EVM Smart Contracts - APRO

Prepared by:

HALBORN

Last Updated 09/11/2024

Date of Engagement by: July 8th, 2024 - July 26th, 2024

Summary

88% of all REPORTED Findings have been addressed

All findings

Critical

High

Medium

Low

Informational

1. Introduction
2. Assessment summary
3. Test approach and methodology
4. Risk methodology
5. Scope
6. Assessment summary & findings overview
7. Findings & Tech Details

7.1 Latesttimestamp create a false sense of data freshness
7.2 Lack of l2 sequencer status monitoring in deployment
7.3 Inconsistent solidity pragma versions
7.4 Unused function decodereport in offchainaggregator contract
7.5 Outdated version of solidity
7.6 Cache array length outside of loop
7.7 Missing spdx license identifier
7.8 Inconsistent naming convention in token interface

8. Automated Testing

1. Introduction

APRO engaged Halborn to conduct a security assessment on their smart contracts revisions beginning on 07/08/2024 and ending on 07/26/2024. The security assessment was scoped to the smart contracts provided to the Halborn team.

2. Assessment Summary

The team at Halborn was provided 3 weeks for the engagement and assigned a full-time security engineer to evaluate the security of the smart contract.

The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

Ensure that smart contract functions operate as intended.
Identify potential security issues with the smart contracts.

In summary, Halborn identified some security risks that were mostly addressed by the APRO team.

3. Test Approach and Methodology

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance code coverage and quickly identify items that do not follow the security best practices. The following phases and associated tools were used during the assessment:

Research into architecture and purpose.
Smart contract manual code review and walkthrough.
Graphing out functionality and contract logic/connectivity/functions. (solgraph)
Manual assessment of use and safety for the critical Solidity variables and functions in scope to identify any arithmetic related vulnerability classes.
Manual testing by custom scripts.
Scanning of solidity files for vulnerabilities, security hot-spots or bugs. (MythX)
Static Analysis of security for scoped contract, and imported functions. (Slither)
Testnet deployment. (Brownie, Anvil, Foundry)

4. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.

The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.

The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.

The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.

The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

4.1 EXPLOITABILITY

Attack Origin (AO):

Captures whether the attack requires compromising a specific account.

Attack Cost (AC):

Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.

Attack Complexity (AX):

Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.

Metrics:

EXPLOITABILIY METRIC ( $m_e$ )	METRIC VALUE	NUMERICAL VALUE
Attack Origin (AO)	Arbitrary (AO:A) Specific (AO:S)	1 0.2
Attack Cost (AC)	Low (AC:L) Medium (AC:M) High (AC:H)	1 0.67 0.33
Attack Complexity (AX)	Low (AX:L) Medium (AX:M) High (AX:H)	1 0.67 0.33

Exploitability

E

is calculated using the following formula:

$E = \prod m_e$

4.2 IMPACT

Confidentiality (C):

Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.

Integrity (I):

Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.

Availability (A):

Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.

Deposit (D):

Measures the impact to the deposits made to the contract by either users or owners.

Yield (Y):

Measures the impact to the yield generated by the contract for either users or owners.

Metrics:

IMPACT METRIC ( $m_I$ )	METRIC VALUE	NUMERICAL VALUE
Confidentiality (C)	None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C)	0 0.25 0.5 0.75 1
Integrity (I)	None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C)	0 0.25 0.5 0.75 1
Availability (A)	None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C)	0 0.25 0.5 0.75 1
Deposit (D)	None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C)	0 0.25 0.5 0.75 1
Yield (Y)	None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C)	0 0.25 0.5 0.75 1

Impact

I

is calculated using the following formula:

$I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}$

4.3 SEVERITY COEFFICIENT

Reversibility (R):

Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.

Scope (S):

Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.

Metrics:

SEVERITY COEFFICIENT ( $C$ )	COEFFICIENT VALUE	NUMERICAL VALUE
Reversibility ( $r$ )	None (R:N) Partial (R:P) Full (R:F)	1 0.5 0.25
Scope ( $s$ )	Changed (S:C) Unchanged (S:U)	1.25 1

Severity Coefficient

C

is obtained by the following product:

$C = rs$

The Vulnerability Severity Score

S

is obtained by:

$S = min(10, EIC * 10)$

The score is rounded up to 1 decimal places.

