SmartDEX Contract Verification / Audit

Avatar for bchSteve
2 years ago

For those who don't know, SmartDEX.cash is a new DEX on the SmartBCH network that is modeling itself after ViperSwap from the Harmony network. SmartDEX is using some relatively unique mining reward incentives along with plans to build out a much larger ecosystem around the DEX including an upcoming DAO. Read more about SmartDEX on Medium.

To date, no contract audits or code verifications have been done on the SmartDEX contracts. I am by no means a smart contract auditor, but I do have the ability to use publicly available resources and information to verify some of the claims made by the developer. I found the results of my research interesting and thought it could be useful to others as well.

Code Verification

The developer says that the contracts are basically exact copies of the ViperSwap code base with only minor configuration changes made.

The SmartDEX code can be found on their GitHub page here, with the ViperSwap code on their GitHub page.

I performed two basic comparisons of the SmartDEX to the ViperSwap code. First I compared the source code file itself from each of the repositories, noting any changes made. Then I compiled the source code on my local machine using hardhat and compared the resulting bytecode in a hex editor to the bytecode downloaded from SmartScan.cash.

Here are the contracts in question:

GovernanceToken:

Contract Address: 0x47c259DFe165Cef3e429C9B66bf9ce9dc3e68aC2

I compared the GovernanceToken.sol files from each of the repositories and found them to be identical.

The bytecode that I compiled locally was also identical to the bytecode downloaded from SmartScan.

MasterBreeder:

Contract Address: 0x14C15BD8ba2854750770D38472dc5633152f70aa

I compared the MasterBreeder.sol files from each of the repositories and found them to be identical.

The bytecode that I compiled locally was also identical to the bytecode downloaded from SmartScan.

Pit:

Contract Address: 0x46269c22848738573761eC50a736916272857f83

I compared the Pit.sol files from each of the repositories and found them to be identical.

The bytecode that I compiled locally was also identical to the bytecode downloaded from SmartScan.

PitBreeder:

Contract Address: 0xd842Aae7ed615A4ee936d716Cf0F30aD7cB88849

I compared the PitBreeder.sol files from each of the repositories; there was a very small change to the import statements that amounts to a renaming of one of the libraries.

The bytecode that I compiled locally was also slightly different from the bytecode downloaded from SmartScan. My locally compiled bytecode had several blocks of zeros that were replaced by other numbers in the deployed code. Because the PitBreeder contract interacts with several of the other deployed contracts, I believe that those are hard coded addresses of the other contracts that my local codebase was missing. Both bytecode files were identical in length with only those few blocks changed and the checksum at the end of the file of course was also different.
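The comparison described above can be scripted instead of done by eye in a hex editor. The following is an added example, not the author's tooling or SmartDEX code: it splits off the trailing solc metadata (a CBOR map followed by a 2-byte length, which contains a hash of the build metadata), then classifies every remaining difference as either a zero block that was filled in at deployment or a genuine code change. It assumes both inputs are runtime bytecode as hex; all sample bytes, including the address, are constructed.

```python
# Added example: diff locally compiled vs. deployed *runtime* bytecode.
# All sample bytes below are constructed, not taken from SmartDEX.

def split_metadata(code: bytes):
    """Split off solc's CBOR metadata trailer using its 2-byte length suffix."""
    n = int.from_bytes(code[-2:], "big") if len(code) >= 2 else 0
    # CBOR metadata is a map, so its first byte is 0xa0..0xbf
    if n == 0 or n + 2 > len(code) or not 0xA0 <= code[-2 - n] <= 0xBF:
        return code, b""
    return code[:-2 - n], code[-2 - n:]

def diff_runs(a: bytes, b: bytes, gap: int = 4):
    """Differing [start, end) ranges; runs at most `gap` bytes apart are merged."""
    runs = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if runs and i - runs[-1][1] <= gap:
                runs[-1][1] = i + 1
            else:
                runs.append([i, i + 1])
    return [tuple(r) for r in runs]

def unhex(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)

def compare(local_hex: str, deployed_hex: str) -> dict:
    local, lmeta = split_metadata(unhex(local_hex))
    deployed, dmeta = split_metadata(unhex(deployed_hex))
    report = {"same_length": len(local) == len(deployed),
              "metadata_equal": lmeta == dmeta,
              "placeholders": [], "code_changes": []}
    if report["same_length"]:
        for s, e in diff_runs(local, deployed):
            if any(local[s:e]):          # local had real bytes here: code differs
                report["code_changes"].append((s, e))
            else:                        # local was all zeros: value filled at deploy
                report["placeholders"].append((s, deployed[s:e].hex()))
    return report

def meta(digest: bytes) -> bytes:        # constructed solc-style trailer
    cbor = b"\xa2\x64ipfs\x58\x22\x12\x20" + digest + b"\x64solc\x43\x00\x06\x0c"
    return cbor + len(cbor).to_bytes(2, "big")

PRE, POST = bytes.fromhex("60806040527f"), bytes.fromhex("5b600080fd")
ADDR = bytes.fromhex("11" * 9 + "00" + "22" * 10)   # made-up 20-byte address
LOCAL = PRE + bytes(32) + POST + meta(b"\xaa" * 32)
DEPLOYED = PRE + bytes(12) + ADDR + POST + meta(b"\xbb" * 32)

if __name__ == "__main__":
    print(compare(LOCAL.hex(), "0x" + DEPLOYED.hex()))
```

Any entry under `code_changes` means the deployed logic differs from the compiled source; each value under `placeholders` can be checked against the addresses of the other deployed contracts.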

Factory & Router Contracts:

Factory Contract Address: 0xDd749813a4561100bDD3F50079a07110d148EaF5

Router Contract Address: 0xE714f5768aa7F0F1623064985934FF9e12A9E61e

The Factory and Router contracts are pretty widely used in other DEXs, originally from the UniswapV2 code base. The SOL files in the SmartDEX repository are identical to the copy provided in the ViperSwap repository.

I was unable to get my locally compiled bytecode to match the code downloaded from SmartScan. I believe that it is likely that these were compiled using a different configuration file than the rest of the SmartDEX code, resulting in different compiler options.

I didn't spend too much time trying to figure this out because from what I understand they are very low risk contracts. As I understand them, the Factory contract is only used to add new trading pairs to the DEX and the Router contract is used to perform your swaps on the DEX. So performance of each of these can be tested by anyone. As long as they perform those functions there should be little additional risk, because they don't hold or control any user funds.

If the SmartDEX developer is able to provide me with any additional details about how these contracts were compiled, I would be happy to try again.

Audit

As I mentioned, I have no specific background to audit smart contracts. Though I have spent some time looking at the SmartDEX code base and nothing of major concern jumps out at me.

More important, though, is the fact that the ViperSwap contracts have been audited, as you can see here. Because we have verified that ViperSwap and SmartDEX are running largely the same code base, many of the conclusions from the ViperSwap audit apply to SmartDEX.

A few notes from the ViperSwap Audit:

The audit says "At the time of writing this report, Authorized users no longer have the ability to manually mint tokens." I am unsure how to verify if that is also true of SmartDEX.

The audit also says "The owner of this contract is currently set to the MasterBreeder contract."

I have not verified if the GovernanceToken contract is owned by the MasterBreeder on SmartDEX.

SmartDEX also does not appear to be making use of the Timelock contract.

Other than that, I think the audit is largely applicable to the SmartDEX.

Feel free to reach out to me on Telegram @bchSteve with any questions.

SmartBCH 0x5c401DAbeF79d1316B6f34bF85C3C2E0bd52723A

bitcoincash:qq828306pua6hzhuz987t832r4xjrd78uq6waswm4m
