DUCATO Protocol Security Audit Provided by CertiK

CertiK | Aug 18, 2020

Article's Poster

Who is DUCATO?

DUCATO is a Hybrid DeFi 2.0 protocol that combines the advantages of centralized finance, CeFi, with decentralized finance to build a more optimized blockchain ecosystem. Such advantages include providing reliability, speed, and decentralized stability through high liquidity smart contracts, among others.

The DUCATO Protocol allows users to lend and deposit assets, and provides rewards to users with the same cryptocurrency users. The aim is to provide user-centric services that expand to the network, and develop a credible algorithm and decentralized governance to reward users with the most amount of profit.

Additionally the DUCATO Protocol token, KRWD, removes all obstacles that arise between the different financial infrastructures across the world and contributes to the growth of the DeFi market.

The CertiK team was contracted by the DUCATO team to audit the design and implementation of their token smart contract and its compliance with the EIPs it is meant to implement.

About the Audit

The objective of the audit was to discover issues and vulnerabilities in the source code of the KRWD ERC-20 Smart Contract, as well as any contract dependencies that were not part of an officially recognized library.

CertiK’s suite of security experts reviewed and studied the following to uncover bugs that could compromise the software in production:

  1. The Solidity implementation for its business model, general design, and architecture
  2. Potential security vulnerabilities and issues

A comprehensive examination has been performed, utilizing Dynamic Analysis, Static Analysis, and Manual Review techniques.

Audit Details and Sources of Truth

While the sources of truth regarding the operations of the contracts in scope were minimal, CertiK was still able to fully assimilate and understand the code with the help from the tokens use-case.

To help aid our understanding of each contract’s functionality, the CertiK team referred to in-line comments and naming conventions. These were considered the specification, and when discrepancies arose with the actual code behavior, we consulted with the DUCATO team or reported an issue.

Summary and Recommendations

Stated from CertiK’s team of engineers, “the codebase of the project is a typical EIP20 implementation with additional support for a full transfer freezing mechanism and an approve-and-call mechanism for interacting with other contracts.

“Certain optimization steps that we pinpointed in the source code mostly referred to coding standards and inefficiencies and no vulnerabilities or attack vectors were identified during our audit.”

The codebase of the project strictly adheres to the standards and interfaces imposed by the OpenZeppelin open-source libraries and as such its typical ERC-20 functions can be deemed to be of high security and quality, however the custom functionality built on top of it possessed flaws we identified.

Overall, the codebase of the contracts should be refactored to assimilate the findings of this report, enforce linters and / or coding styles as well as correct any spelling errors and mistakes that appear throughout the code to achieve a high standard of code quality and security.

About CertiK

CertiK is a technology-led blockchain security company founded by Computer Science professors from Yale University and Columbia University built to prove the security and correctness of smart contracts and blockchain protocols.

CertiK’s mission of every audit is to apply different approaches and detection methods, ranging from manual, static, and dynamic analysis to ensure that the project is checked against known attacks and potential vulnerabilities. CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verifications on the project, in turn creating a more secure and robust software system.

CertiK has serviced more than 100 clients with high quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.