On June 12th, we launched staking for the Delabs Adventure Pass. Today, we’re summarizing our audit with CertiK in accessible language for our community. You can view the official audit report and technical explanation on our CertiK page.
Audit Overview
First and foremost, our audit indicated no critical issues. Our team at Delabs Games has worked closely with CertiK to comprehensively address, mitigate, and resolve all Major and Minor issues.
The audit produced nine findings in total.
The Findings
Informational: 3 (2 Resolved, 1 Acknowledged)
Minor: 4 (2 Resolved, 2 Acknowledged)
Major: 2 (All Mitigated)
To ease any concerns our community members may have about the “mitigated” result, this post will explain what “mitigated” means and why our smart contract is secure. In the screenshot below, the two Major Findings are classified under the Acknowledged category, but CertiK will update both of the Major Findings to “mitigated” shortly. This post will be updated to reflect the change.
Vulnerability Summary
Most smart contracts have privileged functions, meaning that only the owner or creator of the contract can execute the function. These functions are often used to manage the project. Some examples of privileged functions include setting token levels and integrating new functionality in the project. CertiK considers the existence of privileged functions to be a centralization risk. If a single account has access to the privileged functions of the smart contract, and that account gets compromised, it can damage the project.
In the past, projects such as bZx, MGold, Dego Finance, and Vulcan Forged lost millions of dollars in user funds due to compromised keys.
CertiK has pointed out that the management functions and upgradability of our smart contract have some aspects of this centralization risk. As a result, we addressed this risk by transferring the privileged role to a smart-contract-based account with enhanced security practices. Since CertiK considered our response to be appropriate and sufficient, they marked this issue with the mitigated status in our audit report. Once again, the screenshot in this post will be updated to reflect that the Major Findings are classified as mitigated.
Management
One of the main features of Delabs Adventure Pass Staking is that our contracts are upgradable. Upgradable contracts smoothly facilitate smart contract updates without changing the original contract address or contract data storage. As a result, data such as user balance remains the same. This means that our smart contract logic can be improved in the future to incorporate additional functions necessary to expand our ecosystem.
The list of privileged functions in Delabs Adventure Pass Staking provided by CertiK is displayed below:
Since privileged functions are critical to the management of Delabs Adventure Pass Staking, we cannot eliminate the risk by simply removing them. Instead, we’ve consulted with CertiK and followed their recommendation to mitigate these risks. Their recommendation involved two major steps: (1) multisig authorization and (2) 48-hour timelock.
Multisig Authorization
Multisig authorization requires multiple accounts to sign off on a proposed transaction before it executes, thus preventing a single compromised key from harming the project. Our team used Gnosis Safe to enforce multisig authorization for privileged functions. As a result, upgrades on our smart contract require two out of three members of the multisig to sign off on the proposed upgrade before the transaction can be executed.
48-hour Timelock
In addition, our project incorporates a 48-hour delay before the transaction is actually executed. This delay ensures that every change in our contract will be broadcast to the network before the execution occurs. This transparency also gives users time to react and prepare accordingly.
Our Gnosis Safe and Timelock Addresses are available below:
Gnosis Safe #1 (2/3)
0xCf4448927d04e608d4Bbb791a3F0A63625C4eebF
0xAF1727B98C6B00FD8f334BEb77A28a5c24722991
0x80Bc41bC95b15649E7AfED50ad45Ba035c5D4a70
Timelock Address
0x26916b93c4370E04Ec085BF5C851B5a8036d0354
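The two controls described above (two-of-three approval, then a 48-hour delay), as a simplified Python model added here for illustration. It is not Delabs' contract code, Gnosis Safe, or a deployed timelock; it collapses the Safe and the timelock into one object, and the class, method and signer names are hypothetical.

```python
import hashlib

DELAY_SECONDS = 48 * 60 * 60   # 48-hour timelock from the post
THRESHOLD = 2                  # two of three signers must approve


class TimelockedMultisig:
    """Toy model: a privileged call needs THRESHOLD approvals, then a delay."""

    def __init__(self, signers):
        self.signers = frozenset(signers)
        self.approvals = {}   # op_id -> set of signers who approved
        self.ready_at = {}    # op_id -> earliest execution time (seconds)
        self.executed = set()

    @staticmethod
    def op_id(target, call):
        # Bind approvals to the exact call so it cannot be swapped later.
        return hashlib.sha256(f"{target}|{call}".encode()).hexdigest()

    def approve(self, signer, target, call, now):
        if signer not in self.signers:
            raise PermissionError("not a signer")
        oid = self.op_id(target, call)
        self.approvals.setdefault(oid, set()).add(signer)  # set: no double count
        # The delay clock starts only once the threshold is reached.
        if len(self.approvals[oid]) >= THRESHOLD and oid not in self.ready_at:
            self.ready_at[oid] = now + DELAY_SECONDS
        return oid

    def execute(self, target, call, now):
        oid = self.op_id(target, call)
        if oid in self.executed:
            raise RuntimeError("already executed")
        if oid not in self.ready_at:
            raise PermissionError("threshold not reached")
        if now < self.ready_at[oid]:
            raise RuntimeError("timelock not expired")
        self.executed.add(oid)
        return f"executed {call} on {target}"


def try_execute(wallet, target, call, now):
    """Return the result string, or the refusal reason."""
    try:
        return wallet.execute(target, call, now)
    except (PermissionError, RuntimeError) as exc:
        return f"refused: {exc}"
```

With a single approval, `try_execute` returns a refusal; after a second signer approves, it keeps refusing until 48 hours have elapsed, and a second execution of the same call is rejected.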
Conclusion
Overall, we want to highlight that privileged access (centralization) is a risk, not a bug, and these types of risks cannot be completely eliminated, only mitigated. Our work with CertiK ensures that:
Access to privileged functions is never managed by a single user
48 hours of notice and transparency is provided to the community
Our resolution efforts go further than other notable projects like Decentraland and 1inch’s Limit Order. These projects had similar centralization concerns but did not take steps to mitigate the risks.
As a whole, we hope that our use of multisig authorization and timelocks gives the community confidence in the security of our project.