Securing DAO infrastructure is a complex activity requiring deep expertise and hard work. Hacken’s cooperation with Hedgey proves our experience securing DAO infrastructure builders.
Hedgey is the DAO infrastructure builder. The project creates financial solutions for DAO treasuries to help them diversify assets, alleviate contributor sell pressure, and partner with other teams through DAO-to-DAO swaps. Hedgey develops protocols for DAOs to execute specific token operations from their treasury. Namely, Hedgey develops smart contracts to simplify these interactions and creates UIs and dApps for easy interfacing with the protocols, as well as detailed documentation for direct interaction with its smart contracts through any multi-sig or other DAO governance protocols.
The products developed by Hedgey streamline token operations for treasuries such as DAO-to-DAO token swaps, locked token sales, distribution to investors, and locked token compensation for stakeholders.
Hedgey & Hacken
Cybersecurity in Hedgey before reaching Hacken
Hedgey has not been involved in any cybersecurity incidents since its launch in June 2021. Before reaching Hacken in November 2021, Hedgey had not cooperated with any security vendor thereby relying solely on the expertise of its own security staff.
Initial contact with Hacken
Hedgey team reached Hacken in the middle of November 2021 with the audit request. At that time, the guys were in a timeline crunch and thereby demanded not only a high-quality but also a very time-efficient service.
First smart contract audit of Hedgey
1 week following the initial contact, our team started the first audit for Hedgey covering trading tools. As a result of the audit, we detected 1 high, 4 medium, and 7 low severity issues. After the second review, there remained 1 medium and 3 low severity flaws.
Based on the recommendations provided by Hacken, the Hedgey team addressed the syntax error and the lock Ether bugs attributable to the two contracts: HedgeyCeloCalls.sol and HedgeyCeloPuts.sol. These contracts had a payable function but did not have a withdrawal capacity. During this first contact, the client demonstrated a high level of accountability by paying attention to all suggestions shared by Hacken.
Between 7 and 27 January 2022, our specialists performed the second audit for Hedgey covering the ERC721 token and the Exchange. As a result of the audit, we found 1 medium and 2 low-severity issues. After the second review, there remained only 1 medium-severity flaw.
The medium issue was attributable to no tests provided. Generally, all non-trivial contracts should be covered with tests. The main logic contracts coverage should equal 100%.
The third audit of Hedgey was done in March 2022 and covered the ERC721 token and OTC exchange contracts. Our specialists found 1 medium and 9 low severity issues. Since the customer did not provide functional and technical requirements and its code and architecture quality required major improvements, the final audit score given to Hedgey was 6.6 out of 10.
The medium severity issue was attributable to the use of “transfer()” function to send ether to the address. Instead, Hedgey should have used the “to.transfer(_amt)” construction.
Within 10 days following the third audit, the client managed to fix all issues except 1 low severity flaw as well as provided technical and functional requirements, and improved the code and architecture quality subject to the guidelines shared by Hacken.
The fourth audit of Hedgey was performed in July 2022 and covered the ETC721 token. This audit revealed major issues attributable to access control and authorization, block values as a proxy for time, environment consistency, and test coverage.
Our specialists detected 3 high severity issues including funds lock and access control violation. In the former case, the contract accepted the native coins but there was no possibility to withdraw them. In the latter case, the “updateBaseURI” function was not protected and could be callable by anyone. Also, we detected requirements violations. The medium severity bug was attributable to failing tests.
Hedgey’s specialists followed all recommendations provided by Hacken and after the third review, there were no issues left in the contract, and all bugs were fixed.
The last audit of Hedgey took place in September 2022 and covered the swap functionality. Hedgey’s Swap got the highest possible audit score – 10 out of 10. Our specialists detected only 1 minor low-severity flaw. Namely, the contract used block value “block.timestamp” as a proxy for time calculations although it would be safer to use oracles to this end.
Hedgey’s attitude to the workflow
The Hedgey’s representatives who have been interacting with Hacken demonstrate an extremely high level of responsibility. They consider all feedback shared by our engineers and timely introduce fixes to eliminate security flaws found in smart contracts. The great indicators of the effective workflow established between Hedgey and Hacken are the 4th and 5th audits during which Hedgey’s team managed to get the highest security score.
Thus, through cooperation with Hacken, Hedgey’s specialists have gained valuable expertise and knowledge on how to build secure products for end-users. We are pleased to note that Hedgey’s attitude to the workflow allows us to call this project an “ideal client”.
Cybersecurity demands of DAO infrastructure projects
Hedgey’s decision to work with the cybersecurity vendor is the indicator of demand for building secure infrastructure from the side of DAOs. The audits performed by Hacken for Hedgey reveal just some of the security flaws affecting DAOs.
The main challenge experienced by the majority of DAOs is the failure to secure the code underlying their smart contract systems before and after they go online. DAOs are concerned about securing their ecosystems against flash loan attacks during which bad actors obtain unsecured loans from a third party and buy a huge volume of tokens to benefit from the rising prices. A deeper problem is the use of flash loans by bad actors to obtain voting power in DAOs through which they can drain funds into their wallets.
DAOs are also vulnerable to issues in their governance rules resulting in bad actors obtaining sensitive information. DAOs should also focus on preventing access control issues and ensuring that all requirements are properly followed at the phase of execution. DAOs also need to have algorithms in place to prevent themselves from collapsing in case a bad actor unethically assumes the majority voting power. DAOs need to be resilient to both external and insider threats. And the fundamental requirement put by the stakeholders to DAOs is transparency. Only by setting and following transparency rules DAOs win users’ trust.
Securing DAO infrastructure is a complex activity requiring deep expertise and hard work. We are pleased to note that cooperation with Hedgey is a great lesson for us on how to make DAO infrastructure a secure place for crypto industry development.
Want to improve your security?
share via social
Subscribe to our research
Enter your email address to subscribe to Hacken Reseach and receive
notifications of new posts by email
Soul Society, a Web3 social service and our latest client, has recently embraced the innovative concept of Growth-Type Soul-Bound Tokens (SBTs). These tokens are a unique blend of technology and user engagement, allowing people to participate in various activities and acquire rewards and SBTs that define their digital identities. Each user can own multiple SBTs,