Monerium is a financial technology company that aims to make digital currencies accessible, secure and simple to transact. It is the first electronic money institution (EMI) licensed to issue fiat currency on the blockchain. Monerium is approved in the 27 European Union member states, Iceland, Liechtenstein and Norway.
Monerium engaged Ackee Blockchain to conduct a security review of the Monerium protocol, with a total time allocation of 12 engineering days between June 15 and July 4, 2023.
Cryptocurrency regulation
Monerium EMI ehf. is authorized and regulated as an electronic money institution under Iceland's Electronic Money Act No. 17/2013, which implements the European Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions.
The importance of cryptocurrency regulation is underlined by the introduction of the Markets in Crypto-Assets Regulation (MiCA). MiCA is a regulatory framework proposed by the European Commission to address the growing use of cryptocurrencies and other crypto-assets within the European Union (EU), and it comes into effect in June 2023. One of the consequences of MiCA is the requirement for regular audits (every six months) performed by an independent third-party audit firm such as Ackee Blockchain.
Methodology
We used static analysis tools, namely Woke. We then took a closer look at the logic of the contracts. For testing, we used the Woke testing framework. During the review, we paid special attention to the following:
- Ensuring access controls are neither too permissive nor too restrictive
- Identifying potential reentrancy in the code
- Verifying the arithmetic integrity of the system
- Detecting common issues, including data validation issues
- Adherence to best practices
Scope
The scope of the audit includes all contracts in the protocol at commit 2ff1709.
Results
Here are our findings.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
M1: Access control architecture
M2: Ownership renouncement
M3: Weak ownership
M4: Unchecked return value
M5: Missing decimals validation
Low severity
L1: Missing validation
Warning severity
W1: bridgeFrontend cannot be removed
W2: Unprotected function
W3: Missing event
W4: Duplicate events
W5: Test contract
W6: Multiple compiler versions
Informational severity
I1: Unused library
I2: Unused variable
I3: Naming convention
I4: Unnecessary SafeMath
I5: Typo
I6: Inconsistent unit syntax
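To illustrate the class of issue behind M4 (unchecked return value), the following is a generic Solidity example added here; it is not Monerium's code and does not reproduce the actual finding. The contract names, the IERC20 interface and the function names are assumed for the illustration. The vulnerable contract ignores the boolean returned by an ERC-20 transfer and the success flag of a low-level call, so a failed transfer or call is silently treated as success; the hardened contract checks both.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed for the illustration (assumed, not Monerium's interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical contract showing the "unchecked return value" class of bug.
contract UncheckedExample {
    IERC20 public immutable token;

    constructor(IERC20 _token) {
        token = _token;
    }

    // Vulnerable: some ERC-20 implementations return false instead of reverting
    // on failure. Ignoring the bool lets execution continue as if the payout
    // had succeeded, and any bookkeeping after this line goes out of sync.
    function payoutUnchecked(address to, uint256 amount) external {
        token.transfer(to, amount);
    }

    // Vulnerable: a low-level call never reverts on its own. Without inspecting
    // the returned (success, data) tuple, a failed call is silently swallowed.
    function forwardUnchecked(address target, bytes calldata data) external {
        target.call(data);
    }
}

/// Hardened counterpart: every return value is validated before proceeding.
contract CheckedExample {
    IERC20 public immutable token;

    constructor(IERC20 _token) {
        // Basic data validation: a token address without code cannot be an ERC-20.
        require(address(_token).code.length > 0, "token is not a contract");
        token = _token;
    }

    function payoutChecked(address to, uint256 amount) external {
        bool ok = token.transfer(to, amount);
        require(ok, "token transfer failed");
    }

    function forwardChecked(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        (bool success, bytes memory ret) = target.call(data);
        require(success, "low-level call failed");
        return ret;
    }
}
```

In practice the ERC-20 case is usually handled with OpenZeppelin's SafeERC20 (safeTransfer), which also tolerates tokens that return no value at all; the explicit require above is shown so that the missing check is visible.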
Conclusion
Our review yielded 18 findings ranging from informational to medium severity. The most serious issues relate to ownership, access control, and data validation. Although these issues are not direct threats, human error may turn them into vulnerabilities in the future. Of particular concern is the owner's 2/6 multi-signature scheme, which is very weak.
The overall code quality and architecture are not optimal and contain many violations of Solidity development best practices, such as missing data validation, deprecated code, and inconsistent naming conventions.
Ackee Blockchain recommends that Monerium:
- Increase the owner's multi-signature threshold
- Review and revise the access control architecture
- Ensure return values are always validated
- Separate test and production contracts
- Remove unused code from the code base
- Address all other reported issues
UPD: A review of the fixes was performed at commit 3477259. Monerium fixed all medium severity issues and increased the multi-signature scheme to 3/6. The only issue that was acknowledged rather than fixed is L1, with reference to a planned redesign.
A review of the updated fixes was performed at commit 40c7c17, which reverts the fix for M5: Missing decimals validation. The client decided to only acknowledge the issue because an upgrade/migration of the TokenStorage contract is unlikely and complex.
The full Ackee Blockchain audit report for Monerium, with a more detailed description of all findings and recommendations, can be found here.
We would like to thank Monerium and look forward to working with them again.