Severity	Score Value Range
Critical	9 - 10
High	7 - 8.9
Medium	4.5 - 6.9
Low	2 - 4.4
Informational	0 - 1.9

5. SCOPE

Files and Repository

(a) Repository: apro_contract

(b) Assessed Commit ID: c6ab8ce

Owned
SimpleWriteAccessController
SimpleReadAccessController

↓ Expand ↓

Out-of-Scope:

Remediation Commit ID:

3d6483f

Out-of-Scope: New features/implementations after the remediation commit IDs.

6. Assessment Summary & Findings Overview

Critical

High

Medium

Low

Informational

Security analysis	Risk level	Remediation Date
latestTimestamp create a false sense of data freshness	Medium	Risk Accepted
Lack of L2 Sequencer Status Monitoring in Deployment	Low	Future Release
Inconsistent Solidity Pragma Versions	Informational	Solved - 08/06/2024
Unused Function decodeReport in OffchainAggregator Contract	Informational	Solved - 08/06/2024
Outdated Version of solidity	Informational	Acknowledged
Cache Array Length outside of loop	Informational	Acknowledged
Missing SPDX License Identifier	Informational	Solved - 08/06/2024
Inconsistent Naming Convention in Token Interface	Informational	Solved - 08/06/2024

7. Findings & Tech Details

7.1 latestTimestamp create a false sense of data freshness

// Medium

Description

The current implementation of the latestTimestamp , determineTimestamp and getTimestamp functions in the EACAggregatorCombine contract can mislead users about the freshness of the data if one of the two aggregators has not updated recently.

By returning the latest from the two latest timestamps aggregators, the function may suggest that the data is up-to-date even if one aggregator's data is stale.

function latestTimestamp() public view virtual override returns (uint256) {
    uint256 timestampX = aggregatorX.latestTimestamp();
    uint256 timestampY = aggregatorY.latestTimestamp();
    return timestampX > timestampY ? timestampX : timestampY;
}

Similarly, in the determineTimestamp function, the updatedAt variable is assigned the newer timestamp of the two aggregators:


   function determineTimestamp(
        uint256 startedAtX,
        uint256 startedAtY,
        uint256 updatedAtX,
        uint256 updatedAtY
    ) internal pure returns (uint256 startedAt, uint256 updatedAt) {
        if (/* .. */ )  { /* ... */ } 
        else {
            startedAt = startedAtX > startedAtY ? startedAtY : startedAtX;
            //E @audit updatedAt is the newest of the two
            updatedAt = updatedAtX > updatedAtY ? updatedAtX : updatedAtY;
        }
    }

This issue can create a false sense of data freshness, potentially leading to erroneous decisions based on outdated information. Users might rely on data they believe is recent, but in reality, it could include stale data from one of the aggregators.

Proof of Concept

Test Steps :

Aggregator X is updated with data
Wait 2 days(can be a lot more)
Aggregator Y is updated with data
Data and latestTimestamp are retrieved using combine proxy
LatestTimestamp of AggregatorY is returned when Aggregator X data is 2 days old

function testLatestTimestampNotLatest() public {
        // Prepare data for the report
        (,,bytes32 configDigest) = offAX.latestConfigDetails();
        uint32 epoch = 1;
        uint8 round = 1;
        bytes32 rawReportContext = bytes32(uint256(uint256(configDigest) << 24 | uint256(epoch) << 8 | uint256(round)));
        bytes32 rawObservers = bytes32(0); // Example value
        int192[] memory observations = new int192[](4);
        observations[0] = 100e18;
        observations[1] = 200e18;
        observations[2] = 300e18;
        observations[3] = 400e18;

        bytes memory report = abi.encode(rawReportContext, rawObservers, observations);

        // Generate signatures for the report
        (bytes32[] memory rs, bytes32[] memory ss, bytes32 rawVs) = generateSignatures(report);

