CoverCompared - Audit Report

Audit Summary

crypto_audit CoverCompared allows users to purchase insurance for crypto products from various platforms with support for gasless transactions for users.

For this audit, we reviewed the contracts folder at commit 85627d944e59b79b79c6d8ede59c794f52390f8d on the team's GitHub.

Please ensure trust in the team prior to investing as they have substantial control in the ecosystem and rely upon a significant amount of off-chain logic.

Date: January 7th, 2022.

Contracts Overview

InsureAce and NexusMutualCover Contracts:
Any user may use these contracts to purchase "insurance" from on-chain contracts using any allowed token.
Users may also buy insurance using ETH. Any extra ETH sent when purchasing will be returned to the sender.
Users will receive an NFT representative of their insurance when purchasing through the NexusMutualCover Contract.
The owner may update the Exchange Agent address and the address used to verify signatures at any time.
The owner may change the address where insurance is purchased from at any time.
The owner may add or remove a token from the allowed tokens at any time.
The owner may withdraw any tokens in the contract at any time.
The owner may pause the contracts at any time, disabling all purchasing functionality.
P4LCover and MSOCover Reports:
Any user may use these contracts to record the purchase of off-chain insurance purchases.
Users may purchase insurance using ETH; the ETH will be sent to a Dev wallet controlled by the team. Any extra ETH sent will be returned to the user.
Users may also purchase insurance using any approved tokens; the tokens will also be sent to a Dev wallet controlled by the team.
Insurance is purchased through the use of an off-chain signed message.
The owner may update the Exchange Agent and the address used to verify signatures at any time.
The owner may add or remove accepted tokens at any time.
The owner may pause the contracts at any time, disabling all purchasing functionality.
ExchangeAgent Contract:
This contract is used to hold and exchange various whitelisted tokens to facilitate the purchase of insurance.
Whitelisted contracts may swap between two tokens as well as tokens and ETH.
A Time Weighted Average Price (TWAP) oracle is used to determine the current market value of provided tokens. The TWAP was outside the scope of this audit so we are unable to provide an assessment of this contract in regard to security.
Any token or ETH that is going to be swapped must be provided to this contract, otherwise swaps will be unable to occur.
When using the platforms native CRV token, users receive a 25% discount.
The owner may add and remove any address from the contract whitelist at any time.
The owner may add and remove any token from the token whitelist at any time.
The owner may withdraw any ETH or token in the contract at any time.
The owner may adjust the discount for using CRV tokens to any value at any time.
BasicMetaTransaction Contract:
This contract allows dApps to interact with the Biconomy platform.
The Biconomy platform allows for gasless transactions for users and paying gas fees in ERC20 tokens.
Users sign a message containing a function call off-chain. This message is then executed through the platform paying the gas cost through the user.
MultiSigWallet Contract:
Any number of addresses used to verify signed messages are declared upon deployment, as well as the required number of verifications for a message to be considered confirmed.
Signers submit transactions where they are subsequently added to a queue.
Each signer is then able to confirm any of the transactions in the queue.
Signers are also able to revoke their confirmation from a transaction, if they have previously confirmed it.
Once a transaction has reached the specified number of confirmations, any user may trigger the execution of the transaction.
The team should exercise caution when adding signers, as transactions contain calls to execute arbitrary logic.
Notes Across All Contracts
Use of reentrancy guard where appropriate.
As the contracts are implemented with 0.8.X they are protected from overflows.

External Threat Results

Vulnerability Category	Notes	Result
Arbitrary Storage Write	N/A	PASS
Arbitrary Jump	N/A	PASS
Centralization of Control	The team retains the listed ownership controls until ownership is given to the MultiSigWallet. Large portions of the platform's functionality rely on off-chain logic. The team may update the contracts where user's funds are sent to purchase insurance.	WARNING
Delegate Call to Untrusted Contract	N/A	PASS
Dependence on Predictable Variables	N/A	PASS
Deprecated Opcodes	N/A	PASS
Ether Thief	N/A	PASS
Exceptions	N/A	PASS
External Calls	N/A	PASS
Integer Over/Underflow	N/A	PASS
Logical Issues	N/A	PASS
Multiple Sends	N/A	PASS
Suicide	N/A	PASS
State Change External Calls	N/A	Pass
Unchecked Retval	N/A	PASS
User Supplied Assertion	N/A	PASS
Critical Solidity Compiler	N/A	PASS
Overall Contract Safety		PASS

Name	Address/Source Code	Visualized (Hover-Zoom Recommended)
BasicMetaTransaction	GitHub (Not yet deployed on mainnet)	Function Graph. Inheritance Chart.
ExchangeAgent	GitHub (Not yet deployed on mainnet)	Function Graph. Inheritance Chart.
InsurAceCover	GitHub (Not yet deployed on mainnet)	Function Graph. Inheritance Chart.
MSOCover	GitHub (Not yet deployed on mainnet)	Function Graph. Inheritance Chart.
MultiSigWallet	GitHub (Not yet deployed on mainnet)	Function Graph. Inheritance Chart.
NexusMutualCover	GitHub (Not yet deployed on mainnet)	Function Graph. Inheritance Chart.
P4LCover	GitHub (Not yet deployed on mainnet)	Function Graph. Inheritance Chart.

Go Home