The audit report summarizes an audit of the smart contracts for Strips Finance. The auditors identified 6 issues total, including 1 high severity vulnerability allowing improved logic, 3 medium severity issues around reentrancy, price calculations and admin keys, and 1 low severity possible reentrancy. The report provides detailed descriptions of each issue and their statuses.
PROCESS ENGINEERING AND AI SALES PREDICTION: THE CASE STUDY OF AN ITALIAN SMA...IJDKP
The paper describes the case study of a production process engineering applied to a company working in the textile sector and upgraded by digital technologies. The process engineering is performed by means the Business Process Modelling Notation (BPMN) approach. The new engineered processes are enabled by adopting a software platform able to extract data from work documents using a Robotic Process Automation (RPA) technology based on digital document features recognition. The implemented platform also integrates a Decision Support System (DSS) based on the estimation of priority rules and of Key Performance Indicators (KPIs) supporting subcontractor’s management and related activities. Furthermore, the DSS integrates sales forecasting Artificial Intelligence (AI) algorithms. A comparative analysis about regression-based algorithms and Artificial Neural Network (ANN) Multilayer Perceptron (MLP), is performed to check the best algorithm performance about the product quantity prediction in function of the price, finding ANN-MLP as a good candidate for the estimation. The ANN-MLP model is optimized to provide sales forecasting results with a low Mean Absolute Error (MAE) of 0, 00113. All the analysed algorithms are applied to an experimental dataset. The results have been developed within the framework of a Ministerial Italian project named Smart District 4.0 (SD 4.0).
For more course tutorials visit
uophelp.com is now newtonhelp.com
www.newtonhelp.com
A trial of adjustments is the examination of the general record. For example an evaluator could get demonstrate by sending a customer an insistence that they owe a receivable. The evaluator will use the data collected from these tests to perceive survey issues
This Tutorial contains 3 Set of Finals
For more classes visit
www.snaptutorial.com
This Tutorial contains 3 Set of Finals
Question 1 SIP is a ___________ protocol used to support real-time communications.
Question 2 What name is given to a U.S. federal law that requires U.S. government agencies to protect citizens’ private data and have proper security controls in place?
Question 3 This security appliance examines IP data streams for common attack and malicious intent patterns.
PROCESS ENGINEERING AND AI SALES PREDICTION: THE CASE STUDY OF AN ITALIAN SMA...IJDKP
The paper describes the case study of a production process engineering applied to a company working in the textile sector and upgraded by digital technologies. The process engineering is performed by means the Business Process Modelling Notation (BPMN) approach. The new engineered processes are enabled by adopting a software platform able to extract data from work documents using a Robotic Process Automation (RPA) technology based on digital document features recognition. The implemented platform also integrates a Decision Support System (DSS) based on the estimation of priority rules and of Key Performance Indicators (KPIs) supporting subcontractor’s management and related activities. Furthermore, the DSS integrates sales forecasting Artificial Intelligence (AI) algorithms. A comparative analysis about regression-based algorithms and Artificial Neural Network (ANN) Multilayer Perceptron (MLP), is performed to check the best algorithm performance about the product quantity prediction in function of the price, finding ANN-MLP as a good candidate for the estimation. The ANN-MLP model is optimized to provide sales forecasting results with a low Mean Absolute Error (MAE) of 0, 00113. All the analysed algorithms are applied to an experimental dataset. The results have been developed within the framework of a Ministerial Italian project named Smart District 4.0 (SD 4.0).
For more course tutorials visit
uophelp.com is now newtonhelp.com
www.newtonhelp.com
A trial of adjustments is the examination of the general record. For example an evaluator could get demonstrate by sending a customer an insistence that they owe a receivable. The evaluator will use the data collected from these tests to perceive survey issues
This Tutorial contains 3 Set of Finals
For more classes visit
www.snaptutorial.com
This Tutorial contains 3 Set of Finals
Question 1 SIP is a ___________ protocol used to support real-time communications.
Question 2 What name is given to a U.S. federal law that requires U.S. government agencies to protect citizens’ private data and have proper security controls in place?
Question 3 This security appliance examines IP data streams for common attack and malicious intent patterns.
We're very thrilled to announce 🚨
🛡 We have successfully completed our #securityaudit with #hacksafe
Browse full audit report : https://hacksafe.io/blockchain-land-token/
🌐 https://blockchain.land
#Metaverse #blockchainland #VR #AR #cryptocurrency #blockchain
TierPoint White Paper_With all due diligence_2015sllongo3
Understanding true security capabilities in the cloud environment is an important part of the evaluation process of a prospective provider. This guide will help you understand what needs investigating before turning your data over to the cloud.
Security Architecture for Cyber Physical SystemsAlan Tatourian
Slides I presented at the Automotive Cybersecurity conference at Detroit on Friday. The main message is captured in the last bullet in the Summary: We do not know how to build 100% reliable systems, we only know how to manage risk – your system will fail and you have to build for failure. This was one of the first lessons I was taught when I worked in the aerospace.
Auditoría de TrueCrypt: Informe final fase IIChema Alonso
Informe con los resultados de la fase II del proceso de auditoría del software de cifrado de TrueCrypt que buscaba bugs y posibles puertas traseras en el código.
