 95 out of 100.
