Smart Contract Security Audit For StarkDeFi’s Liquidity Locker

Score: 9.85/10
Type: DeFi

Overview

In the constantly evolving domain of blockchain technology and DeFi, the necessity to secure and maintain the integrity of smart contracts is more critical than ever. StarkDeFi, a pioneer in the DeFi sector, understood the importance of this challenge and engaged Blaize, a leader in blockchain solutions and security audits, for their expertise.

Recognizing the significant responsibility of safeguarding their platform, StarkDeFi collaborated with Blaize, who are celebrated for their prowess in smart contract auditing, to conduct a thorough examination of their systems. This collaboration aimed not only to validate the functionality of these systems but also to fortify them against potential security threats.

As part of their commitment to security, Blaize undertook a security audit of StarkDeFi’s Liquidity Locker feature, which allows users to lock in liquidity with StarkDeFi. This functionality serves a dual purpose: it enables users to earn rewards and fosters community trust within the expansive networks of StarkNet and Ethereum.

This audit is part of an ongoing relationship between StarkDeFi and Blaize, marked by previous milestones such as an initial smart contract security audit and the development of a backend solution for StarkDeFi’s decentralized exchange. This ongoing partnership underscores both companies’ dedication to advancing security and functionality in the DeFi ecosystem.

Services: Smart Contracts Audit
Technologies: Starknet Cairo

Task

During the auditing process for this project, we checked StarkDeFi’s Liquidity Locker smart contracts for various vulnerabilities. The whole procedure is divided into the following stages:

1) Standard vulnerabilities checklists, including but not limited to:

  • Access Management Hierarchy
  • Math operations
  • Transaction-ordering dependence
  • Public interface constraints
  • Denial-of-Service (DoS) attacks
  • Hidden backdoors
  • Storage issues (uninitialized, unused, etc) and incorrect local variable usage
  • Correctness of functions’ parameters
  • Upgradeability issues

and other potential Cairo vulnerabilities and attack vectors;

2) Business logic decompositions to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;

3) Review of dependencies, integrations, and 3rd parties, verified with appropriate integration tests;

4) Our own internal security checklists, additionally verified during the testing stage. The team focused mainly on verifying the correctness of the implemented lock mechanics, the safety of stored assets, and the management of created locks.

Smart Contract Overview

The part of StarkDeFi’s Liquidity Locker smart contract that we audited.


The StarkDefi Locker Contract is a Cairo-based smart contract designed for the StarkNet ecosystem. It provides a time-based locking mechanism for ERC20 and ERC721 (NFT) tokens. The primary functionality of the contract allows users to deposit tokens into a lock that will only allow withdrawal after a predefined period.

The main focus of the audit was on the locks system: lock creation, funds transfers, safety of locked assets, access management and the roles system, and other related potentially vulnerable areas. That also includes the fee system. The fee system in the StarkDefi Locker contract is a mechanism that charges a fixed fee for using the token locking function.

Features of the fee system:

– Fixed Price: The fee for locking tokens is set as a fixed amount and does not vary with the size of the lock or any other factors.

– Administrative Configuration: Fees are configurable by the contract administrator, who can modify the fee amount through dedicated functions.

– Fee Recipient Address: The contract allows the administrator to set an address where the collected fees are directed.

– Fee Disabling Option: The system offers the ability to disable fee collection.
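As an added illustration (not StarkDeFi’s contract or Blaize’s audit code), the following constructed Python model captures the lock and fee rules described above and the checks an auditor would exercise against them: a fixed fee independent of lock size, admin-only fee configuration, a configurable fee recipient, the fee-disabling switch, and withdrawal gated on the unlock time and the lock owner. All names, the fee-token ledger and the sample values are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Lock:
    owner: str
    token: str
    amount: int       # ERC20 amount; 1 (with the token id) for an ERC721 lock
    unlock_time: int  # withdrawal allowed only at or after this timestamp
    withdrawn: bool = False
class LockerModel:  # constructed model of the rules described on this page, not the real contract
    def __init__(self, admin: str, fee: int, fee_recipient: str):
        self.admin = admin
        self.fee = fee  # fixed fee, independent of lock size
        self.fee_recipient = fee_recipient
        self.fee_enabled = True
        self.locks: list[Lock] = []
        self.balances: dict[str, int] = {}  # constructed fee-token ledger
    def _only_admin(self, caller: str) -> None:
        if caller != self.admin:
            raise PermissionError("caller is not the admin")
    # Administrative configuration: fee amount, fee recipient and on/off switch
    def set_fee(self, caller: str, fee: int) -> None:
        self._only_admin(caller)
        self.fee = fee
    def set_fee_recipient(self, caller: str, recipient: str) -> None:
        self._only_admin(caller)
        self.fee_recipient = recipient
    def set_fee_enabled(self, caller: str, enabled: bool) -> None:
        self._only_admin(caller)
        self.fee_enabled = enabled
    def create_lock(self, caller: str, token: str, amount: int, unlock_time: int, now: int):
        # Collect the fee (if enabled) before recording the lock; returns (lock_id, fee_charged)
        if amount <= 0 or unlock_time <= now:
            raise ValueError("invalid amount or unlock time")
        charged = self.fee if self.fee_enabled else 0
        if self.balances.get(caller, 0) < charged:
            raise ValueError("insufficient balance for the fee")
        if charged:
            self.balances[caller] -= charged
            self.balances[self.fee_recipient] = self.balances.get(self.fee_recipient, 0) + charged
        self.locks.append(Lock(caller, token, amount, unlock_time))
        return len(self.locks) - 1, charged
    def withdraw(self, caller: str, lock_id: int, now: int) -> int:
        # Release only to the owner, only once, and only after unlock_time has passed
        lock = self.locks[lock_id]
        if lock.owner != caller:
            raise PermissionError("caller does not own this lock")
        if lock.withdrawn or now < lock.unlock_time:
            raise ValueError("lock already withdrawn or still active")
        lock.withdrawn = True
        return lock.amount
```

The model is deliberately strict: an early withdrawal, a withdrawal by a non-owner, a double withdrawal and a fee change by a non-admin all raise, which are exactly the cases the audit’s lock-mechanics and access-control checks cover.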

Security Audit Procedure

Our audit processes encompassed manual and testing stages:

Manual Audit Stage

  • Manual line-by-line code review by at least 2 security auditors, with cross-checks and validation from the security lead;
  • Vulnerabilities analysis against several checklists, including internal Blaize.Security checklist;
  • Business logic inspection;
  • Protocol decomposition and components analysis with building interaction schemes and sequence diagrams;
  • Storage usage review and gas optimization review;
  • Math operations and calculations analysis;
  • Access control and roles structure review;
  • Review of dependencies, 3rd parties, and integrations;
  • Review with automated tools and static analysis;
  • Code quality, documentation, and consistency review.

Testing Stage

  • Development of edge cases based on manual stage results;
  • False positives validation;
  • Integration tests for checking connections with 3rd parties;
  • Manual exploratory tests over the locally deployed protocol;
  • Checking the existing set of tests and performing additional unit testing.

Upon completion of the audit, we delivered a comprehensive security audit report to the StarkDeFi team. This report included:

  • Identified risks
  • Potential mitigations
  • Detailed vulnerability assessments
  • Recommendations for improvements

Audit Result

The Blaize Security team conducted the audit of the StarkDefi Locker contract, a key part of the StarkDefi project offering DeFi services on StarkNet. The Cairo contract (for the StarkNet chain) enables user-initiated token locks for both ERC20 and ERC721 tokens and features a fixed fee collection system. Its design includes an upgradeability function that ensures future adaptability, and mechanisms to retrieve tokens sent to the contract by accident. The contract also integrates OpenZeppelin’s secure and tested contracts for Cairo.


StarkDeFi’s overall audit security score stands at an impressive 9.85 out of 10. The contract is well-documented, which facilitates understanding and interaction with its features. However, the auditors note that no native tests were provided for the Locker functionality. Nevertheless, StarkDefi’s proactive stance on addressing audit findings underscores its commitment to providing secure and operational DeFi services. This approach solidifies user confidence and underlines the continuous evolution and maturity of the protocol.