A Statistical Approach to Resolve Conflicting Requirements in Pervasive Compu...Osama M. Khaled
Pervasive computing systems are complex and challenging. In this research, our aim is to build a robust reference architecture for pervasive computing derived from real business needs and based on process re-engineering practices. We derived requirements from different sources grouped by selected quality features and worked on refining them by identifying the conflicts among these requirements, and by introducing solutions for them. We checked the consistency of these solutions across all the requirements. We built a mathematical model that describes the degrees of consistency with the requirements model and showed that they are normally distributed within that scope.
Full paper:
https://www.researchgate.net/publication/316582796_A_Statistical_Approach_to_Resolve_Conflicting_Requirements_in_Pervasive_Computing_Systems?_iepl%5BviewId%5D=GYzOmb1HA01ScDf1IJ1T8eif&_iepl%5BprofilePublicationItemVariant%5D=default&_iepl%5Bcontexts%5D%5B0%5D=prfpi&_iepl%5BtargetEntityId%5D=PB%3A316582796&_iepl%5BinteractionType%5D=publicationTitle
Citation
Osama M. Khaled, Hoda M. Hosny, Mohamed Shalan (2017). A Statistical Approach to resolve conflicting requirements in pervasive computing systems. The 12th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2017), Porto, Portugal, 28-29 April 2017.
Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...ijcisjournal
The paper proposes a method based on different security-related factors to dynamically calculate the validity period of digital certificates. Currently validity periods are most often defined statically without scientific justification. This approach is not sufficient to objectively consider the actual need for security. Therefore the approach proposed in this paper considers relevant security criteria in order to calculate a meaningful validity period for digital certificates. This kind of security assessment can be executed periodically in order to dynamically respond to changing conditions. Especially in the context of complex systems and infrastructures that have an increased need for security, privacy and availability this issue is highly relevant.
We're very thrilled to announce 🚨
🛡 We have successfully completed our #securityaudit with #hacksafe
Browse full audit report : https://hacksafe.io/blockchain-land-token/
🌐 https://blockchain.land
#Metaverse #blockchainland #VR #AR #cryptocurrency #blockchain
TierPoint White Paper_With all due diligence_2015sllongo3
Understanding true security capabilities in the cloud environment is an important part of the evaluation process of a prospective provider. This guide will help you understand what needs investigating before turning your data over to the cloud.
Security Architecture for Cyber Physical SystemsAlan Tatourian
Slides I presented at the Automotive Cybersecurity conference at Detroit on Friday. The main message is captured in the last bullet in the Summary: We do not know how to build 100% reliable systems, we only know how to manage risk – your system will fail and you have to build for failure. This was one of the first lessons I was taught when I worked in the aerospace.
Auditoría de TrueCrypt: Informe final fase IIChema Alonso
Informe con los resultados de la fase II del proceso de auditoría del software de cifrado de TrueCrypt que buscaba bugs y posibles puertas traseras en el código.
A Statistical Approach to Resolve Conflicting Requirements in Pervasive Compu...Osama M. Khaled
Pervasive computing systems are complex and challenging. In this research, our aim is to build a robust reference architecture for pervasive computing derived from real business needs and based on process re-engineering practices. We derived requirements from different sources grouped by selected quality features and worked on refining them by identifying the conflicts among these requirements, and by introducing solutions for them. We checked the consistency of these solutions across all the requirements. We built a mathematical model that describes the degrees of consistency with the requirements model and showed that they are normally distributed within that scope.
Full paper:
https://www.researchgate.net/publication/316582796_A_Statistical_Approach_to_Resolve_Conflicting_Requirements_in_Pervasive_Computing_Systems?_iepl%5BviewId%5D=GYzOmb1HA01ScDf1IJ1T8eif&_iepl%5BprofilePublicationItemVariant%5D=default&_iepl%5Bcontexts%5D%5B0%5D=prfpi&_iepl%5BtargetEntityId%5D=PB%3A316582796&_iepl%5BinteractionType%5D=publicationTitle
Citation
Osama M. Khaled, Hoda M. Hosny, Mohamed Shalan (2017). A Statistical Approach to resolve conflicting requirements in pervasive computing systems. The 12th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2017), Porto, Portugal, 28-29 April 2017.
Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...ijcisjournal
The paper proposes a method based on different security-related factors to dynamically calculate the validity period of digital certificates. Currently validity periods are most often defined statically without scientific justification. This approach is not sufficient to objectively consider the actual need for security. Therefore the approach proposed in this paper considers relevant security criteria in order to calculate a meaningful validity period for digital certificates. This kind of security assessment can be executed periodically in order to dynamically respond to changing conditions. Especially in the context of complex systems and infrastructures that have an increased need for security, privacy and availability this issue is highly relevant.
This comprehensive risk report provides a detailed analysis of potential risks and vulnerabilities within a company that conducts self-audits. Offering insights into both operational and financial aspects, the report identifies areas of concern, outlines risk mitigation strategies, and aims to enhance transparency and governance within the organization. By proactively addressing risks, the company demonstrates its commitment to effective self-regulation and sound business practices.
Similar to Peck shield audit-report-strips-1.0-for_medium (20)
Water billing management system project report.pdfKamal Acharya
Our project entitled “Water Billing Management System” aims is to generate Water bill with all the charges and penalty. Manual system that is employed is extremely laborious and quite inadequate. It only makes the process more difficult and hard.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board like generating monthly Water bill, record of consuming unit of water, store record of the customer and previous unpaid record.
We used HTML/PHP as front end and MYSQL as back end for developing our project. HTML is primarily a visual design environment. We can create a android application by designing the form and that make up the user interface. Adding android application code to the form and the objects such as buttons and text boxes on them and adding any required support code in additional modular.
MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software. It is a stable ,reliable and the powerful solution with the advanced features and advantages which are as follows: Data Security.MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software.
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
Online aptitude test management system project report.pdfKamal Acharya
The purpose of on-line aptitude test system is to take online test in an efficient manner and no time wasting for checking the paper. The main objective of on-line aptitude test system is to efficiently evaluate the candidate thoroughly through a fully automated system that not only saves lot of time but also gives fast results. For students they give papers according to their convenience and time and there is no need of using extra thing like paper, pen etc. This can be used in educational institutions as well as in corporate world. Can be used anywhere any time as it is a web based application (user Location doesn’t matter). No restriction that examiner has to be present when the candidate takes the test.
Every time when lecturers/professors need to conduct examinations they have to sit down think about the questions and then create a whole new set of questions for each and every exam. In some cases the professor may want to give an open book online exam that is the student can take the exam any time anywhere, but the student might have to answer the questions in a limited time period. The professor may want to change the sequence of questions for every student. The problem that a student has is whenever a date for the exam is declared the student has to take it and there is no way he can take it at some other time. This project will create an interface for the examiner to create and store questions in a repository. It will also create an interface for the student to take examinations at his convenience and the questions and/or exams may be timed. Thereby creating an application which can be used by examiners and examinee’s simultaneously.
Examination System is very useful for Teachers/Professors. As in the teaching profession, you are responsible for writing question papers. In the conventional method, you write the question paper on paper, keep question papers separate from answers and all this information you have to keep in a locker to avoid unauthorized access. Using the Examination System you can create a question paper and everything will be written to a single exam file in encrypted format. You can set the General and Administrator password to avoid unauthorized access to your question paper. Every time you start the examination, the program shuffles all the questions and selects them randomly from the database, which reduces the chances of memorizing the questions.
A review on techniques and modelling methodologies used for checking electrom...nooriasukmaningtyas
The proper function of the integrated circuit (IC) in an inhibiting electromagnetic environment has always been a serious concern throughout the decades of revolution in the world of electronics, from disjunct devices to today’s integrated circuit technology, where billions of transistors are combined on a single chip. The automotive industry and smart vehicles in particular, are confronting design issues such as being prone to electromagnetic interference (EMI). Electronic control devices calculate incorrect outputs because of EMI and sensors give misleading values which can prove fatal in case of automotives. In this paper, the authors have non exhaustively tried to review research work concerned with the investigation of EMI in ICs and prediction of this EMI using various modelling methodologies and measurement setups.
Literature Review Basics and Understanding Reference Management.pptxDr Ramhari Poudyal
Three-day training on academic research focuses on analytical tools at United Technical College, supported by the University Grant Commission, Nepal. 24-26 May 2024
1. Public
SMART CONTRACT AUDIT REPORT
for
Strips Finance
Prepared By: Yiqun Chen
PeckShield
December 31, 2021
1/24 PeckShield Audit Report #: 2021-459
2. Public
Document Properties
Client Strips Finance
Title Smart Contract Audit Report
Target Strips
Version 1.0
Author Xuxian Jiang
Auditors Stephen Bie, Yiqun Chen, Xuxian Jiang
Reviewed by Yiqun Chen
Approved by Xuxian Jiang
Classification Public
Version Info
Version Date Author(s) Description
1.0 December 31, 2021 Xuxian Jiang Final Release
1.0-rc1 December 20, 2021 Xuxian Jiang Release Candidate #1
Contact
For more information about this document and its contents, please contact PeckShield Inc.
Name Yiqun Chen
Phone +86 183 5897 7782
Email contact@peckshield.com
2/24 PeckShield Audit Report #: 2021-459
4. Public
1 | Introduction
Given the opportunity to review the design document and related smart contract source code of the
Strips Finance protocol, we outline in the report our systematic approach to evaluate potential se-
curity issues in the smart contract implementation, expose possible semantic inconsistencies between
smart contract code and design document, and provide additional suggestions or recommendations
for improvement. Our results show that the given version of smart contracts can be further improved
due to the presence of several issues related to either security or performance. This document outlines
our audit results.
1.1 About Strips
Strips Finance is the world’s first decentralised interest rate derivatives exchange. Built using an
innovative AMM model for interest rate derivatives, Strips allows traders and investors to easily trade
and hedge interest rates using a derivative instrument called interest rate swap. The project is
backed by world class investors and the Strips team was previously involved in portfolio management,
high-frequency trading and digital banking. The basic information of the audited protocol is as follows:
Table 1.1: Basic Information of Strips
Item Description
Name Strips Finance
Type Ethereum Smart Contract
Platform Solidity
Audit Method Whitebox
Latest Audit Report December 31, 2021
In the following, we show the Git repository of reviewed files and the commit hash value used in
this audit.
• https://github.com/strips-finance/strips-skeleton-dev.git (c3a0f30)
4/24 PeckShield Audit Report #: 2021-459
5. Public
And this is the commit ID after all fixes for the issues found in the audit have been checked in.
• https://github.com/strips-finance/strips-skeleton-dev.git (207dfc4)
1.2 About PeckShield
PeckShield Inc. [13] is a leading blockchain security company with the goal of elevating the secu-
rity, privacy, and usability of current blockchain ecosystems by offering top-notch, industry-leading
services and products (including the service of smart contract auditing). We are reachable at Telegram
(https://t.me/peckshield), Twitter (http://twitter.com/peckshield), or Email (contact@peckshield.com).
