Bird.Money Oracle V2 - Smart Contract Audit Report
Bird.Money has built an off-chain oracle, analytics, and lending platform. We previously reviewed the project's token contract here, and their lending platform here. For this audit, we analyzed the project team's V2 Oracle contract on GitHub at commit a7bcb6490875daaf8c414d9189f40254ec489435.
Notes of the Contract:
- This contract is used for the reporting and confirmation of off-chain data.
- The contract allows for a number of data providers (referred to as "Birds") to provide data upon a request where a payment in $BIRD is included.
- Each data provider has a status indicator showing if the provider is trusted. The team can change the status of data providers.
- When a data request is received, a minimum of two data providers must confirm an answer before it is considered valid. The team can update this threshold.
- Users looking to gain access to data can pay 1 BIRD to the contract for 30 days of access.
- If the number of providers gets very large, the loop that pays them could become very costly.
- Some functions can be declared external instead of public to save on gas.
- Utilization of SafeMath to prevent overflows.
- An external attacker could spam requests after purchasing access to the oracle, causing data providers to spend all of their available ETH providing unused answers.
- Date: April 5th, 2021
External Threat Results
|Vulnerability Category|Notes|Result|
|---|---|---|
|Arbitrary Storage Write|N/A|PASS|
|Delegate Call to Untrusted Contract|N/A|PASS|
|Dependence on Predictable Variables|N/A|PASS|
|Economic Issues|An attacker can pay 1 BIRD then initiate unlimited requests, draining data providers' funds.| |
|State Change External Calls|N/A|PASS|
|User Supplied Assertion|N/A|PASS|
|Critical Solidity Compiler|N/A|PASS|
|Overall Contract Safety| |FAIL|
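One provider-side way to bound the cost of the request spam described in the Economic Issues finding, as an added example (not code from Bird.Money or from this audit): an off-chain guard that rate-limits answers per requester and caps daily gas spend. The gas figures, the class and function names, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed figures for illustration only; not taken from the audited contract.
ANSWER_GAS = 80_000                      # gas per answer transaction (assumption)
GAS_PRICE_WEI = 100 * 10**9              # 100 gwei (assumption)
COST_WEI = ANSWER_GAS * GAS_PRICE_WEI    # ETH cost of one on-chain answer

class AnswerGuard:
    """Decides whether a provider node should spend gas answering a request."""

    def __init__(self, max_per_window, window_secs, daily_budget_wei):
        self.max_per_window = max_per_window
        self.window_secs = window_secs
        self.daily_budget_wei = daily_budget_wei
        self.recent = defaultdict(deque)   # requester -> timestamps of answered requests
        self.spent = defaultdict(int)      # UTC day number -> wei spent on answers

    def should_answer(self, requester, ts, cost_wei=COST_WEI):
        day = ts // 86400
        # Hard cap first: bounds the loss even if spam comes from many paid addresses.
        if self.spent[day] + cost_wei > self.daily_budget_wei:
            return False, "daily gas budget exhausted"
        q = self.recent[requester.lower()]
        while q and q[0] <= ts - self.window_secs:   # drop entries outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False, "requester over rate limit"
        q.append(ts)
        self.spent[day] += cost_wei
        return True, "ok"

def replay(events, guard):
    """Feed (timestamp, requester, key) request events through the guard."""
    answered, dropped = defaultdict(int), defaultdict(int)
    for ts, requester, _key in sorted(events):
        ok, _reason = guard.should_answer(requester, ts)
        (answered if ok else dropped)[requester] += 1
    return dict(answered), dict(dropped)

# Constructed sample: one address floods 50 requests in 50 s, another sends 2.
T0 = 1_617_600_000
SPAMMER, NORMAL = "0x" + "aa" * 20, "0x" + "bb" * 20
EVENTS = [(T0 + i, SPAMMER, "rating") for i in range(50)]
EVENTS += [(T0 + 10, NORMAL, "rating"), (T0 + 700, NORMAL, "rating")]

if __name__ == "__main__":
    guard = AnswerGuard(max_per_window=3, window_secs=600, daily_budget_wei=10**17)
    print(replay(EVENTS, guard), guard.spent[T0 // 86400])
```

A guard like this only limits what each provider loses; the contract still accepts unlimited requests per access purchase.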
($) = payable function
# = non-constant function

Int = Internal
Ext = External
Pub = Public

+ [Int] IERC20
   - [Ext] totalSupply
   - [Ext] balanceOf
   - [Ext] transfer #
   - [Ext] allowance
   - [Ext] approve #
   - [Ext] transferFrom #

+ Context
   - [Int] _msgSender
   - [Int] _msgData

+ Ownable (Context)
   - [Int] #
   - [Pub] owner
   - [Pub] renounceOwnership #
      - modifiers: onlyOwner
   - [Pub] transferOwnership #
      - modifiers: onlyOwner

+ [Lib] SafeMath
   - [Int] add
   - [Int] sub
   - [Int] sub
   - [Int] mul
   - [Int] div
   - [Int] div
   - [Int] mod
   - [Int] mod

+ BirdOracle (Ownable)
   - [Pub] #
   - [Pub] addProvider #
      - modifiers: onlyOwner
   - [Pub] removeProvider #
      - modifiers: onlyOwner
   - [Pub] newChainRequest #
      - modifiers: paymentApproved
   - [Pub] updatedChainRequest #
   - [Pub] getRatingByAddress
      - modifiers: paymentApproved
   - [Pub] getRating
   - [Pub] getProviders
   - [Pub] sendPayment #
   - [Pub] rewardProviders #
   - [Pub] isApproved
   - [Pub] isApproved
   - [Pub] setMinConsensus #
      - modifiers: onlyOwner