Delabs Games

Share this post

Adventure Pass Staking Contract Audit

delabs.substack.com

Discover more from Delabs Games

Official news and game updates
Continue reading
Sign in

Adventure Pass Staking Contract Audit

An Overview of the Staking Contract Audit with CertiK

Delabs Games
Jun 26, 2023
Share

On June 12th, we launched staking for the Delabs Adventure Pass. Today, we’re summarizing our audit with CertiK in accessible language for our community. You can view the official audit report and technical explanation on our CertiK page.

Audit Overview

First and foremost, our audit indicated no critical issues. Our team at Delabs Games has worked closely with CertiK to comprehensively address, mitigate, and resolve all Major and Minor issues. 

The audit found nine findings in total.

The Findings

Informational: 3 (2 Resolved, 1 Acknowledged)

Minor: 4 (2 Resolved, 2 Acknowledged)

Major: 2 (All Mitigated)

To ease any concerns our community members may have about the “mitigated” result, this post will explain what “mitigated” means and why our smart contract is secure. In the screenshot below, the two Major Findings are classified under the Acknowledged category, but CertiK will update both of the Major Findings to “mitigated” shortly. This post will be updated to reflect the change.

Subscribe for more Delabs Games updates.

Vulnerability Summary

Most smart contracts have privileged functions, meaning that only the owner or creator of the contract can execute the function. These functions are often used to manage the project. Some examples of privileged functions include setting token levels and integrating new functionality in the project. CertiK considers the existence of privileged functions to be a centralization risk. If a single account has access to the privileged functions of the smart contract, and that account gets compromised, it can damage the project.

In the past, projects such as bZx, MGold, Dego Finance, Vulcan Forged lost millions of dollars in user funds due to compromised keys.

CertiK has pointed out that the management functions and upgradability of our smart contract has some aspects of this centralization risk. As a result, we addressed this risk by transferring the privileged role to a smart-contract based account with enhanced security practices. Since CertiK considered our response to be appropriate and sufficient, they marked this issue with the mitigated status in our audit report. Once again, the screenshot in this post will be updated to reflect that the Major Findings are classified as mitigated.

Excited about what we’re building at Delabs Games? Share this post with a friend!

Share

Management

One of the main features of Delabs Adventure Pass Staking is that our contracts are upgradable. Upgradable contracts smoothly facilitate smart contract updates without changing the original contract address or contract data storage. As a result, data such as user balance remains the same. This means that our smart contract logic can be improved in the future to incorporate additional functions necessary to expand our ecosystem.

The list of privileged functions in Delabs Adventure Pass Staking provided by Certik is displayed below:

Since privilege functions are critical to the management of Delabs Adventure Pass Staking, we cannot simply resolve them by removing the issue to eliminate the risk. Instead, we’ve consulted with CertiK and followed their recommendation to mitigate these risks. Their recommendation involved two major steps: (1) multisig authorization and (2) 48-hour timelock.

Multisig Authorization

Multisig authorization requires multiple accounts to sign off on a proposed transaction before it executes, thus preventing a single compromised key from harming the project. Our team used Gnosis Safe to enforce multisig authorization for privileged functions. As a result, upgrades on our smart contract require two out of three members of the multisig to sign off on the proposed upgrade before the transaction can be executed.

48-hour Timelock

In addition, our project incorporates a 48-hour delay before the transaction is actually executed. This delay ensures that every change in our contract will be broadcasted to the network before the execution occurs. This transparency also gives users time to react and prepare accordingly.

Our Gnosis Safe and Timelock Addresses are available below:

Gnosis Safe #1 (2/3)

0xCf4448927d04e608d4Bbb791a3F0A63625C4eebF

0xAF1727B98C6B00FD8f334BEb77A28a5c24722991

0x80Bc41bC95b15649E7AfED50ad45Ba035c5D4a70

Timelock Address

0x26916b93c4370E04Ec085BF5C851B5a8036d0354

Conclusion

Overall, we want to highlight that privileged access (centralization) is a risk, not a bug, and these types of risks cannot be completely eliminated, only mitigated. Our work with CertiK ensures that:

  1. Access to privileged functions is never managed by a single user

  2. 48 hours of notice and transparency is provided to the community

Our resolution efforts go further than other notable projects like Decentraland and 1inch’s Limit Order. These projects had similar centralization concerns but did not take steps to mitigate the risks.

As a whole, we hope that our use of multisig authorization and timelocks gives the community confidence in the security of our project.

Join our community to stay up to date.

Delabs Games Twitter: https://twitter.com/delabsOfficial 

Rumble Racing Star Twitter: https://twitter.com/delabsRRS 

Discord: https://discord.gg/delabsrrs

Share
Top
New

No posts

Ready for more?

© 2023 DELABS. ALL RIGHTS RESERVED
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing