Our client SingularityDAO (SDAO) is a decentralized Portfolio Management Protocol with a mission of redefining crypto asset management. The protocol has a vision of an ecosystem where anybody can safely and easily manage crypto assets. Their motto is “Smart money, on-chain,” and they seek to provide superior risk management and analytics tools.
The core offerings of SingularityDAO are these five products:
For our client SingularityDAO, decentralization is the top priority. They aim to create a decentralized experience, and most of their functions support the goal. They are not afraid to experiment with contracts’ functionality to devise the best way to achieve reliable and scalable decentralization. Hence, the need to ensure the utmost security of their implementations.
We’ve been providing Web3 cybersecurity services to SingularityDAO for almost two years now. The first deal was back in early 2021. Over the course of 2 years, Hacken provided a range of penetration testing services and smart contract audits:
We started really small and expanded the range of services. At first, SingularityDAO requested cybersecurity assessments. Eventually, they started entrusting us with more complex and crucial contracts, such as contracts for the LP tokens system and airdrop. We moved to core contracts by delivering high-quality audits and earning SingularityDAO’s trust.
“Hacken provided in-depth security audits for SingularityDAO and our users. They never compromise on high-security standards and they provide highly professional service with great attention to detail. They always provide timely responses, even during stressful times.” Antonie Roche, PM at SingularityDAO
Earning the trust of someone like SingularityDAO is not a small feat since they are keeping their standards unapologetically high.
SingularityDAO requested Hacken’s services because they wanted to ensure the reliability and security of the core functionality that enables decentralization.
SDAO is a major project with more than $18 million in market cap. Its large community has strict speed expectations. At Hacken, we pay attention to the environment in which our clients operate. For that reason, we offered a priority queue, which has been quite beneficial to our client. Sridhar Kolapalli, SingularityDAO’s CTO with 19+ years of professional experience, revealed that the priority queue was definitely a huge plus when SingularityDAO selected Hacken among the multiple vendors they had shortlisted.
We have reviewed a large number of SingularityDAO’s smart contracts. In all cases, we assessed them as well-secured because SingularityDAO fixed all found bugs. Let’s review some of the most interesting weaknesses we have detected.
Critical issues are usually straightforward to exploit and can lead to asset loss or data manipulation. SingularityDAO’s track record has been near perfect. The only time we came across critical issues was during the audit of the most complex contracts in DynasetForge for the LP tokens system. That audit alone included 24 contracts. We found a Denial of Service vulnerability in getPrice(). The flawed logic hindered the normal functioning of price oracles: the value condition always returned false, and the contract could update prices from fallback oracles. We left our recommendations, and the client quickly fixed the issues in the next commit.
High-severity issues are difficult to exploit but significantly impact smart contract execution. They have been extremely rare in SingularityDAO audits. The most notable case was insecure oracle usage in UsdcOracle. It was impossible to pause oracles, which could lead to an attack if the oracle got compromised. After our recommendation, the client added the ability to pause oracles and fixed the issue.
Throughout the years, we found only four medium vulnerabilities. For perspective, medium-level vulnerabilities cannot lead to asset loss or data manipulation but are important to fix. The ForgeV1 contract changed state variables after external calls, which could lead to reentrancy and race conditions. We recommended implementing the code according to the Checks-Effects-Interactions pattern or using a non-reentrant modifier. The client fixed the issue.
Low-level vulnerabilities are mostly related to outdated or unused code snippets that cannot significantly impact execution. In SingularityDAO’s case, low-level issues were: boolean equality, misleading variable names, redundant functionality and imports, never-used libraries, outdated and floating pragma, etc. Hacken’s remediation check confirmed that SingularityDAO fixed or mitigated them.
Both companies clearly understand that nothing can be taken for granted. So how do we improve ourselves?
At Hacken, we are avid supporters of continuous improvement. Therefore, we actively gather feedback from our clients. In this case, the team of SingularityDAO was kind enough to suggest several enhancement points to improve our services. Firstly, there might have been some “unnecessary back and forth at the remediation stage.” While the initial audit was timely, remediation may have taken longer than expected. We actively review our processes to make remediations more to the point without losing quality. Secondly, all communication was centralized, which may have affected the ease of interaction between teams. When the scope of cybersecurity services is so complex, it’s more sensible to use dedicated communication channels for each problem.
Furthermore, Hacken should collaborate closely with clients to stay on the same page regarding significant changes to audit methodology.
On their side, the SingularityDAO team is working on enhancing the process of setting audit requirements. Their CTO Sridhar Kolapalli told us they put much effort into creating standardized audit requirements. In particular, SingularityDAO adopted a practice of preparing detailed functional audit requirements, including complete information about the contract, link, commit, list of contracts, tests, and extensive technical description of the contract.
SingularityDAO is also very attentive to Hacken’s auditors’ feedback. We worked with many contracts and dependencies on a one-by-one basis. At some point, we realized that applying a whole-system approach is better. Therefore, we suggested checking the whole repository to account for the dependencies. SingularityDAO understood why it was essential and agreed to our suggestion. Another suggestion from us related to an environment for smart contract development. The client has traditionally relied on Truffle Suite but also considered the benefits of the Hardhat tooling.
Being on the same page with the client regarding requirements, community expectations, delivery times, communication, and developing frameworks is paramount for fruitful cooperation. In less than two years, Hacken and SingularityDAO have achieved a lot. At Hacken, we expanded and established ourselves as a leading auditor and strengthened the state of Web3 cybersecurity. On their side, SingularityDAO stayed true to their original promise and accomplished the decentralization of two of their DynaSets. We are improving our processes and standards together. And we are delighted to know that there is much more to come.