Roco Finance Ecosystem
Independent Security Assessment
01 Executive Summary
02 Disclaimer
Note that as of the date of publishing, the contents of this report reflect the current understanding of known security patterns and state of the art regarding system security. You agree that your access and/or use, including but not limited to any associated services, products, protocols, platforms, content, and materials, will be at your sole risk.
The review does not extend to the compiler layer, or any other areas beyond the programming language, or other programming aspects that could present security risks. If the audited source files are smart contract files, risks or issues introduced by using data feeds from offchain sources are not extended by this review either.
Given the size of the project, the findings detailed here are not to be considered exhaustive, and further testing and audit is recommended after the issues covered are fixed.
To the fullest extent permitted by law, we disclaim all warranties, expressed or implied, in connection with this report, its content, and the related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.
FOR AVOIDANCE OF DOUBT, THE REPORT, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.
03 Audit Methodology
The code of the in-scope files was studied in detail in order to acquire a clear impression of how its specifications were implemented. The codebase was then subjected to deep analysis and scrutiny, resulting in a series of observations. The problems and their potential solutions are discussed in this document and, whenever possible, we identify common sources of such problems and comment on them as well.
• Project Diagnosis
Understanding the size, scope and functionality of your project’s source code based on the specifications, sources, and instructions provided.
• Manual Code Review
Reading your source code line-by-line to identify potential vulnerabilities.
• Specification Comparison
Determining whether your project’s code successfully and efficiently accomplishes or executes its functions according to the specifications.
• Test Coverage Analysis
Determining whether the test cases cover your code and how much of your code is exercised.
• Symbolic Execution
Analyzing the program to determine which inputs drive execution down each of its paths, so that edge cases the test suite does not reach are still exercised.
Reviewing the source code to improve maintainability, security, and control based on the latest established industry and academic practices, recommendations, and research.
04 Coverage of Issues
05 Finding Detailed Analysis
Inappropriate Handling of Admin Rights
Description: The lock and unlock functions that gate specific user actions are controlled by a single centralized admin role, with no delay, second approver or other oversight.
Recommendation: Put administrative locking actions behind a time-lock and/or a multi-signature wallet, and emit an event when a lock is scheduled so that affected users and the community can see it before it takes effect.
Impact scenario: A compromised administrator account could call 'lock' against high-volume traders or competitors, preventing them from interacting with the protocol during peak market volatility, which amounts to a targeted denial of service (DoS).
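The following Solidity contract is an added example written for this report, not Roco Finance's code, showing the two-step, delayed lock the recommendation describes. The admin first announces a lock (an event is emitted and the earliest execution time is recorded) and can only apply it after the delay has elapsed; unlocking, which only restores a user's access, stays immediate. The names LOCK_DELAY, proposeLock, executeLock, pendingLockEta and deposit are assumptions for illustration, and the admin address is expected to be a multi-signature wallet rather than a single key.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Roco Finance code): an admin lock that can only be
/// executed after a public delay. All identifiers are illustrative.
contract TimelockedUserLock {
    address public admin;                        // ideally a multi-sig, not an EOA
    uint256 public constant LOCK_DELAY = 2 days; // assumed delay before a lock applies

    mapping(address => bool) public locked;
    mapping(address => uint256) public pendingLockEta; // 0 = no pending lock
    mapping(address => uint256) public deposits;

    event LockProposed(address indexed user, uint256 eta);
    event LockCancelled(address indexed user);
    event Locked(address indexed user);
    event Unlocked(address indexed user);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    /// User actions are gated on the lock flag, never on a pending proposal.
    modifier notLocked() {
        require(!locked[msg.sender], "account locked");
        _;
    }

    constructor(address _admin) {
        require(_admin != address(0), "zero admin");
        admin = _admin;
    }

    /// Step 1: announce the lock. Nothing changes for the user yet.
    function proposeLock(address user) external onlyAdmin {
        require(!locked[user], "already locked");
        require(pendingLockEta[user] == 0, "already proposed");
        uint256 eta = block.timestamp + LOCK_DELAY;
        pendingLockEta[user] = eta;
        emit LockProposed(user, eta);
    }

    /// Step 2: apply the lock only once the delay has elapsed.
    function executeLock(address user) external onlyAdmin {
        uint256 eta = pendingLockEta[user];
        require(eta != 0, "no pending lock");
        require(block.timestamp >= eta, "delay not elapsed");
        delete pendingLockEta[user];
        locked[user] = true;
        emit Locked(user);
    }

    function cancelLock(address user) external onlyAdmin {
        require(pendingLockEta[user] != 0, "no pending lock");
        delete pendingLockEta[user];
        emit LockCancelled(user);
    }

    /// Unlocking restores access, so it may stay immediate.
    function unlock(address user) external onlyAdmin {
        require(locked[user], "not locked");
        locked[user] = false;
        emit Unlocked(user);
    }

    /// A user action protected by the lock. Only accounting is shown here;
    /// token transfers are outside the scope of this illustration.
    function deposit(uint256 amount) external notLocked {
        require(amount > 0, "zero amount");
        deposits[msg.sender] += amount;
    }
}
```

With this shape a stolen admin key can still schedule a lock, but the LockProposed event gives the targeted user LOCK_DELAY to exit their position and gives the protocol's multi-signature signers time to cancel the proposal.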
Missing Constraints for BalanceTemp
Description: The 'setBalanceTemp' function has neither a lower nor an upper bound, so the value can be set to zero or to values large enough to disrupt the internal reward logic.
Recommendation: Add strict require statements so that 'BalanceTemp' stays within a documented range: non-zero, and below a maximum that keeps the reward arithmetic well away from overflow.
Impact scenario: If the administrator sets 'BalanceTemp' to zero or to an extremely large value, by mistake or maliciously, the staking reward calculations can fail (division by zero, overflow, or a revert from checked arithmetic, depending on how the value is used and on the compiler version), preventing users from claiming their dividends.
Missing Constraints for Parameter Settings
Description: Critical parameters such as startTime, endTime and FeeRate are set without initial validation. In particular, FeeRate is not capped, and the time parameters are not checked for ordering or sanity.
Recommendation: Enforce a hard cap of 10% on FeeRate and validate the time parameters (for example, require startTime < endTime and reject a start time in the past).
Impact scenario: A rogue admin could set 'FeeRate' to 100%, taking all user rewards as fees when users claim their staked dividends: users would receive 0 tokens while the fee wallet collects the full reward.
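The contract below is an added example, not Roco Finance's code, covering both the BalanceTemp finding and the parameter-settings finding above: every setter enforces the bounds the recommendations ask for, and the unbounded "before" shape is kept as a comment for comparison. The fee is assumed to be expressed in basis points (FEE_DENOMINATOR = 10,000, so MAX_FEE_RATE = 1,000 is the 10% cap), and the MIN_BALANCE_TEMP / MAX_BALANCE_TEMP constants and the treatment of balanceTemp as a scaling value used in reward arithmetic are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Roco Finance code): bounded parameter setters.
/// Denominators, caps and the role of balanceTemp are assumptions.
contract BoundedParameters {
    address public admin;

    uint256 public constant FEE_DENOMINATOR = 10_000;   // fee in basis points
    uint256 public constant MAX_FEE_RATE = 1_000;       // 10% hard cap
    uint256 public constant MIN_BALANCE_TEMP = 1;       // zero would divide by zero
    uint256 public constant MAX_BALANCE_TEMP = 1e30;    // keeps reward math far from overflow

    uint256 public feeRate;
    uint256 public startTime;
    uint256 public endTime;
    uint256 public balanceTemp = 1e18;

    event FeeRateUpdated(uint256 oldRate, uint256 newRate);
    event ScheduleUpdated(uint256 startTime, uint256 endTime);
    event BalanceTempUpdated(uint256 oldValue, uint256 newValue);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(uint256 _feeRate, uint256 _startTime, uint256 _endTime) {
        admin = msg.sender;
        _setFeeRate(_feeRate);
        _setSchedule(_startTime, _endTime);
    }

    // Before, as the findings describe it: no bounds at all.
    // function setFeeRate(uint256 r) external onlyAdmin { feeRate = r; }         // 100% fee accepted
    // function setBalanceTemp(uint256 v) external onlyAdmin { balanceTemp = v; } // 0 or huge accepted

    function setFeeRate(uint256 newRate) external onlyAdmin {
        _setFeeRate(newRate);
    }

    /// The schedule may only be changed before the current one has started.
    function setSchedule(uint256 _start, uint256 _end) external onlyAdmin {
        require(block.timestamp < startTime, "schedule already started");
        _setSchedule(_start, _end);
    }

    function setBalanceTemp(uint256 newValue) external onlyAdmin {
        require(newValue >= MIN_BALANCE_TEMP, "balanceTemp too small");
        require(newValue <= MAX_BALANCE_TEMP, "balanceTemp too large");
        emit BalanceTempUpdated(balanceTemp, newValue);
        balanceTemp = newValue;
    }

    function _setFeeRate(uint256 newRate) internal {
        require(newRate <= MAX_FEE_RATE, "fee exceeds 10% cap");
        emit FeeRateUpdated(feeRate, newRate);
        feeRate = newRate;
    }

    function _setSchedule(uint256 _start, uint256 _end) internal {
        require(_start >= block.timestamp, "start in the past");
        require(_end > _start, "end not after start");
        startTime = _start;
        endTime = _end;
        emit ScheduleUpdated(_start, _end);
    }

    /// Fee split applied on a claim. With the cap above a user always keeps
    /// at least 90% of the reward, so the "0 tokens to the user" scenario
    /// cannot occur.
    function splitFee(uint256 reward)
        public
        view
        returns (uint256 toUser, uint256 toFeeWallet)
    {
        toFeeWallet = (reward * feeRate) / FEE_DENOMINATOR;
        toUser = reward - toFeeWallet;
    }
}
```

The constructor runs the same checks as the setters, so a deployment with a 100% fee or an inverted schedule fails at deploy time rather than going live; this is the point of the "initial constraints" the finding refers to.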
Improper Design of Emergency Withdrawal
Description: The 'withdrawEmergencyUser' function depends on a global 'disable' flag; if that flag is set incorrectly, the escape hatch itself becomes unusable.
Recommendation: Make the emergency withdrawal reachable regardless of secondary logic flags such as 'disable' or pause states. The only condition it should depend on is the caller's own staked balance.
Impact scenario: If the main protocol suffers a bug and needs to be paused, and the 'disable' flag is inadvertently set to true as part of that response, the emergency withdrawal path that exists precisely for such moments becomes inaccessible, trapping user funds indefinitely.
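Below is an added example, not Roco Finance's code, of an emergency exit that cannot be bricked by an unrelated flag. The 'disable' flag still gates the normal deposit path, but 'withdrawEmergencyUser' depends only on the caller's staked amount, zeroes the position before transferring (checks-effects-interactions) and is guarded against reentrancy. The UserInfo layout, the stakeToken field and the names setDisable and deposit are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Added example (not Roco Finance code): an emergency exit that ignores the
/// `disable` flag. Storage layout and identifiers are assumptions.
contract EmergencyExit {
    struct UserInfo {
        uint256 amount;      // principal staked
        uint256 rewardDebt;  // reward accounting, forfeited on emergency exit
    }

    IERC20 public immutable stakeToken;
    address public admin;
    bool public disable;          // pauses the normal deposit/claim paths only
    uint256 private _entered = 1; // minimal reentrancy guard

    mapping(address => UserInfo) public userInfo;

    event EmergencyWithdraw(address indexed user, uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    constructor(IERC20 _stakeToken) {
        stakeToken = _stakeToken;
        admin = msg.sender;
    }

    function setDisable(bool value) external onlyAdmin {
        disable = value;
    }

    // Vulnerable shape described in the finding: the exit is gated by `disable`.
    // function withdrawEmergencyUser() external {
    //     require(!disable, "disabled"); // an admin mistake now traps user funds
    //     ...
    // }

    /// Hardened: no dependency on `disable` or any other pause flag.
    /// The caller forfeits pending rewards and receives their principal.
    function withdrawEmergencyUser() external nonReentrant {
        UserInfo storage user = userInfo[msg.sender];
        uint256 amount = user.amount;
        require(amount > 0, "nothing staked");

        // Effects before interaction: clear the position first.
        user.amount = 0;
        user.rewardDebt = 0;

        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
        emit EmergencyWithdraw(msg.sender, amount);
    }

    /// Normal deposit path; this one `disable` is allowed to gate.
    function deposit(uint256 amount) external nonReentrant {
        require(!disable, "deposits disabled");
        require(amount > 0, "zero amount");
        require(
            stakeToken.transferFrom(msg.sender, address(this), amount),
            "transferFrom failed"
        );
        userInfo[msg.sender].amount += amount;
    }
}
```

Two practical notes: the example uses the boolean return value of transfer, so a production version should use a SafeERC20-style wrapper to cope with tokens that return nothing; and the emergency function deliberately performs no reward arithmetic, so it keeps working even if the reward calculation itself is the part of the protocol that is broken.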
Missing Constraint for setPerRocoSecond
Description: The reward rate can be changed arbitrarily by the admin through 'setPerRocoSecond', with immediate effect on live staking pools.
Recommendation: Limit the percentage by which the reward rate may change per cycle and/or enforce a delay before a new rate takes effect, and settle rewards accrued so far at the old rate before the new one is applied.
Impact scenario: The admin could attract users with a high advertised reward rate (APY) and, immediately after a large amount of TVL has been staked, lower the rate through 'setPerRocoSecond' to near zero, drastically reducing the return for users who are now locked in.
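The following contract is an added example written for this report, not Roco Finance's code. It bounds each rate change to a maximum percentage step, enforces a cooldown between changes, and updates the reward accumulator at the old rate before switching, so that rewards already earned are not re-priced. The names perRocoSecond, MAX_STEP_BPS, RATE_COOLDOWN, accRewardPerShare and updatePool, and the MasterChef-style accumulator they imply, are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Roco Finance code): a rate-limited reward-rate setter
/// that settles accrued rewards before the change. Identifiers are assumptions.
contract BoundedRewardRate {
    address public admin;

    uint256 public constant BPS = 10_000;
    uint256 public constant MAX_STEP_BPS = 2_000;     // at most +/-20% per change
    uint256 public constant RATE_COOLDOWN = 1 days;   // at least one day between changes
    uint256 public constant PRECISION = 1e12;

    uint256 public perRocoSecond;                     // reward emitted per second
    uint256 public lastRateChange;

    uint256 public totalStaked;
    uint256 public accRewardPerShare;                 // scaled by PRECISION
    uint256 public lastRewardTime;
    mapping(address => uint256) public staked;

    event RateChanged(uint256 oldRate, uint256 newRate);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(uint256 initialRate) {
        // A zero starting rate could never be raised under the step rule.
        require(initialRate > 0, "zero initial rate");
        admin = msg.sender;
        perRocoSecond = initialRate;
        lastRewardTime = block.timestamp;
    }

    /// Bring the accumulator up to date at the *current* rate. Called before
    /// any rate change so that past rewards are not re-priced retroactively.
    function updatePool() public {
        if (block.timestamp <= lastRewardTime) return;
        if (totalStaked > 0) {
            uint256 elapsed = block.timestamp - lastRewardTime;
            accRewardPerShare += (elapsed * perRocoSecond * PRECISION) / totalStaked;
        }
        lastRewardTime = block.timestamp;
    }

    // Vulnerable shape from the finding: unbounded and immediate.
    // function setPerRocoSecond(uint256 r) external onlyAdmin { perRocoSecond = r; }

    function setPerRocoSecond(uint256 newRate) external onlyAdmin {
        require(block.timestamp >= lastRateChange + RATE_COOLDOWN, "rate cooldown");
        require(isWithinStep(perRocoSecond, newRate), "change exceeds step limit");

        updatePool();                      // settle at the old rate first
        emit RateChanged(perRocoSecond, newRate);
        perRocoSecond = newRate;
        lastRateChange = block.timestamp;
    }

    /// True when newRate lies within +/- MAX_STEP_BPS of oldRate.
    function isWithinStep(uint256 oldRate, uint256 newRate) public pure returns (bool) {
        uint256 maxDelta = (oldRate * MAX_STEP_BPS) / BPS;
        uint256 delta = newRate > oldRate ? newRate - oldRate : oldRate - newRate;
        return delta <= maxDelta;
    }

    /// Minimal staking accounting so the accumulator has something to track;
    /// the token transfer is outside the scope of this illustration.
    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        updatePool();
        staked[msg.sender] += amount;
        totalStaked += amount;
    }
}
```

With a 20% step and a one-day cooldown, cutting the rate to roughly a tenth of its starting value (0.8 to the tenth power is about 0.107) takes at least ten changes over ten days, and every change is visible on-chain through RateChanged, which gives stakers time to leave rather than being rug-pulled in a single transaction.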
Informational Finding mapping from Neutral
Description: Review of the neutral FP-6 report category yields informational improvements concerning code readability and library usage.
Recommendation: Standardize formatting and library usage across the internal libraries.
Impact scenario: While not directly exploitable, poor code readability makes maintenance errors more likely in future upgrades and can introduce critical bugs during hot-fixes.
BACKCODE ANALYTICS
Formal verification & cryptographic audit lab. We provide the mathematical certainty required for the decentralized future.