BA-2021-002

Exeedme Gaming Ecosystem

Independent Security Assessment

Network
Ethereum Mainnet / BSC
Date
October 20, 2021
Commit
ee573...
Result
Secure

01
Executive Summary

Security assessment of the Exeedme gaming rewards and staking infrastructure. The audit focused on the XED token mechanics, vesting schedules, and multi-chain bridge compatibility within the Play-and-Earn framework.
Findings Classification
Critical: 0
High: 0
Medium: 0
Low: 3
Informational: 0

02
Disclaimer

Note that as of the date of publishing, the contents of this report reflect the current understanding of known security patterns and state of the art regarding system security. You agree that your access and/or use, including but not limited to any associated services, products, protocols, platforms, content, and materials, will be at your sole risk.

The review does not extend to the compiler layer or to any other area beyond the programming language, nor to other programming aspects that could present security risks. Where the audited source files are smart contracts, risks or issues introduced by consuming data feeds from off-chain sources are likewise outside the scope of this review.

Given the size of the project, the findings detailed here are not to be considered exhaustive, and further testing and audit is recommended after the issues covered are fixed.

To the fullest extent permitted by law, we disclaim all warranties, expressed or implied, in connection with this report, its content, and the related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.

FOR AVOIDANCE OF DOUBT, THE REPORT, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.

03
Audit Methodology

The code under review was studied in detail in order to acquire a clear impression of how its specifications were implemented. The codebase was then subjected to deep analysis and scrutiny, resulting in a series of observations. The problems and their potential solutions are discussed in this document and, whenever possible, we identify common sources for such problems and comment on them as well.

1. Code Review

Project Diagnosis

Understanding the size, scope and functionality of your project’s source code based on the specifications, sources, and instructions provided.

Manual Code Review

Reading your source code line-by-line to identify potential vulnerabilities.

Specification Comparison

Determining whether your project’s code successfully and efficiently accomplishes or executes its functions according to the specifications.

2. Testing and Automated Analysis

Test Coverage Analysis

Determining whether the test cases cover your code and how much of your code is exercised.

Symbolic Execution

Analyzing a program to determine which inputs cause each part of the program to execute, so that individual execution paths can be exercised and checked.

3. Best Practices Review

Reviewing the source code to improve maintainability, security, and control based on the latest established industry and academic practices, recommendations, and research.

04
Coverage of Issues

Access Control
Admin Rights
Arithmetic Precision
Code Improvement
Contract Upgrade/Migration
Delete Trap
Design Vulnerability
DoS Attack
EOA Call Trap
Fake Deposit
Function Visibility
Gas Consumption
Implementation Vulnerability
Inappropriate Callback Function
Injection Attack
Integer Overflow/Underflow
IsContract Trap
Miner's Advantage
Misc
Price Manipulation
Proxy selector clashing
Pseudo Random Number
Re-entrancy Attack
Replay Attack
Rollback Attack
Shadow Variable
Slot Conflict
Token Issuance
Tx.origin Authentication
Uninitialized Storage Pointer

05
Finding Detailed Analysis

BA-XED-01
Low

Centralized Pause Privilege

Acknowledged
Description

The administrative role possesses unilateral power to pause and unpause all token transfers across the ecosystem.

Recommendation

Decentralize the pause authority through a multi-sig or timelock to remove the single point of failure. Since a pause is typically an incident-response action that must take effect quickly, a multi-sig is the natural control for pausing itself; a timelock is better suited to unpausing and to other administrative changes.

Technical Exploit Scenario

If the administrator's private key is compromised, an attacker could pause all XED token transfers and keep them paused for as long as they hold the key. Every holder's tokens would be frozen in place, secondary-market trading would halt, and any protocol function that depends on transfers would stop with it.

BA-XED-02
Low

Premature Vesting Activation Vector

Acknowledged
Description

The admin can reset activation times for vesting schedules, which could allow tokens to be unlocked ahead of the public roadmap.

Recommendation

Limit the admin's ability to change activation times once tokens are initially locked.

Technical Exploit Scenario

A rogue administrator could change the 'activationTime' of a large investor's or founder's vesting schedule to a past date, making the entire allocation immediately releasable. Millions of tokens that the public roadmap presents as locked could then be sold on the open market long before the agreed release dates, with a correspondingly severe impact on price.
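To make the recommendation concrete, the following is an added example written for this page, not Exeedme's contract: a minimal vesting schedule in which activationTime can be set or adjusted only until the schedule is locked (a one-way flag set when the tokens are deposited), and never to a timestamp in the past. The vulnerable behaviour described in the finding is shown as a comment for comparison. The interface subset, the contract, struct and function names, and the locked flag are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example for this report page; not the Exeedme contract.
// The interface subset, contract, struct and function names and the
// 'locked' flag are assumptions chosen for illustration.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract VestingExample {
    struct Schedule {
        uint256 amount;         // total tokens vested for this beneficiary
        uint256 activationTime; // unix time at which vesting starts
        uint256 duration;       // seconds from activation until fully vested
        uint256 released;       // tokens already withdrawn
        bool locked;            // set once when tokens are deposited; one-way
    }

    IERC20 public immutable token;
    address public owner;
    mapping(address => Schedule) public schedules;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    // Vulnerable pattern described in BA-XED-02 (shown for comparison, not
    // part of this contract): the owner may rewrite activationTime at any
    // time, including to a timestamp already in the past.
    //
    //   function setActivationTime(address b, uint256 t) external onlyOwner {
    //       schedules[b].activationTime = t;
    //   }

    // Hardened: parameters can be set only while the schedule is unlocked,
    // and activation can never be moved into the past.
    function createSchedule(
        address beneficiary,
        uint256 amount,
        uint256 activationTime,
        uint256 duration
    ) external onlyOwner {
        Schedule storage s = schedules[beneficiary];
        require(!s.locked, "schedule locked");
        require(amount > 0 && duration > 0, "bad parameters");
        require(activationTime >= block.timestamp, "activation in the past");
        s.amount = amount;
        s.activationTime = activationTime;
        s.duration = duration;
    }

    function setActivationTime(address beneficiary, uint256 newTime) external onlyOwner {
        Schedule storage s = schedules[beneficiary];
        require(s.amount > 0, "no schedule");
        require(!s.locked, "schedule locked");
        require(newTime >= block.timestamp, "activation in the past");
        s.activationTime = newTime;
    }

    // Locking deposits the tokens (the owner must have approved this contract
    // beforehand) and freezes the schedule. No admin path clears the flag.
    function lock(address beneficiary) external onlyOwner {
        Schedule storage s = schedules[beneficiary];
        require(s.amount > 0, "no schedule");
        require(!s.locked, "already locked");
        s.locked = true;
        require(token.transferFrom(msg.sender, address(this), s.amount), "funding failed");
    }

    // Linear vesting from activationTime over duration.
    function vestedAmount(address beneficiary) public view returns (uint256) {
        Schedule storage s = schedules[beneficiary];
        if (block.timestamp < s.activationTime) return 0;
        uint256 elapsed = block.timestamp - s.activationTime;
        if (elapsed >= s.duration) return s.amount;
        return (s.amount * elapsed) / s.duration;
    }

    // Beneficiaries can withdraw only from locked (funded, frozen) schedules.
    function release() external {
        Schedule storage s = schedules[msg.sender];
        require(s.locked, "schedule not locked");
        uint256 releasable = vestedAmount(msg.sender) - s.released;
        require(releasable > 0, "nothing to release");
        s.released += releasable;
        require(token.transfer(msg.sender, releasable), "transfer failed");
    }
}
```

The property the finding asks for is enforced by two checks that appear in every setter: the schedule must not yet be locked, and the new activation time must not precede the current block. Once lock() has run, the only remaining state transition is release(), which moves tokens to the beneficiary and never back to the owner.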

BA-XED-03
Low

Unconstrained Token Migration Power

Acknowledged
Description

Admin roles can initiate token migrations from vesting contracts to new addresses without built-in delays.

Recommendation

Implement a 48-hour timelock for any treasury migration actions to allow community monitoring.

Technical Exploit Scenario

An administrator (or an attacker who has gained access to the owner role) could trigger the migration function and transfer the entire vesting treasury to a private wallet in a single transaction. Because there is no mandatory delay, the transfer becomes visible on-chain only once it has already executed: holders and monitoring tools can observe it but have no window in which to react before the tokens are moved and sold.
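The 48-hour delay recommended above, as an added example that is not the project's own code: a migration is first queued on-chain, which emits an event that holders and monitoring tools can watch, and can be executed only after DELAY has elapsed. A grace window prevents a forgotten proposal from being executed much later, and a cancel path lets the owner withdraw a proposal if the key is found to be compromised during the waiting period. The owner address here is intended to be the multi-sig called for in BA-XED-01. The contract name, the Migration struct, the function and event names, and the 7-day grace period are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example for this report page; not the Exeedme contract.
// Contract, struct, function and event names, and the 7-day grace
// period, are assumptions chosen for illustration.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TimelockedMigration {
    uint256 public constant DELAY = 48 hours;       // per BA-XED-03
    uint256 public constant GRACE_PERIOD = 7 days;  // stale proposals expire

    IERC20 public immutable token;
    address public owner; // expected to be a multi-sig, not a single EOA

    struct Migration {
        address to;
        uint256 amount;
        uint256 eta; // earliest timestamp at which execution is allowed
    }
    mapping(bytes32 => Migration) public queue;

    event MigrationQueued(bytes32 indexed id, address to, uint256 amount, uint256 eta);
    event MigrationCancelled(bytes32 indexed id);
    event MigrationExecuted(bytes32 indexed id, address to, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IERC20 _token, address _owner) {
        token = _token;
        owner = _owner;
    }

    // Step 1: announce the migration. Nothing moves yet; the event gives the
    // community and monitoring tools the full delay in which to react.
    function queueMigration(address to, uint256 amount) external onlyOwner returns (bytes32 id) {
        require(to != address(0), "zero address");
        uint256 eta = block.timestamp + DELAY;
        id = keccak256(abi.encode(to, amount, eta));
        require(queue[id].eta == 0, "already queued");
        queue[id] = Migration(to, amount, eta);
        emit MigrationQueued(id, to, amount, eta);
    }

    // The owner may withdraw a pending proposal, e.g. after a key compromise
    // is detected during the waiting period and the multi-sig is rotated.
    function cancelMigration(bytes32 id) external onlyOwner {
        require(queue[id].eta != 0, "unknown proposal");
        delete queue[id];
        emit MigrationCancelled(id);
    }

    // Step 2: execute only after the delay has passed and before the proposal
    // goes stale. The entry is deleted first so it cannot be replayed.
    function executeMigration(bytes32 id) external onlyOwner {
        Migration memory m = queue[id];
        require(m.eta != 0, "unknown proposal");
        require(block.timestamp >= m.eta, "timelock not expired");
        require(block.timestamp <= m.eta + GRACE_PERIOD, "proposal stale");
        delete queue[id];
        require(token.transfer(m.to, m.amount), "transfer failed");
        emit MigrationExecuted(id, m.to, m.amount);
    }
}
```

The point of the queue/execute split is that an attacker holding the owner key can no longer move the treasury in one step: the MigrationQueued event is emitted at least 48 hours before any tokens leave the contract, which is the window the recommendation asks for.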

Standard of Integrity

BACKCODE ANALYTICS

Formal verification & cryptographic audit lab. We provide the mathematical certainty required for the decentralized future.

BACKCODE.ORG
VERIFIED REPORT