Table 1.2: Vulnerability Severity Classification
Impact
High Critical High Medium
Medium High Medium Low
Low Medium Low Low
High Medium Low
Likelihood
1.3 Methodology
To standardize the evaluation, we define the following terminology based on the OWASP Risk Rating
Methodology [12]:
• Likelihood represents how likely a particular vulnerability is to be uncovered and exploited in
the wild;
• Impact measures the technical loss and business damage of a successful attack;
• Severity demonstrates the overall criticality of the risk.
Likelihood and impact are categorized into three ratings: H, M and L, i.e., high, medium and
low respectively. Severity is determined by likelihood and impact and can be classified into four
categories accordingly, i.e., Critical, High, Medium, Low shown in Table 1.2.
To evaluate the risk, we go through a checklist of items and each would be labeled with a
severity category. For one check item, if our tool or analysis does not identify any issue, the contract
5/24 PeckShield Audit Report #: 2021-459
6. Public
Table 1.3: The Full Audit Checklist
Category Checklist Items
Basic Coding Bugs
Constructor Mismatch
Ownership Takeover
Redundant Fallback Function
Overflows & Underflows
Reentrancy
Money-Giving Bug
Blackhole
Unauthorized Self-Destruct
Revert DoS
Unchecked External Call
Gasless Send
Send Instead Of Transfer
Costly Loop
(Unsafe) Use Of Untrusted Libraries
(Unsafe) Use Of Predictable Variables
Transaction Ordering Dependence
Deprecated Uses
Semantic Consistency Checks Semantic Consistency Checks
Advanced DeFi Scrutiny
Business Logics Review
Functionality Checks
Authentication Management
Access Control & Authorization
Oracle Security
Digital Asset Escrow
Kill-Switch Mechanism
Operation Trails & Event Generation
ERC20 Idiosyncrasies Handling
Frontend-Contract Integration
Deployment Consistency
Holistic Risk Management
Additional Recommendations
Avoiding Use of Variadic Byte Array
Using Fixed Compiler Version
Making Visibility Level Explicit
Making Type Inference Explicit
Adhering To Function Declaration Strictly
Following Other Best Practices
6/24 PeckShield Audit Report #: 2021-459
7. Public
is considered safe regarding the check item. For any discovered issue, we might further deploy
contracts on our private testnet and run tests to confirm the findings. If necessary, we would
additionally build a PoC to demonstrate the possibility of exploitation. The concrete list of check
items is shown in Table 1.3.
In particular, we perform the audit according to the following procedure:
• Basic Coding Bugs: We first statically analyze given smart contracts with our proprietary static
code analyzer for known coding bugs, and then manually verify (reject or confirm) all the issues
found by our tool.
• Semantic Consistency Checks: We then manually check the logic of implemented smart con-
tracts and compare with the description in the white paper.
• Advanced DeFi Scrutiny: We further review business logics, examine system operations, and
place DeFi-related aspects under scrutiny to uncover possible pitfalls and/or bugs.
• Additional Recommendations: We also provide additional suggestions regarding the coding and
development of smart contracts from the perspective of proven programming practices.
To better describe each issue we identified, we categorize the findings with Common Weakness
Enumeration (CWE-699) [11], which is a community-developed list of software weakness types to
better delineate and organize weaknesses around concepts frequently encountered in software devel-
opment. Though some categories used in CWE-699 may not be relevant in smart contracts, we use
the CWE categories in Table 1.4 to classify our findings. Moreover, in case there is an issue that
may affect an active protocol that has been deployed, the public version of this report may omit
such issue, but will be amended with full details right after the affected protocol is upgraded with
respective fixes.
1.4 Disclaimer
Note that this security audit is not designed to replace functional tests required before any software
release, and does not give any warranties on finding all possible security issues of the given smart
contract(s) or blockchain software, i.e., the evaluation result does not guarantee the nonexistence
of any further findings of security issues. As one audit-based assessment cannot be considered
comprehensive, we always recommend proceeding with several independent audits and a public bug
bounty program to ensure the security of smart contract(s). Last but not least, this security audit
should not be used as investment advice.
7/24 PeckShield Audit Report #: 2021-459
8. Public
Table 1.4: Common Weakness Enumeration (CWE) Classifications Used in This Audit
Category Summary
Configuration Weaknesses in this category are typically introduced during
the configuration of the software.
Data Processing Issues Weaknesses in this category are typically found in functional-
ity that processes data.
Numeric Errors Weaknesses in this category are related to improper calcula-
tion or conversion of numbers.
Security Features Weaknesses in this category are concerned with topics like
authentication, access control, confidentiality, cryptography,
and privilege management. (Software security is not security
software.)
Time and State Weaknesses in this category are related to the improper man-
agement of time and state in an environment that supports
simultaneous or near-simultaneous computation by multiple
systems, processes, or threads.
Error Conditions,
Return Values,
Status Codes
Weaknesses in this category include weaknesses that occur if
a function does not generate the correct return/status code,
or if the application does not handle all possible return/status
codes that could be generated by a function.
Resource Management Weaknesses in this category are related to improper manage-
ment of system resources.
Behavioral Issues Weaknesses in this category are related to unexpected behav-
iors from code that an application uses.
Business Logic Weaknesses in this category identify some of the underlying
problems that commonly allow attackers to manipulate the
business logic of an application. Errors in business logic can
be devastating to an entire application.
Initialization and Cleanup Weaknesses in this category occur in behaviors that are used
for initialization and breakdown.
Arguments and Parameters Weaknesses in this category are related to improper use of
arguments or parameters within function calls.
