Smart Contract Security Audit For Private Pools Network

Smart Contract Security for DeFi: Ensuring Safe Integrations

Score: 9.9 /10
Ecosystem:
Type: DeFi Smart Contracts Audit

Overview

Private Pools Network is a protocol developing innovative solutions for liquidity providers, allowing them to capitalize on market volatility to achieve stable, long-term returns with enhanced security.

PrivatePools Network extends its protocol by introducing two new smart contracts: Zapper and RewardsCompounder. Both contracts act as routers: users exchange their tokens through the 1Inch or 0x protocols and join a pool with the exchanged tokens in a single transaction.

Zapper is a smart contract that allows users to join a pool with a given asset. Users specify the pool, the list of pool assets to join with, and the source token and its amount. The core functions, zap1inch() and zap0x(), exchange the source token into several destination tokens using either 1Inch or 0x and then join the specified Private Pools pool. Upon zapping, the contract takes a fee for its service.

RewardsCompounder is a smart contract for compounding reward assets into several pool assets and joining a weighted pool. The core functions, compound1inch() and compound0x(), allow the msg.sender to specify a list of reward tokens, which are exchanged into destination tokens (using either 1Inch or 0x) and used to join the weighted pool.
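To make the zap flow above concrete, here is an added illustrative Solidity sketch (not the Private Pools Network code) of a router that takes a fee on the source token, swaps through a fixed aggregator address with user-supplied calldata, measures what was actually received, enforces a per-token minimum output, and only then joins the pool. The IERC20, IPoolVault and joinPool names are assumptions, and the checks shown (length validation, balance deltas, slippage floor, approval reset, leftover refund) are the kind of funds-flow controls an audit of such a router looks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interfaces (not the project's real ABI). Tokens are assumed
// to return bool; non-standard tokens would need a SafeERC20-style wrapper.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}
interface IPoolVault {
    function joinPool(bytes32 poolId, address recipient, address[] calldata assets, uint256[] calldata amounts) external;
}

contract ZapperExample {
    uint256 public constant FEE_BPS = 50;     // 0.5% fee taken on the source amount (assumed value)
    address public immutable aggregator;      // trusted 1inch/0x router, fixed at deployment
    IPoolVault public immutable vault;
    address public immutable feeCollector;
    bool private locked;                      // minimal reentrancy guard

    constructor(address _aggregator, IPoolVault _vault, address _feeCollector) {
        aggregator = _aggregator; vault = _vault; feeCollector = _feeCollector;
    }
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    function zap(bytes32 poolId, address srcToken, uint256 srcAmount, address[] calldata dstTokens,
                 uint256[] calldata minOut, bytes[] calldata swapData) external nonReentrant {
        require(dstTokens.length == minOut.length && dstTokens.length == swapData.length, "length mismatch");
        require(IERC20(srcToken).transferFrom(msg.sender, address(this), srcAmount), "transferFrom failed");
        uint256 fee = srcAmount * FEE_BPS / 10_000;              // fee is charged before swapping
        require(IERC20(srcToken).transfer(feeCollector, fee), "fee transfer failed");
        require(IERC20(srcToken).approve(aggregator, srcAmount - fee), "approve failed");
        uint256[] memory received = new uint256[](dstTokens.length);
        for (uint256 i = 0; i < dstTokens.length; i++) {
            uint256 before = IERC20(dstTokens[i]).balanceOf(address(this));
            (bool ok, ) = aggregator.call(swapData[i]);          // calldata built off-chain for the fixed router
            require(ok, "swap failed");
            received[i] = IERC20(dstTokens[i]).balanceOf(address(this)) - before; // trust balances, not calldata
            require(received[i] >= minOut[i], "slippage");       // user-chosen floor bounds price manipulation
            require(IERC20(dstTokens[i]).approve(address(vault), received[i]), "approve failed");
        }
        require(IERC20(srcToken).approve(aggregator, 0), "approve reset failed"); // no standing allowance
        vault.joinPool(poolId, msg.sender, dstTokens, received);  // LP position goes to the caller
        uint256 leftover = IERC20(srcToken).balanceOf(address(this));
        if (leftover > 0) require(IERC20(srcToken).transfer(msg.sender, leftover), "refund failed");
    }
}
```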

Technologies: Solidity

Task

During the auditing process for this project, we checked PrivatePools Network smart contracts for various vulnerabilities. The whole procedure is divided into the following stages:

1) Standard vulnerabilities checklists, including but not limited to:

  • Storage structure and data modification flow
  • Access control structure, roles existing in the system
  • Public interface and restrictions based on the roles system
  • Denial-of-Service (DoS) attacks
  • Entropy illusion (Lack of randomness)
  • Order-dependency and time-dependency of operations
  • Validation of function parameters, inputs validation
  • Asset management, funds flow and asset conversions
  • Asset Security (backdoors connected to underlying assets)
  • Signature replay and multisig schemes security
  • Incorrect minting, initial supply or other conditions for assets issuance
  • General code structure checks and correspondence to best practices
  • Upgradeability issues

and other potential Solidity vulnerabilities and attack vectors;

2) Business logic decompositions to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;

3) Review of dependencies, integrations, and 3rd parties, verified with appropriate integration tests;

4) Other aspects that may introduce risk, covered by our own internal security checklists and additionally verified during the testing stage.

Interaction Flow

The part of the protocol we audited

Interaction Flow Image

During the audit, we examined the security of the smart contracts for the Private Pools Network zapper protocol. Our task was to identify and describe any security issues within the platform’s smart contracts. Blaize.Security conducted an in-depth audit of the Private Pools Network smart contracts. The audited code implements the Zapper and RewardsCompounder contracts, built on top of the 1Inch and 0x exchanges and the PrivatePool Vault.

Security Audit Procedure

Blaize.Security auditors start the audit by developing an auditing strategy - an individual plan in which the team defines the methods, techniques, and approaches for the audited components. That includes the following list of activities:

Manual Audit Stage

  • Manual line-by-line code review by at least 2 security auditors, with cross-checks and validation by the security lead;
  • Protocol decomposition and components analysis with building an interaction scheme, depicting internal flows between the components and sequence diagrams;
  • Business logic inspection for potential loopholes, deadlocks, backdoors;
  • Math operations and calculations analysis, formula modeling;
  • Access control review, roles structure, analysis of user and admin capabilities and behavior;
  • Review of dependencies, 3rd parties, and integrations;
  • Review with automated tools and static analysis;
  • Vulnerabilities analysis against several checklists, including the internal Blaize.Security checklist;
  • Storage usage review;
  • Gas (or tx weight or cross-contract calls or another analog) optimization;
  • Code quality, documentation, and consistency review.

Testing Stage

  • Development of edge cases based on manual stage results for false positives validation;
  • Integration tests for checking connections with 3rd parties;
  • Manual exploratory tests over the locally deployed protocol;
  • Checking the existing set of tests and performing additional unit testing;
  • Fuzzy and mutation tests (by request or necessity);
  • End-to-end testing of complex systems.

Upon completion of the audit, we delivered a comprehensive security audit report to the Private Pools Network team. This report included:

  • Identified risks
  • Potential mitigations
  • Detailed vulnerability assessments
  • Recommendations for improvements

Audit Result

The security team focused mainly on the integration of 3rd-party protocols and the Vault, as the protocol’s main purpose is to exchange tokens and add liquidity to the Vault. Auditors verified the integrity of the swap flow, the security of funds, and the Vault integration. The Private Pools Network team resolved or verified all of the issues.

Audit Result Image

The security team currently evaluates the project as Secure. The code is well-written and integrates the exchanges and the Vault correctly. During the audit, the security team verified the protocol’s integrations and the safety of funds exchanged through the smart contracts.

