Frankencoin Undergoes Audit with Code4rena
Frankencoin conducted a 2nd audit with Code4rena, a community-driven audit platform, finding six critical issues.
Between April 12 and April 19, 2023, Code4rena (C4) conducted an analysis of the Frankencoin smart contract system with a total bounty of $60'500 USDC [1]. The detailed results are published here.
C4 is a Web3 security auditing league. A C4 audit is an event in which community participants, referred to as Wardens, review, audit, or analyze smart contract logic in exchange for a bounty provided by sponsoring projects. Wardens consist of security researchers, auditors, developers, and individuals with domain expertise in smart contracts. Industry leaders like AAVE, Sushi, and Opensea have enlisted C4’s help to secure their protocols and go to market faster.
Audit Results
In comparison to the first security audit, the C4 audit revealed more issues, and also more subtle ones. In total, the audit yielded 21 unique vulnerabilities. Of these, 6 received a high-severity risk rating and 15 received a medium-severity risk rating [2]. Additionally, the C4 analysis included 137 reports detailing issues rated low severity or non-critical, and 43 reports recommending gas optimizations.
The most important issue found in the core protocol concerned the calculation of the challenger reward. The other issues mostly revolved around edge cases (e.g. using ERC-20 tokens that subtly deviate from the standard) or frontrunning (e.g. executing a liquidation price change just before the start of a liquidation).
You can access the full C4 audit report here. The report also links to the original findings and recommendations for more detail and analysis.
All uncovered issues will be addressed before the 3rd audit.
Next Steps
Next, we aim to further verify our system's security through an audit by ChainSecurity, a top-rated firm specializing in blockchain and smart contract security. Scheduled for August, this would be the third professional audit for Frankencoin.
ChainSecurity is a Swiss-based firm known for its deep technical expertise in blockchain security. Its credibility is built upon a history of successful audits, identifying critical security flaws in several prominent projects.
Each audit brings us a step closer to our objective of creating a robust system that remains resilient even under extreme conditions.
How to participate in Frankencoin
For more information about the Frankencoin project, please visit our website, follow us on Twitter, and join our Discord channel.
For developer resources and technical discussions, please visit us on GitHub and join our discussion there. Please report issues with the smart contract here.
We encourage you to explore the project, ask questions, and share your thoughts with us. Your engagement will play a vital role in the success of the Frankencoin project, and we look forward to working together to create a truly innovative stablecoin.
[1] C4 offers the ability to start an audit in just 48 hours, a timeline unheard of in a field where the top audit firms are booked out four to six months in advance. So far, over 450 high-severity vulnerabilities have been found across 103 audits, with more than 30 professional auditors participating in every contest on average, and over 100 auditors have found at least one high-severity vulnerability.
[2] C4 assesses the severity of disclosed vulnerabilities using three primary risk categories: high, medium, and low/non-critical. When conducting assessments, the high-level considerations span the following key areas:
Malicious input handling
Escalation of privileges
Arithmetic
Gas use
For more information regarding the severity criteria referenced throughout the submission review process, please refer to the documentation on the C4 website, specifically the section on Severity Categorization.