PoSciDonDAO Case Study: Smart Contract & Governance Fixes
Explore how QuillAudits fortified PoSciDonDAO’s smart contracts and validated its governance model to ensure a secure and robust DeFi framework.
Before QuillAudits
- Ownership renouncement risk could permanently lock out admin control due to unprotected use of renounceRole() from OpenZeppelin’s AccessControl.
- One-Step Admin Role Transfers increased the risk of assigning privileges to an incorrect or malicious address with no fallback.
- Inconsistent address validation in setGovOps() lacked a same-address check, making it prone to unnecessary or redundant updates.
- No Total Supply Check in Locking mechanism risked locking more tokens than intended, breaching the defined TOTAL_SUPPLY_SCI.
After QuillAudits
- Improved Ownership Safeguards: Prevented critical administrative roles from being accidentally or maliciously renounced, preserving contract control.
- Two-Step Admin Role Transfers: Reduce the chance of error as only 1 step for allowing administrative privileges isn’t sufficient.
- Address Consistency Fixes: Adding same-address checks in setGovOps() would protect the governance operations.
- Total Supply Validation: A strict check in the lock() function ensures the locked amount never exceeds TOTAL_SUPPLY_SCI, preserving the logic.
Get an Audit done today for your Smart Contract
Join 1500+ leaders who secured themselves from losing Billion Dollars
What is PoSciDonDAO?
PoSciDonDAO is a pioneering Decentralized Autonomous Organization in the Decentralized Science (DeSci) movement, focused on democratizing and accelerating research in personalized medicine using blockchain and Web3 technologies.
Flow of PoSciDonDAO contracts:
- Initialization: The contract is initialized with an admin and SCI token address.
- Token Locking:
- Users can lock SCI tokens using the lock() function
- Locked tokens grant equivalent voting rights
- A snapshot of voting rights is created after locking
- Governance Interaction:
- When users vote in governance, the governance contract calls voted() to set a time lock
- When users create proposals, the governance contract calls proposed() to set a time lock
- Locked tokens cannot be withdrawn until the time locks expire
- Token Unlocking:
- Users can free locked tokens using the free() function after time locks expire
- Voting rights are reduced accordingly
- A new snapshot is created after unlocking
- Administrative Functions:
- The admin role can be transferred through a two-step process
- Admin can set governance contract addresses
- Admin can toggle emergency mode
Core Components of Governance Contracts
- Token Management:
- Uses OpenZeppelin's IERC20 and SafeERC20 for token operations
- Tracks locked tokens per user and in total
- Prevents locking more than the total supply
- Voting Rights System:
- Tracks voting rights per user
- Provides snapshots of voting rights at specific blocks
- Enables querying of rights at specific snapshots and blocks
- Time Lock Mechanism:
- Manages proposal and voting time locks
- Prevents token withdrawal during lock periods
- Includes emergency override capability
- Access Control:
- Uses OpenZeppelin's AccessControl for role-based permissions
- Implements custom modifiers for governance contract access
- Implements controlled admin transfer process
Our Audit Process
Two highly experienced auditors from our team dedicated nearly seven days to the SciManager Smart Contract audit.
- Information Gathering
- Collected and reviewed all relevant documentation, including whitepaper, technical specifications, and design documents.
- Obtained a clear understanding of the SciManager Smart Contract’s functionality and intended user interactions.
- Discussed client concerns and specific areas of focus for the audit.
- Manual Code Review:
- Conducted a line-by-line review of the smart contract code, focusing on:
- Vulnerability identification: Searching for known vulnerabilities like reentrancy, front-running, integer overflows, and access control issues etc.
- Logic flaws: Identifying inconsistencies or unintended behaviours in the code logic.
- Conducted a line-by-line review of the smart contract code, focusing on:
- Functional Testing:
- Developed and executed a comprehensive set of test cases covering various user interactions and edge cases.
- Leveraged tools like Hardhat and Ganache to deploy and test the smart contract locally.
- Reporting & Remediation:
- Prepared a detailed report outlining all identified vulnerabilities, categorized by severity and potential impact.
- Provided clear recommendations for fixing each vulnerability, including code snippets and best practices.
- Collaborated with the PosciDondao team to prioritize and address the identified issues.
- Conducted additional verification testing after vulnerability fixes were implemented.
Comprehensive Audit Discoveries
1. Ownership Renouncement Risk in Access Control Implementation
Issue: The contract inherits from OpenZeppelin's AccessControl and uses DEFAULT_ADMIN_ROLE. If the admin renounces their role using the inherited renounceRole() function, it could permanently remove administrative control from the contract.
2. Admin Role Changes Should Be Two Step
Issue: The original implementation allowed administrative privileges to be transferred in a single step, creating risk if an incorrect address is provided.
3. Missing Same-Address Check in setGovOps()
Issue: The setGovOps() function was inconsistently implemented compared to setGovRes(), lacking a check against setting the same address.
4. Missing Total Supply Validation in Lock Function
Issue: The lock() function did not validate that the total locked amount would not exceed the TOTAL_SUPPLY_SCI, potentially allowing more tokens to be locked than should exist.
Conclusion
The PosciDonDAO SciManager Smart Contract security audit identified and addressed several vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the PoSciDonDAO Team has taken a significant step towards securing its platform and safeguarding user trust.
