Bird.Money Oracle V2 - Smart Contract Audit Report


Bird Oracle Token Audit Report Bird.Money has built an off-chain oracle, analytics, and lending platform. We previously reviewed the project's token contract here, and their lending platform here. For this audit, we analyzed the project team's V2 Oracle contract on GitHub at commit a7bcb6490875daaf8c414d9189f40254ec489435.

Notes of the Contract:
  • This contract is used for the reporting and confirmation of off-chain data.
  • The contract allows for a number of data providers (referred to as "Birds") to provide data upon a request where a payment in $BIRD is included.
  • Each data provider has a status indicator showing if the provider is trusted. The team can change the status of data providers.
  • When a data request is received, a minimum of two data providers must confirm an answer before it is considered valid. The team can update this threshold.
  • Users looking to gain access to data can pay 1 BIRD to the contract for 30 days of access.

  • If the number of providers gets very large, the loop that pays them could become very costly.
  • Some functions can be declared external instead of public to save on gas.
  • Utilization of SafeMath to prevent overflows.
Audit Findings:
  • An external attacker could spam attack requests after purchasing access to the oracle; causing data providers to spend all of their available ETH providing unused answers.
  • Date: April 5th, 2021

External Threat Results

Vulnerability CategoryNotesResult
Arbitrary Storage WriteN/APASS
Arbitrary JumpN/APASS
Delegate Call to Untrusted ContractN/APASS
Dependence on Predictable VariablesN/APASS
Deprecated OpcodesN/APASS
Economic IssuesAn attacker can pay 1 BIRD then initiate unlimited
requests; draining data provider's funds.
Ether ThiefN/APASS
External CallsN/APASS
Integer Over/UnderflowN/APASS
Multiple SendsN/APASS
State Change External CallsN/APass
Unchecked RetvalN/APASS
User Supplied AssertionN/APASS
Critical Solidity CompilerN/APASS
Overall Contract Safety FAIL

Function Graph

ERC20 Token Graph

Inheritence Chart

Multi-file Token

Functions Overview

 ($) = payable function
 # = non-constant function
 Int = Internal
 Ext = External
 Pub = Public
 + [Int] IERC20 
    - [Ext] totalSupply
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 +  Ownable (Context)
    - [Int]  #
    - [Pub] owner
    - [Pub] renounceOwnership #
       - modifiers: onlyOwner
    - [Pub] transferOwnership #
       - modifiers: onlyOwner

 + [Lib] SafeMath 
    - [Int] add
    - [Int] sub
    - [Int] sub
    - [Int] mul
    - [Int] div
    - [Int] div
    - [Int] mod
    - [Int] mod

 +  BirdOracle (Ownable)
    - [Pub]  #
    - [Pub] addProvider #
       - modifiers: onlyOwner
    - [Pub] removeProvider #
       - modifiers: onlyOwner
    - [Pub] newChainRequest #
       - modifiers: paymentApproved
    - [Pub] updatedChainRequest #
    - [Pub] getRatingByAddress
       - modifiers: paymentApproved
    - [Pub] getRating
    - [Pub] getProviders
    - [Pub] sendPayment #
    - [Pub] rewardProviders #
    - [Pub] isApproved
    - [Pub] isApproved
    - [Pub] setMinConsensus #
       - modifiers: onlyOwner