Our First Audit

CTDSec Audit Report and Additional Information

We are pleased to report that our first code audit has now been completed by CTDSec.

No High severity or Medium severity issues were found during the process.

The audit was technical in nature and focused on identifying any security flaws in the design and implementation of the contract.

The audited files include all core contracts for the platform, such as the AMM/Swap alterations made by our core developer “Crispymangoes” and all of the custom contracts such as our fee manager, price oracle etc.

The CTDSec audit was carried out on the previously private Github repository that has now been made public and can be viewed here:
https://github.com/inthenextversion/audit-gravity-core-ctdsec

The full report can be found here: Cybersecurity_Audit_CTDSEC_Gravity_v4.pdf

As per the report, no high or medium severity issues were noted. One low severity issue was noted, which we will monitor as the platform grows.

In section 4, the auditor notes “Owner Privileges” and some info about the privileges on various SCs and functions. Following conversations with the auditor, additional information about these functions and privileges has been added to the report.

These additional notes are provided so the reader doesn’t need to be a smart contract developer to understand the audit and will allow everyone to read and understand what the functions do and in what capacity they are used.

Example:

The first note is “WalletTimeLock” and says “No access to user funds” and “Owner can withdraw any ERC20 Tokens”.

“No access to user funds” is fine and self-explanatory, but “Owner can withdraw any ERC20 Tokens” could be confusing and concerning for a user who does not know what the “WalletTimeLock” SC/function actually does and in what situations it might be used. Therefore we have provided the auditor with the “Dev Update” information that can be seen throughout section 4, and they have confirmed that this information is accurate.

To continue with the WalletTimeLock example, the additional information now explains that certain project wallets, such as the GFI Farming Rewards wallet, are placed under a 7-day time lock. This is for user peace of mind: users know the team does not have instant access to large amounts of unlocked GFI tokens, and if such a wallet is accessed for any reason, 7 days must pass before the timelock allows the function to be called.

During this 7-day period the WalletTimeLock contract will have emitted an event on-chain that users can monitor. The event explains exactly what is happening (e.g. the GFI Farm Reward Wallet is moving GFI from the wallet to a new address), and users can verify the number of coins moving, where they are going and why. There are many notes of this type in the audit report and we encourage everyone to read the full report thoroughly.
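The queue-then-wait pattern described above, written out as an added Solidity illustration (this is example code, not the audited WalletTimeLock from the repository linked earlier): a withdrawal has to be announced on-chain first and can only execute once the 7-day delay has elapsed, so the queued event is what a monitor watches for. The function and event names and the free-text reason field are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed here (assumed; not the project's own interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative 7-day timelocked wallet (example code, not Gravity's audited contract).
/// Every withdrawal must be queued first; queuing emits an event that shows what is
/// about to move, where it is going and why, before any transfer can happen.
contract WalletTimeLock {
    uint256 public constant DELAY = 7 days;
    address public immutable owner;

    struct Pending { address token; address to; uint256 amount; uint256 readyAt; }
    mapping(bytes32 => Pending) public queue;

    event WithdrawalQueued(bytes32 indexed id, address indexed token, address indexed to,
                           uint256 amount, uint256 readyAt, string reason);
    event WithdrawalExecuted(bytes32 indexed id);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Step 1: announce the move on-chain. Nothing leaves the wallet yet.
    function queueWithdrawal(address token, address to, uint256 amount, string calldata reason)
        external onlyOwner returns (bytes32 id)
    {
        id = keccak256(abi.encode(token, to, amount, reason, block.timestamp));
        require(queue[id].readyAt == 0, "already queued");
        uint256 readyAt = block.timestamp + DELAY;
        queue[id] = Pending(token, to, amount, readyAt);
        emit WithdrawalQueued(id, token, to, amount, readyAt, reason);
    }

    // Step 2: the transfer can only execute once the full delay has elapsed.
    function executeWithdrawal(bytes32 id) external onlyOwner {
        Pending memory p = queue[id];
        require(p.readyAt != 0, "unknown id");
        require(block.timestamp >= p.readyAt, "timelock active");
        delete queue[id]; // clear state before the external call
        require(IERC20(p.token).transfer(p.to, p.amount), "transfer failed");
        emit WithdrawalExecuted(id);
    }
}
```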

Automating Smart Contract Monitoring

As described above, users can monitor smart contracts and wallets for events. This can be done manually: a user could go to their preferred Polygon explorer every day, check for any new events on those smart contracts and read each event to understand what is happening. However, thanks to OpenZeppelin, this process can now be monitored and reported on automatically using OZ Sentinels.

OZ Sentinels allow any user to set up an automated monitor for any smart contract or wallet and any of its functions. A Sentinel then sends the user a notification when a matching event is detected. Better yet, these notifications can be routed to a variety of channels (social media platforms, webhooks, email, etc.), making them extremely versatile for group alerts (Telegram, Discord, etc.) or for an individual who wants to monitor a specific event at a specific address.

We want to encourage our users to set up and run their own OZ Sentinels for major functions and owner privileges in the sensitive contracts, such as the Governance Contract.