Expression Issues Weaknesses in this category are related to incorrectly written
expressions within code.
Coding Practices Weaknesses in this category are related to coding practices
that are deemed unsafe and increase the chances that an ex-
ploitable vulnerability will be present in the application. They
may not directly introduce a vulnerability, but indicate the
product has not been carefully developed or maintained.
8/24 PeckShield Audit Report #: 2021-459
9. Public
2 | Findings
2.1 Summary
Here is a summary of our findings after analyzing the implementation of the Strips protocol. During
the first phase of our audit, we study the smart contract source code and run our in-house static
code analyzer through the codebase. The purpose here is to statically identify known coding bugs,
and then manually verify (reject or confirm) issues reported by our tool. We further manually review
business logic, examine system operations, and place DeFi-related aspects under scrutiny to uncover
possible pitfalls and/or bugs.
Severity # of Findings
Critical 0
High 1
Medium 3
Low 1
Informational 1
Total 6
We have so far identified a list of potential issues: some of them involve subtle corner cases that might
not be previously thought of, while others refer to unusual interactions among multiple contracts.
For each uncovered issue, we have therefore developed test cases for reasoning, reproduction, and/or
verification. After further analysis and internal discussion, we determined a few issues of varying
severities need to be brought up and paid more attention to, which are categorized in the above
table. More information can be found in the next subsection, and the detailed discussions of each of
them are in Section 3.
9/24 PeckShield Audit Report #: 2021-459
10. Public
2.2 Key Findings
Overall, these smart contracts are well-designed and engineered, though the implementation can be
improved by resolving the identified issues (shown in Table 2.1), including 1 high-severity vulnerability,
3 medium-severity vulnerabilities, 1 low-severity vulnerability, and 1 informational recommendation.
Table 2.1: Key Strips Audit Findings
ID Severity Title Category Status
PVE-001 Low Possible Reentrancy Execution in vote() Time and State Fixed
PVE-002 High Improved Logic in SLPToken::_transfer-
Stake()
Business Logic Fixed
PVE-003 Medium Possible Sandwich/MEV Attacks
Against _burnPair()
Time and State Mitigated
PVE-004 Medium Unsafe Price Calculation in
UniswapLpOracle
Business Logic Fixed
PVE-005 Informational Removal of Unused State/Code Coding Practices Fixed
PVE-006 Medium Trust Issue of Admin Keys Security Features Mitigated
Besides the identified issues, we emphasize that for any user-facing applications and services, it is
always important to develop necessary risk-control mechanisms and make contingency plans, which
may need to be exercised before the mainnet deployment. The risk-control mechanisms should kick
in at the very moment when the contracts are being deployed on mainnet. Please refer to Section 3
for details.
10/24 PeckShield Audit Report #: 2021-459
11. Public
3 | Detailed Results
3.1 Possible Reentrancy Execution in vote()
• ID: PVE-001
• Severity: Low
• Likelihood: Low
• Impact: Low
• Target: Governance
• Category: Time and State [9]
• CWE subcategory: CWE-663 [3]
Description
A common coding best practice in Solidity is the adherence of checks-effects-interactions principle.
This principle is effective in mitigating a serious attack vector known as re-entrancy. Via this
particular attack vector, a malicious contract can be reentering a vulnerable contract in a nested
manner. Specifically, it first calls a function in the vulnerable contract, but before the first instance
of the function call is finished, second call can be arranged to re-enter the vulnerable contract by
invoking functions that should only be executed once. This attack was part of several most prominent
hacks in Ethereum history, including the DAO [15] exploit, and the recent Uniswap/Lendf.Me hack [14].
We notice there is an occasion where the checks-effects-interactions principle is violated. Using
the Governance as an example, the vote() function (see the code snippet below) is provided to
externally call a contract to perform various actions. However, the invocation of an external contract
requires extra care in avoiding the above re-entrancy.
Apparently, the interaction with the external contract (line 123) starts before effecting the update
on internal states (line 124), hence violating the principle. In this particular case, if the external
contract has certain hidden logic that may be capable of launching re-entrancy via the same entry
function.
102 function vote ( bytes32 _proposalHash , bool _yes ) p u b l ic onlyVoter {
103 // solhint -disable code -complexity
104 r e q u i r e ( ! p r o p o s a l s [ _proposalHash ] . f i n i s h e d , "Already finished" ) ;
105 r e q u i r e ( ! p r o p o s a l s [ _proposalHash ] . votedFor [ msg . sender ] , "Already voted" ) ;
106 r e q u i r e ( ! p r o p o s a l s [ _proposalHash ] . votedAgainst [ msg . sender ] , "Already voted" ) ;
11/24 PeckShield Audit Report #: 2021-459
12. Public
107 i f ( p r o p o s a l s [ _proposalHash ] . t o t a l V o t e r s != votersCount ) p r o p o s a l s [ _proposalHash
] . t o t a l V o t e r s = votersCount ;
108 i f ( _yes ) {
109 p r o p o s a l s [ _proposalHash ] . yesVotes = p r o p o s a l s [ _proposalHash ] . yesVotes + 1;
110 p r o p o s a l s [ _proposalHash ] . votedFor [ msg . sender ] = true ;
111 } e l s e {
112 p r o p o s a l s [ _proposalHash ] . noVotes = p r o p o s a l s [ _proposalHash ] . noVotes + 1;
113 p r o p o s a l s [ _proposalHash ] . votedAgainst [ msg . sender ] = true ;
114 }
115 emit Vote (
116 _proposalHash ,
117 _yes ,
118 p r o p o s a l s [ _proposalHash ] . yesVotes ,
119 p r o p o s a l s [ _proposalHash ] . noVotes ,
120 votersCount
121 ) ;
122 i f ( p r o p o s a l s [ _proposalHash ] . yesVotes > votersCount / 2) {
123 e x e c u t e P r o p o s a l ( _proposalHash ) ;
124 f i n i s h P r o p o s a l ( _proposalHash ) ;
125 } e l s e i f ( p r o p o s a l s [ _proposalHash ] . noVotes >= ( votersCount + 1) / 2) {
126 f i n i s h P r o p o s a l ( _proposalHash ) ;
127 }
128 }
Listing 3.1: Governance::vote()
In the meantime, we should mention that the external contract for interaction may be trusted and
thus not vulnerable or exploitable for re-entrancy. However, it is important to take precautions in
making use of nonReentrant to block possible re-entrancy. Note similar issues exist in other routines,
including claimStakingRewards() and the adherence of checks-effects-interactions best practice is
recommended.
Recommendation Apply necessary reentrancy prevention by utilizing the nonReentrant modifier
to block possible re-entrancy.
Status The issue has been resolved as the team clarifies that the governance is not used
anymore. As a result, the related vote() function is now removed.
12/24 PeckShield Audit Report #: 2021-459
13. Public
3.2 Improved Logic in SLPToken::_transferStake()
• ID: PVE-002
• Severity: High
• Likelihood: High
• Impact: Medium
• Target: SLPToken
• Category: Business Logic [8]
• CWE subcategory: CWE-841 [5]
Description
The Strips protocol provides incentive mechanisms for staking users and the staking rewards are
managed in SLPtoken. While reviewing the staking reward logic, we notice the current implementation
needs to be corrected. In particular, since the staking rewards are implemented as ERC20-compliant
tokens, these staking rewards can be transferred. However, when they are transferred, the current
implementation does not accurately update reward-related accounting.
To elaborate, we show below the related SLPtoken::transfer() implementation. While it makes
use of a helper routine _transferStake() to actually transfer staking shares, the helper routine
does not update other required states, e.g., initialStakingPnl, initialTradingPnl, initialBlockNum,
initialTimeStamp, as well as stakers[recipient]. The lack of timely update of these states messes
up the reward accounting.
348 function transfer(address recipient , uint256 amount) public override(ERC20 , IERC20)
returns (bool) {
349 _transferStake (msg.sender , recipient , amount);
350
351 return super.transfer(recipient , amount);
352 }
353
354 function transferFrom (
355 address sender ,
356 address recipient ,
357 uint256 amount
358 ) public override(ERC20 , IERC20) returns (bool) {
359 _transferStake (sender , recipient , amount);
360
361 return super. transferFrom (sender , recipient , amount);
362 }
363
364 function _transferStake (address sender , address recipient , uint256 amount) private {
365 require(stakers[sender ].exist , " STAKER_NOT_FOUND ");
366 require(stakers[recipient ]. exist == false , " MERGE_NOT_POSSIBLE ");
367
368 int256 transferShare = int256(amount / balanceOf(sender));
369
370 stakers[recipient] = stakers[sender ];
371
13/24 PeckShield Audit Report #: 2021-459
14. Public
372 int256 stakingProfit = transferShare * stakers[sender ]. unrealizedStakingProfit ;
373 int256 tradingProfit = transferShare * stakers[sender ]. unrealizedTradingProfit ;
374
375 if ( stakingProfit != 0){
376 stakers[sender ]. unrealizedStakingProfit -= stakingProfit ;
377 stakers[recipient ]. unrealizedStakingProfit = stakingProfit ;
378 }
379
380 if ( tradingProfit != 0){
381 stakers[sender ]. unrealizedTradingProfit -= tradingProfit ;
382 stakers[recipient ]. unrealizedTradingProfit = tradingProfit ;
383 }
384
385 if (amount == balanceOf(sender)){
386 delete stakers[sender ];
387 }
388 }
Listing 3.2: SLPToken::transfer()
Recommendation Properly update the reward accounting when the reward shares are trans-
ferred.
Status The issue has been fixed by making the SLPToken non-transferable.
3.3 Possible Sandwich/MEV Attacks Against _burnPair()
• ID: PVE-003
• Severity: Medium
• Likelihood: Low
• Impact: Medium
• Target: Multiple Contracts
• Category: Time and State [10]
• CWE subcategory: CWE-682 [4]
Description
As mentioned earlier, the Strips protocol allows traders and investors to easily trade and hedge
interest rates using a derivative instrument called interest rate swap. Because of that, there is a
constant need of swapping one asset to another. As an example, we show below the _burnPair()
routine that is used to burn staked tokens to cover potential loss.
