XDEFI Zenith
Findings & Analysis Report
2024-08-30
Overview
About C4
Code4rena (C4) is an open organization consisting of security researchers, auditors, developers, and individuals with domain expertise in smart contracts.
A C4 Pro League Audit is an event where elite tier Code4rena contributors, commonly referred to as wardens, review, audit and analyze smart contract logic in exchange for a bounty provided by sponsoring projects.
During the Pro League audit outlined in this document, C4 conducted an analysis of the XDEFI smart contract system written in Solidity. The audit took place between Aug 23 - Aug 30, 2024.
Wardens
2 Wardens contributed to XDEFI:
Final report assembled by bytes032 and Sentinel.
Summary
The C4 Pro League analysis yielded no HIGH-severity vulnerabilities and 1 MEDIUM-severity vulnerability.
Additionally, the C4 Pro League analysis included 1 finding rated as INFORMATIONAL severity.
Disclaimer: The Paymaster code has also been reviewed by the C4 Zenith team and no issues were found.
Scope
The source code was delivered to Code4rena in a private Git repository. The smart contract facilitates the migration of vXDEFI and XDEFI tokens to CTRL tokens. It optionally exposes methods to perform the migration through a paymaster so that it is gasless for the end user, relying on EIP-2612 permit signatures in place of a separate approve transaction.
Severity Criteria
C4 assesses the severity of disclosed vulnerabilities based on three primary risk categories: high, medium, and low/non-critical.
High-level considerations for vulnerabilities span the following key areas when conducting assessments:
- Malicious Input Handling
- Escalation of privileges
- Arithmetic
- Gas use
For more information regarding the severity criteria referenced throughout the submission review process, please refer to the documentation provided on the C4 website, specifically our section on Severity Categorization.
Medium Findings (1)
Migration is vulnerable to permit front-running
Context:
- XdefiToCtrlMigration.sol#L63
- XdefiToCtrlMigration.sol#L85
- XdefiToCtrlMigration.sol#L106
- XdefiToCtrlMigration.sol#L131
Description:
Migration functions can be temporarily blocked by front-running the permit. Each migrate function forwards the user's EIP-2612 signature (v, r, s) to the old token's permit(). Once the user's migration transaction is in the mempool, that signature is public: an attacker can submit the same (owner, spender, value, deadline, v, r, s) directly to the token contract's permit(). The attacker's call succeeds, grants the allowance to the migration contract and increments nonces[owner]. When the user's transaction executes, permit() rebuilds the digest with the new nonce, signature recovery no longer matches, permit() reverts and the whole migration transaction reverts with it. The attacker gains no tokens (the allowance is only ever granted to the migration contract), but the user must re-sign and resubmit, and the griefing can be repeated on every attempt. The nonce is consumed inside the digest computation:
function permit(
    address owner_,
    address spender,
    uint256 value,
    uint256 deadline,
    uint8 v,
    bytes32 r,
    bytes32 s
) external override {
    require(owner_ != address(0), "ERC20: Owner cannot be 0");
    require(block.timestamp < deadline, "ERC20: Expired");
    bytes32 digest =
        keccak256(
            abi.encodePacked(
                EIP191_PREFIX_FOR_EIP712_STRUCTURED_DATA,
                DOMAIN_SEPARATOR,
                // nonce is consumed here: a signature is only valid for the current nonce
>>              keccak256(abi.encode(PERMIT_SIGNATURE_HASH, owner_, spender, value, nonces[owner_]++, deadline))
            )
        );
    ---SNIP---
Recommendation:
It is recommended to wrap token.permit() calls in a try-catch block so that the transaction continues when the permit has already been consumed. This is safe because the subsequent transferFrom still reverts if no allowance is in place: a bogus, expired or already-used signature cannot move tokens, while a signature that a front-runner has already applied leaves the allowance set and the migration completes. An equivalent pattern is to read allowance(msg.sender, address(this)) first and skip permit() when it already covers amount.
function migrate(uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public {
+   try IERC20Permit(address(oldToken)).permit(msg.sender, address(this), amount, deadline, v, r, s) {} catch {}
    // send tokens
}
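The griefing sequence and the recommended mitigation, modelled as an added Python example. This is not XDEFI's code: the PermitToken and Migration classes, the "alice" account and the signing secret are hypothetical stand-ins, and the signature is an HMAC over the same fields an EIP-712 Permit struct commits to (owner, spender, value, nonce, deadline) rather than real ECDSA recovery. The attacker replays the user's signature against the token's permit(), the vulnerable migrate() then reverts on the stale nonce, and the try/catch variant completes because the allowance is already in place. The last function checks the caveat that the try/catch variant still rejects a bad signature, because transfer_from reverts when no allowance was ever granted.

```python
import hashlib
import hmac


class PermitToken:
    """Minimal in-memory ERC20 with a nonce-consuming permit(), mirroring the snippet above."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}   # (owner, spender) -> amount
        self.nonces = {}      # owner -> next expected permit nonce
        self.secrets = {}     # owner -> signing secret (hypothetical stand-in for a private key)

    def register(self, owner, secret):
        self.secrets[owner] = secret

    @staticmethod
    def _digest(owner, spender, value, nonce, deadline):
        # Same fields an EIP-712 Permit struct hash commits to, including the nonce.
        return hashlib.sha256(f"{owner}|{spender}|{value}|{nonce}|{deadline}".encode()).digest()

    def sign_permit(self, owner, spender, value, deadline):
        """Off-chain: owner signs a permit for the nonce the token currently expects."""
        digest = self._digest(owner, spender, value, self.nonces.get(owner, 0), deadline)
        return hmac.new(self.secrets[owner], digest, hashlib.sha256).digest()

    def permit(self, owner, spender, value, deadline, signature, now):
        if now >= deadline:
            raise ValueError("ERC20: Expired")
        nonce = self.nonces.get(owner, 0)
        digest = self._digest(owner, spender, value, nonce, deadline)
        expected = hmac.new(self.secrets[owner], digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("ERC20: Invalid Signature")  # revert: nothing below persists
        self.nonces[owner] = nonce + 1   # nonce consumed; the same signature is now stale
        self.allowance[(owner, spender)] = value

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise ValueError("ERC20: insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("ERC20: insufficient balance")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Migration:
    """Hypothetical migration contract: pulls old tokens via permit, pays out new tokens 1:1."""
    ADDRESS = "migration"

    def __init__(self, old_token, new_token):
        self.old, self.new = old_token, new_token

    def migrate_vulnerable(self, sender, amount, deadline, signature, now):
        # A permit() revert (e.g. stale nonce) bubbles up and aborts the whole call.
        self.old.permit(sender, self.ADDRESS, amount, deadline, signature, now)
        self._swap(sender, amount)

    def migrate_fixed(self, sender, amount, deadline, signature, now):
        # Equivalent of the recommended try/catch: tolerate a permit() failure, because
        # transfer_from below still reverts unless an allowance really exists.
        try:
            self.old.permit(sender, self.ADDRESS, amount, deadline, signature, now)
        except ValueError:
            pass
        self._swap(sender, amount)

    def _swap(self, sender, amount):
        self.old.transfer_from(self.ADDRESS, sender, self.ADDRESS, amount)
        self.new.balances[self.ADDRESS] -= amount
        self.new.balances[sender] = self.new.balances.get(sender, 0) + amount


def run_frontrun(fixed):
    """One front-run attempt. Returns (migration_succeeded, alice_new_balance, alice_nonce)."""
    old = PermitToken({"alice": 100})                 # constructed sample balances
    new = PermitToken({Migration.ADDRESS: 1_000})
    old.register("alice", b"alice-private-key")       # constructed sample secret
    mig = Migration(old, new)
    deadline = 1_000
    sig = old.sign_permit("alice", Migration.ADDRESS, 100, deadline)  # goes into alice's migrate() tx
    # Attacker extracts the signature from the pending tx and calls permit() on the token first.
    old.permit("alice", Migration.ADDRESS, 100, deadline, sig, now=10)
    migrate = mig.migrate_fixed if fixed else mig.migrate_vulnerable
    try:
        migrate("alice", 100, deadline, sig, now=11)
        ok = True
    except ValueError:
        ok = False
    return ok, new.balances.get("alice", 0), old.nonces["alice"]


def fixed_path_rejects_bad_signature():
    """Caveat check: swallowing permit() errors must not let an unsigned migration through."""
    old = PermitToken({"alice": 100})
    new = PermitToken({Migration.ADDRESS: 1_000})
    old.register("alice", b"alice-private-key")
    mig = Migration(old, new)
    try:
        mig.migrate_fixed("alice", 100, 1_000, b"\x00" * 32, now=11)
    except ValueError:
        return True   # transfer_from reverted: no allowance was ever granted
    return False


if __name__ == "__main__":
    print("vulnerable:", run_frontrun(fixed=False))  # (False, 0, 1)
    print("fixed:     ", run_frontrun(fixed=True))   # (True, 100, 1)
```

The nonce ends at 1 in both runs: the attacker's replay is the only permit that lands, and the hardened path simply reuses the allowance it created rather than needing a second signature.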
XDEFI:
The issue has been fixed with PR-8
C4 Zenith:
The issue has been resolved as per recommendation.
Informational Findings (1)
Unused code in various contracts
Context:
Description:
FixedToken.sol has the _owner argument in the initToken function that is never used:
function initToken(string memory _name, string memory _symbol, address _owner, uint256 _initialSupply) public {
    _initERC20(_name, _symbol);
    _mint(msg.sender, _initialSupply);   // _owner is never read; supply goes to msg.sender
}
ERC20.sol has a function _setupDecimals, which is also not used:
function _setupDecimals(uint8 decimals_) internal {
    _decimals = decimals_;
}
Recommendation:
Consider removing unused code and parameters from contracts.
XDEFI:
Acknowledged.
C4 Zenith:
The issue has been acknowledged.
Disclosures
C4 is an open organization governed by participants in the community.
C4 audits incentivize the discovery of exploits, vulnerabilities, and bugs in smart contracts. Security researchers are rewarded at an increasing rate for finding higher-risk issues. Audit submissions are judged by a knowledgeable security researcher and Solidity developer and disclosed to sponsoring developers. C4 does not conduct formal verification regarding the provided code but instead provides final verification.
C4 does not provide any guarantee or warranty regarding the security of this project. All smart contract software should be used at the sole risk and responsibility of users.