        // Call transmit function
        vm.startPrank(transmitter1);
        offAX.transmit(report, rs, ss, rawVs);
        vm.stopPrank();
        vm.warp(block.timestamp + 2 days);
        vm.startPrank(transmitter2);
        offAY.transmit(report, rs, ss, rawVs);
        vm.stopPrank();

        int256 latestAnswerX = offAX.latestAnswer();
        int256 latestAnswerY = offAY.latestAnswer();

        // console.log("latestAnswerX = %s", uint256(latestAnswerX) / 1e18);
        // console.log("latestAnswerY = %s", uint256(latestAnswerY) / 1e18);
        // console.log("latestAnswerEAC = %s", uint256(eacACP.latestAnswer()) / 1e18);

        console.log("Current Timestamp                        : %s",block.timestamp);
        console.log("Latest Timestamp of EACAggregatorCombine : %s",eacACP.latestTimestamp());
        console.log("Latest Timestamp of Aggregator X         : %s",offAX.latestTimestamp());
        console.log("Latest Timestamp of Aggregator Y         : %s",offAY.latestTimestamp());
    }

As it can be seen in the result, latestTimestamp of AggregatorX is 2 days stale but data is returned like it was updated at the current timestamp

BVSS

AO:A/AC:M/AX:L/C:N/I:M/A:N/D:L/Y:L/R:N/S:C (5.2)

Recommendation

To ensure the accuracy and reliability of the reported data, it is recommended to modify the latestTimestamp function to return the oldest timestamp from the two aggregators or to compare it with a maximum staleness variable. This approach ensures that the data is only considered fresh if both aggregators have been updated recently.

Remediation Plan

RISK ACCEPTED : The APRO team accepted the risk, they said that if users want to have an idea of both data freshness they can request both aggregator latest timestamp

References

APRO-Oracle/apro_contract/contracts/offchain-aggregator/EACAggregatorCombineProxy.sol#L236

APRO-Oracle/apro_contract/contracts/offchain-aggregator/EACAggregatorCombineProxy.sol#L309

APRO-Oracle/apro_contract/contracts/offchain-aggregator/EACAggregatorCombineProxy.sol#L957

7.2 Lack of L2 Sequencer Status Monitoring in Deployment

// Low

Description

The audited system, a fork of Chainlink, is designed for deployment across multiple EVM-compatible chains, including Layer 2 (L2) solutions and sidechains. These chains include Scroll, Linea, ZKLink Nova, BSC, and others that are not L2s or L2s. A critical omission has been identified in the implementation: the absence of L2 sequencer feeds contracts on these chains for Apro Contract.

L2 solutions and some sidechains utilize sequencers to batch and process transactions. The operational status of these sequencers is crucial for the integrity and fairness of the oracle service. Without sequencer status monitoring, the system lacks the capability to detect and respond to sequencer downtime or unavailability.

Chainlink's standard implementation includes sequencer feeds to provide real-time status updates of L2 sequencers. These feeds allow oracle consumers to determine whether the L2 network is fully operational and accessible to all users.

The oracle may continue to report prices without accounting for the inaccessibility of the L2 network to most users, potentially leading to mispriced assets or unfair liquidations.

BVSS

AO:A/AC:L/AX:L/C:N/I:N/A:M/D:N/Y:N/R:P/S:U (2.5)

Recommendation

To address this issue, one of the following measures is recommended:

Implement L2 Sequencer Feeds: Deploy sequencer status feed contracts on all supported L2 and sidechain networks, following Chainlink's established patterns.
Integrate Sequencer Status Checks: Modify the oracle contracts to incorporate checks against the sequencer status feeds before providing price data.

Remediation Plan

PENDING: The APRO team will solve the issue by deploying a L2 Sequencer Feed on Scroll Rollup

7.3 Inconsistent Solidity Pragma Versions

// Informational

Description

Apro contracts use multiple versions of the Solidity compiler pragma, specifically 0.7.6 and ^0.7.0. This inconsistency can lead to compatibility issues, as different pragma versions may have varying behavior and features. The following files use 0.7.6:

AccessControlledOffchainAggregator.sol
OffchainAggregator.sol
OffchainAggregatorBilling.sol
Owned.sol
SimpleReadAccessController.sol
SimpleWriteAccessController.sol

The following files use ^0.7.0:

AccessControllerInterface.sol
AggregatorInterface.sol
AggregatorV2V3Interface.sol
AggregatorV3Interface.sol
AggregatorValidatorInterface.sol
LinkTokenInterface.sol
TypeAndVersionInterface.sol
AproTokenInterface.sol

Additionally, the usage of solc-0.7.6 is flagged as not recommended for deployment. It is crucial to use consistent and up-to-date Solidity versions to ensure contract security and compatibility.