119 function _burnPair (
120 IStripsLpToken slpToken ,
121 int256 requiredAmount
122 ) p u b l i c {
123 // ONLY if we are in Owner context (address(this) == owner), otherwise revert
124 slpToken . checkOwnership () ;
125
14/24 PeckShield Audit Report #: 2021-459
15. Public
228 int256 l p _ d i f f = int256 ( params . p a i r . balanceOf ( address ( t h i s ) ) ) − lp_balance ;
229 r e q u i r e ( l p _ d i f f < 0 , " LP_BURN_ERROR " ) ;
230
231 int256 usdc_diff = int256 ( IERC20 ( params . usdc ) . balanceOf ( address ( t h i s ) ) ) −
usdc_balance ;
232 r e q u i r e ( usdc_diff > 0 , " USDC_BURN_ERROR " ) ;
233
234 /* Reflect change */
235 slpToken . changeStakingPnl ( l p _ d i f f ) ;
236 slpToken . changeTradingPnl ( usdc_diff ) ;
237 }
238 }
Listing 3.3: StakingImpl :: _burnPair()
We notice the required liquidity calculation (line 163) is based on the reserve of the UniswapV2
pair and the reserve amount can be manipulated in a sandwich transaction. Also, once the liquidity
is burnt, the subsequent swap operation does not specify a valid restriction on possible slippage and
is also potentially vulnerable to possible front-running attacks, resulting in a smaller gain for this
round of conversion.
Note that this is a common issue plaguing current AMM-based DEX solutions. Specifically, a large
trade may be sandwiched by a preceding sell to reduce the market price, and a tailgating buy-back
of the same amount plus the trade amount. Such sandwiching behavior unfortunately causes a loss
and brings a smaller return as expected to the trading user because the swap rate is lowered by the
preceding sell. As a mitigation, we may consider specifying the restriction on possible slippage caused
by the trade or referencing the TWAP or time-weighted average price of UniswapV2. Nevertheless, we
need to acknowledge that this is largely inherent to current blockchain infrastructure and there is
still a need to continue the search efforts for an effective defense.
Recommendation Develop an effective mitigation (e.g., slippage control) to the above front-
running attack to better protect the interests of farming users.
Status This issue has been confirmed.
17/24 PeckShield Audit Report #: 2021-459
16. Public
3.4 Unsafe Price Calculation in UniswapLpOracle
• ID: PVE-004
• Severity: Medium
• Likelihood: Medium
• Impact: Medium
• Target: UniswapLpOracle
• Category: Business Logic [8]
• CWE subcategory: CWE-841 [5]
Description
The Strips protocol has the built-in price oracle that fetches the price from the Uniswap V2 pair.
While reviewing the reliability of the computed prices, we notice the current implementation can be
improved.
To elaborate, we show below the performUpkeep() function. This function follows the original
Chainlink Keeper specification and calls the checkUpkeep() method in order to determine where there
is some work to be done. If the checkUpkeep() method returns true, it will then compute the current
spot price (based on the pair reserve) and then the avgPairPrice. Note that a total of 24 samples are
collected to compute avgPairPrice and each sample needs to be taken with at least interval apart.
However, in a flashloan situation, this computed avgPairPrice is still highly manipulatable.
92 function performUpkeep (bytes calldata _data) external virtual override onlyListed {
93 require(block.timestamp > lastTimeStamp + interval , " NO_NEED_UPDATE ");
94 lastTimeStamp = block.timestamp;
95
96 if (instant){
97 /* This mode is used for testnet only */
98 accumulateInstantOracle ();
99
100 isActive = true;
101 }else{
102 accumulateOracle ();
103
104 periodsPassed += 1;
105
106 /* Activate oralce once enough periods passed */
107 if (isActive == false && periodsPassed >= periods){
108 isActive = true;
109 }
110 }
111 }
Listing 3.4: UniswapLpOracle::performUpkeep()
Recommendation Validate the caller to ensure only trusted ones may update the price.
18/24 PeckShield Audit Report #: 2021-459
17. Public
Status The issue has been fixed since this performUpkeep() can be called only by the trusted
keeper(s).
3.5 Removal of Unused State/Code
• ID: PVE-005
• Severity: Informational
• Likelihood: N/A
• Impact: N/A
• Target: IStakeable
• Category: Coding Practices [7]
• CWE subcategory: CWE-563 [2]
Description
The Strips protocol makes good use of a number of reference contracts, such as ERC20, SafeERC20,
SignedBaseMath, and Address, to facilitate its code implementation and organization. For example,
the Strips smart contract has so far imported at least five reference contracts. However, we observe
the inclusion of certain unused code or the presence of unnecessary redundancies that can be safely
removed.
For example, if we examine closely the IStakeble interface, it defines a number of events
LiquidityChanged, TokenAdded, and LogStakeChanged. However, these events are never used. With
that, these events can be safely removed.
85 i n t e r f a c e I S t a k e b l e i s I S t a k e b l e E v e n t s {
86 event LiquidityChanged (
87 address indexed asset ,
88 address indexed changer ,
89 s t r i n g indexed action ,
90
91 int256 t o t a l L i q u i d i t y ,
92 int256 currentStakedPnl ,
93 int256 s t a k e r I n i t i a l S t a k e d P n l ,
94 int256 s t a k e r T o t a l C o l l a t e r a l
95 ) ;
96
97 event TokenAdded (
98 address indexed asset ,
99 address indexed token
100 ) ;
101
102 event LogStakeChanged (
103 address indexed asset ,
104 address indexed changer ,
105 bool isStake ,
106
107 int256 burnedSlp ,
19/24 PeckShield Audit Report #: 2021-459
18. Public
108 int256 unstakeLp ,
109 int256 unstakeUsdc ,
110
111 int256 lp_fee ,
112 int256 usdc_fee
113 ) ;
114 . . .
115 }
Listing 3.5: Pool::constructor()
Recommendation Consider the removal of the redundant code with a simplified, consistent
implementation.
Status The issue has been fixed by removing the unused events.
3.6 Trust Issue of Admin Keys
• ID: PVE-006
• Severity: Medium
• Likelihood: Medium
• Impact: Medium
• Target: Multiple Contracts
• Category: Security Features [6]
• CWE subcategory: CWE-287 [1]
Description
In the Strips protocol, there is a special administrative account, i.e., owner. This owner account plays
a critical role in governing and regulating the system-wide operations (e.g., authorizing other roles,
setting various parameters, and adjusting external oracles). It also has the privilege to regulate or
govern the flow of assets among the involved components.
With great privilege comes great responsibility. Our analysis shows that the owner account is
indeed privileged. In the following, we show representative privileged operations in the Strips protocol.
41 function _addMarket (
42 S t o r a g e S t r i p s L i b . State storage state ,
43 bytes memory data
44 ) p u b l i c {
45 I S t r i p s . AddMarketParams memory params = abi . decode ( data , ( I S t r i p s .
AddMarketParams ) ) ;
47 s t a t e . addMarket ( IMarket ( params . market ) ) ;
49 emit LogNewMarket ( params . market ) ;
50 }
52 function _addOracle ( S t o r a g e S t r i p s L i b . State storage state ,
20/24 PeckShield Audit Report #: 2021-459
19. Public
53 bytes memory data ) p u b l ic
54 {
55 I S t r i p s . AddOracleParams memory params = abi . decode ( data , ( I S t r i p s .
AddOracleParams ) ) ;
57 s t a t e . addOracle ( params . o r a c l e ,
58 params . keeperReward ) ;
59 }
61 function _removeOracle ( S t o r a g e S t r i p s L i b . State storage state ,
62 bytes memory data ) p u b l ic
63 {
64 I S t r i p s . RemoveOracleParams memory params = abi . decode ( data , ( I S t r i p s .
RemoveOracleParams ) ) ;
66 s t a t e . removeOracle ( params . o r a c l e ) ;
67 }
Listing 3.6: Various Setters in StripsAdminImpl
We emphasize that the privilege assignment with various core contracts is necessary and required
for proper protocol operations. However, it is worrisome if the owner is not governed by a DAO-like
structure. The discussion with the team has confirmed that it is currently managed by a multi-sig
account. We point out that a compromised owner account would allow the attacker to undermine
necessary assumptions behind the protocol and subvert various protocol operations.
Recommendation Promptly transfer the privileged account to the intended DAO-like governance
contract. All changed to privileged operations may need to be mediated with necessary timelocks.
Eventually, activate the normal on-chain community-based governance life-cycle and ensure the in-
tended trustless nature and high-quality distributed governance.
Status This issue has been confirmed and partially mitigated with future plans for decentralized
governance.
21/24 PeckShield Audit Report #: 2021-459
20. Public
4 | Conclusion
In this audit, we have analyzed the design and implementation of the Strips protocol, the world’s
first decentralised interest rate derivatives exchange. Built using an innovative AMM model for interest
rate derivatives, Strips allows traders and investors to easily trade and hedge interest rates using a
derivative instrument, i.e., interest rate swap. The current code base is well structured and neatly
organized. Those identified issues are promptly confirmed and addressed.
Moreover, we need to emphasize that Solidity-based smart contracts as a whole are still in
an early, but exciting stage of development. To improve this report, we greatly appreciate any
constructive feedbacks or suggestions, on our methodology, audit findings, or potential gaps in
scope/coverage.
22/24 PeckShield Audit Report #: 2021-459
21. Public
References
[1] MITRE. CWE-287: Improper Authentication. https://cwe.mitre.org/data/definitions/287.html.
[2] MITRE. CWE-563: Assignment to Variable without Use. https://cwe.mitre.org/data/
definitions/563.html.
[3] MITRE. CWE-663: Use of a Non-reentrant Function in a Concurrent Context. https://cwe.
mitre.org/data/definitions/663.html.
[4] MITRE. CWE-682: Incorrect Calculation. https://cwe.mitre.org/data/definitions/682.html.
[5] MITRE. CWE-841: Improper Enforcement of Behavioral Workflow. https://cwe.mitre.org/
data/definitions/841.html.
[6] MITRE. CWE CATEGORY: 7PK - Security Features. https://cwe.mitre.org/data/definitions/
254.html.
[7] MITRE. CWE CATEGORY: Bad Coding Practices. https://cwe.mitre.org/data/definitions/
1006.html.
[8] MITRE. CWE CATEGORY: Business Logic Errors. https://cwe.mitre.org/data/definitions/
840.html.
[9] MITRE. CWE CATEGORY: Concurrency. https://cwe.mitre.org/data/definitions/557.html.
[10] MITRE. CWE CATEGORY: Error Conditions, Return Values, Status Codes. https://cwe.mitre.
org/data/definitions/389.html.
23/24 PeckShield Audit Report #: 2021-459
22. Public
[11] MITRE. CWE VIEW: Development Concepts. https://cwe.mitre.org/data/definitions/699.
html.
[12] OWASP. Risk Rating Methodology. https://www.owasp.org/index.php/OWASP_Risk_
Rating_Methodology.
[13] PeckShield. PeckShield Inc. https://www.peckshield.com.
[14] PeckShield. Uniswap/Lendf.Me Hacks: Root Cause and Loss Analysis. https://medium.com/
@peckshield/uniswap-lendf-me-hacks-root-cause-and-loss-analysis-50f3263dcc09.
[15] David Siegel. Understanding The DAO Attack. https://www.coindesk.com/
understanding-dao-hack-journalists.
24/24 PeckShield Audit Report #: 2021-459