Bird.Money Oracle V2 - Smart Contract Audit Report
Summary
Bird.Money has built an off-chain oracle, analytics, and lending platform. We previously reviewed the project's token contract here, and their lending platform here. For this audit, we analyzed the project team's V2 Oracle contract on GitHub at commit a7bcb6490875daaf8c414d9189f40254ec489435.
Notes of the Contract:Audit Findings:
- This contract is used for the reporting and confirmation of off-chain data.
- The contract allows for a number of data providers (referred to as "Birds") to provide data upon a request where a payment in $BIRD is included.
- Each data provider has a status indicator showing if the provider is trusted. The team can change the status of data providers.
- When a data request is received, a minimum of two data providers must confirm an answer before it is considered valid. The team can update this threshold.
- Users looking to gain access to data can pay 1 BIRD to the contract for 30 days of access.
- If the number of providers gets very large, the loop that pays them could become very costly.
- Some functions can be declared external instead of public to save on gas.
- Utilization of SafeMath to prevent overflows.
- An external attacker could spam attack requests after purchasing access to the oracle; causing data providers to spend all of their available ETH providing unused answers.
- Date: April 5th, 2021
External Threat Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Economic Issues | An attacker can pay 1 BIRD then initiate unlimited requests; draining data provider's funds. | FAIL |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | Pass |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | FAIL |
Function Graph
Inheritence Chart
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ Context
- [Int] _msgSender
- [Int] _msgData
+ Ownable (Context)
- [Int] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Lib] SafeMath
- [Int] add
- [Int] sub
- [Int] sub
- [Int] mul
- [Int] div
- [Int] div
- [Int] mod
- [Int] mod
+ BirdOracle (Ownable)
- [Pub] #
- [Pub] addProvider #
- modifiers: onlyOwner
- [Pub] removeProvider #
- modifiers: onlyOwner
- [Pub] newChainRequest #
- modifiers: paymentApproved
- [Pub] updatedChainRequest #
- [Pub] getRatingByAddress
- modifiers: paymentApproved
- [Pub] getRating
- [Pub] getProviders
- [Pub] sendPayment #
- [Pub] rewardProviders #
- [Pub] isApproved
- [Pub] isApproved
- [Pub] setMinConsensus #
- modifiers: onlyOwner