GoodHut / Goodhut

Creative Commons Zero v1.0 Universal

Nate #80

Open GoodHut opened 1 year ago

GoodHut commented 1 year ago

https://github.com/Bostock133/eagles-dominance

GoodHut commented 1 year ago

# Nabox Security Assessment

## Table of Contents

- Summary
- Overview
  - Project Summary
  - Audit Summary
  - Vulnerability Summary
- Audit Scope
- Findings
  - GLOBAL-01 : Lack of Input Validation
  - LNP-01 : Centralization Risk
  - LNP-02 : Missing emit events
  - LNP-03 : Candy Balance Update Issue
  - LNP-04 : Incompatibility With Deflationary Tokens
  - LNP-05 : Potential Reentrancy Attack
  - LNP-06 : Unchecked Value of ERC-20 transfer() Call
  - LNP-07 : Potential Integer Underflow
  - LNP-08 : Missing Check the Existing Pool
  - LNP-09 : Potential Loss of Pool Rewards
  - NPP-01 : Centralization Risk
  - NPP-02 : Missing emit events
  - NPP-03 : Lack of Input Validation
  - NPP-04 : Candy Balance Update Issue
  - NPP-05 : Incompatibility With Deflationary Tokens
  - NPP-06 : Potential Reentrancy Attack
  - NPP-07 : Unchecked Value of ERC-20 transfer() Call
  - NPP-08 : Arbitrage on reward token
  - NPP-09 : The value of candyPerBlockPerLp
- Appendix
- Disclaimer
- About

## Summary

This report has been prepared for Nabox to discover issues and vulnerabilities in the source code of the Nabox project as well as any contract dependencies that were not part of an officially recognized library. A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques.

The auditing process pays special attention to the following considerations:

- Testing the smart contracts against both common and uncommon attack vectors.
- Assessing the codebase to ensure compliance with current best practices and industry standards.
- Ensuring contract logic meets the specifications and intentions of the client.
- Cross referencing contract structure and implementation against similar smart contracts produced by industry leaders.
- Thorough line-by-line manual review of the entire codebase by industry experts.

The security assessment resulted in findings that ranged from critical to informational. We recommend addressing these findings to ensure a high level of security standards and industry practices. We suggest recommendations that could better serve the project from the security perspective:

- Enhance general coding practices for better structures of source codes;
- Add enough unit tests to cover the possible use cases;
- Provide more comments per each function for readability, especially contracts that are verified in public;
- Provide more transparency on privileged activities once the protocol is live.

## Overview

### Project Summary

| Field | Value |
| --- | --- |
| Project Name | Nabox |
| Platform | ethereum |
| Language | Solidity |
| Codebase | https://github.com/naboxwallet/contracts/tree/main |
| Commit | 28be1df5cc1c6f72c286e18d847a4414c0f5d3b3, b021e26adc4ceb8f4e8682558224445b088c1d4d |

### Audit Summary

| Field | Value |
| --- | --- |
| Delivery Date | Dec 03, 2021 |
| Audit Methodology | Static Analysis, Manual Review |
| Key Components | |

### Vulnerability Summary

| Vulnerability Level | Total | Pending | Declined | Acknowledged | Partially Resolved | Resolved |
| --- | --- | --- | --- | --- | --- | --- |
| Critical | 1 | 0 | 0 | 0 | 1 | 0 |
| Major | 3 | 0 | 0 | 2 | 0 | 1 |
| Medium | 1 | 0 | 0 | 1 | 0 | 0 |
| Minor | 8 | 0 | 0 | 3 | 0 | 5 |
| Informational | 6 | 0 | 0 | 4 | 0 | 2 |
| Discussion | 0 | 0 | 0 | 0 | 0 | 0 |

## Audit Scope

| ID | File | SHA256 Checksum |
| --- | --- | --- |
| LNP | LockedNaboxPool.sol | 9e7ba6d58a2625f7572325d17a2bca053b6a603bffe7dba7f97074eddd9612ea |
| NPP | NaboxPool.sol | c21f1c102665ab5300c6e4f01b921fbd58ab3178a6a6bf831b3ad511072fa72a |

## Findings

19 Total Issues: Critical 1 (5.26%), Major 3 (15.79%), Medium 1 (5.26%), Minor 8 (42.11%), Informational 6 (31.58%), Discussion 0 (0.00%)

| ID | Title | Category | Severity | Status |
| --- | --- | --- | --- | --- |
| GLOBAL-01 | Lack of Input Validation | Volatile Code | Minor | Resolved |
| LNP-01 | Centralization Risk | Centralization / Privilege | Major | Acknowledged |
| LNP-02 | Missing emit events | Coding Style | Informational | Resolved |
| LNP-03 | Candy Balance Update Issue | Logical Issue | Informational | Acknowledged |
| LNP-04 | Incompatibility With Deflationary Tokens | Volatile Code | Minor | Acknowledged |
| LNP-05 | Potential Reentrancy Attack | Logical Issue | Minor | Resolved |
| LNP-06 | Unchecked Value of ERC-20 transfer() Call | Volatile Code | Minor | Resolved |
| LNP-07 | Potential Integer Underflow | Mathematical Operations | Major | Resolved |
| LNP-08 | Missing Check the Existing Pool | Logical Issue | Informational | Acknowledged |
| LNP-09 | Potential Loss of Pool Rewards | Logical Issue | Medium | Acknowledged |
| NPP-01 | Centralization Risk | Centralization / Privilege | Major | Acknowledged |
| NPP-02 | Missing emit events | Coding Style | Informational | Resolved |
| NPP-03 | Lack of Input Validation | Volatile Code | Minor | Acknowledged |
| NPP-04 | Candy Balance Update Issue | Logical Issue | Informational | Acknowledged |
| NPP-05 | Incompatibility With Deflationary Tokens | Volatile Code | Minor | Acknowledged |
| NPP-06 | Potential Reentrancy Attack | Logical Issue | Minor | Resolved |
| NPP-07 | Unchecked Value of ERC-20 transfer() Call | Volatile Code | Minor | Resolved |
| NPP-08 | Arbitrage on reward token | Logical Issue | Critical | Partially Resolved |
| NPP-09 | The value of candyPerBlockPerLp | Volatile Code | Informational | Acknowledged |

### GLOBAL-01 | Lack of Input Validation

| Category | Severity | Location | Status |
| --- | --- | --- | --- |
| Volatile Code | Minor | Global | Resolved |

**Description**

The given input parameter `_pid` should be checked to avoid index overflow.

**Recommendation**

Consider adding a check for `_pid`, as below:

```solidity
require(_pid < poolInfo.length, "invalid pool id");
```

**Alleviation**

The development team heeded our advice and resolved this issue in commit b021e26adc4ceb8f4e8682558224445b088c1d4d.
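The `_pid` bound check from GLOBAL-01 shown in context, as an added illustration that is neither the Nabox project's code nor the auditor's. The contract name, the `PoolInfo` fields, the `userAmount` mapping and the `add`/`deposit` function names are assumptions made for the demo; the only thing taken from the report is the `require` line itself.

```solidity
// SPDX-License-Identifier: CC0-1.0
pragma solidity ^0.8.0;

// Added illustration, not Nabox code: a minimal MasterChef-style pool
// registry showing the _pid bound check recommended in GLOBAL-01.
// PoolInfo fields, the mapping and the function names are assumed.
contract PoolIdCheckExample {
    struct PoolInfo {
        address lpToken;    // token staked into this pool (assumed field)
        uint256 allocPoint; // reward weight of the pool (assumed field)
    }

    PoolInfo[] public poolInfo;
    // amount staked per pool id per user (assumed layout)
    mapping(uint256 => mapping(address => uint256)) public userAmount;

    function add(address _lpToken, uint256 _allocPoint) external {
        poolInfo.push(PoolInfo({lpToken: _lpToken, allocPoint: _allocPoint}));
    }

    function poolLength() external view returns (uint256) {
        return poolInfo.length;
    }

    // Before: relies on the array access itself to catch a bad _pid.
    // On Solidity >= 0.8 an out-of-range index reverts with Panic(0x32)
    // and no reason string; on older compilers it hits an invalid opcode
    // and burns all remaining gas. Callers and off-chain tooling cannot
    // tell this failure apart from any other panic.
    function depositUnchecked(uint256 _pid, uint256 _amount) external {
        PoolInfo storage pool = poolInfo[_pid];
        require(pool.allocPoint > 0, "pool disabled");
        userAmount[_pid][msg.sender] += _amount;
    }

    // After: the explicit check the audit recommends, so an invalid pool
    // id is rejected up front with a clear reason string.
    function deposit(uint256 _pid, uint256 _amount) external {
        require(_pid < poolInfo.length, "invalid pool id");
        PoolInfo storage pool = poolInfo[_pid];
        require(pool.allocPoint > 0, "pool disabled");
        userAmount[_pid][msg.sender] += _amount;
    }
}
```

The demo deliberately omits the token transfer so the difference between the two entry points is only the guard. The same check belongs on every function that takes a `_pid` (deposit, withdraw, view helpers); putting it in a modifier keeps it consistent. It matters even more where pool data lives in a `mapping` rather than an array, because a mapping lookup with an unknown key does not revert at all and silently returns a zeroed struct.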