Score

// Informational

Description

The EACAggregatorProxy.sol does not include an SPDX license identifier on the first line. The SPDX identifier is a recommended standard that specifies the software license governing the code, ensuring clarity and compliance with legal requirements.

pragma solidity 0.7.6;

/**
 * @title The Owned contract
 * @notice A contract with helpers for basic contract ownership.
 */
contract Owned {
    ...
}

The absence of an SPDX license identifier can lead to potential legal ambiguities. Without a clear license declaration, users and developers may be uncertain about the usage, modification, and distribution rights of the contract. This can hinder collaboration and adoption, and may lead to legal complications if the code is used or modified without proper licensing information.

Score

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

To adhere to best practices and legal standards, it is recommended to include an SPDX license identifier at the beginning of the contract file. This provides clear information about the licensing terms under which the code is distributed.

By adding the SPDX license identifier, you ensure that the licensing information is explicitly communicated, reducing legal risks and promoting better code practices.

Remediation Plan

SOLVED: The APRO team added the SPDX License Identifier to solve the issue.

Remediation Hash

https://github.com/APRO-Oracle/apro_contract/commit/3d6483f8f5d0cef2ef0b24c0f92cb7c28fbbd86e

References

APRO-Oracle/apro_contract/contracts/offchain-aggregator/EACAggregatorProxy.sol#L1

7.8 Inconsistent Naming Convention in Token Interface

// Informational

Description

The smart contract under review contains an interface named LinkTokenInterface in file AproTokenInterface.sol which is a direct copy from the Chainlink project. However, this project is named APRO, and the interface name has not been updated to reflect this fact. The current implementation is as follows:

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

interface LinkTokenInterface {
// ... (interface functions)
}

This naming inconsistency is present throughout the interface, including comments that directly reference Chainlink:

// The client constructs and makes a request to a known Chainlink oracle through the transferAndCall function, implemented by the LINK token

Score

AO:A/AC:L/AX:L/R:N/S:U/C:N/A:N/I:N/D:N/Y:N (0.0)

Recommendation

To address this issue, the following changes are recommended:

Rename the interface to reflect the APRO project
Update all references to Chainlink in comments and documentation within the interface

Remediation Plan

SOLVED : Naming conventions has been modified.

Remediation Hash

https://github.com/APRO-Oracle/apro_contract/commit/3d6483f8f5d0cef2ef0b24c0f92cb7c28fbbd86e

References

APRO-Oracle/apro_contract/contracts/offchain-aggregator/LinkTokenInterface.sol#L4

8. Automated Testing

Halborn used automated testing techniques to enhance the coverage of certain areas of the smart contracts in scope. Among the tools used was Slither, a Solidity static analysis framework.

After Halborn verified the smart contracts in the repository and was able to compile them correctly into their abis and binary format, Slither was run against the contracts. This tool can statically verify mathematical relationships between Solidity variables to detect invalid or inconsistent usage of the contracts' APIs across the entire code-base.

All issues identified by Slither were proved to be false positives or have been added to the issue list in this report.

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

1. Introduction
2. Assessment summary
3. Test approach and methodology
4. Risk methodology
5. Scope
6. Assessment summary & findings overview
7. Findings & Tech Details

7.1 Latesttimestamp create a false sense of data freshness
7.2 Lack of l2 sequencer status monitoring in deployment
7.3 Inconsistent solidity pragma versions
7.4 Unused function decodereport in offchainaggregator contract
7.5 Outdated version of solidity
7.6 Cache array length outside of loop
7.7 Missing spdx license identifier
7.8 Inconsistent naming convention in token interface

8. Automated Testing

// Download the full report

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed