DPex - Smart Contract Audit Report
Summary
DPex by the Passive Income team is a decentralized exchange, allowing users to swap tokens. We previously reviewed the team's token contract here.
We audited DPex's contracts at commit 028318900fe110abdd176f32f0c1ab2f8edbb3a9 on GitHub; and at the Kovan addresses below.
Audit Findings:
- DPex is a fork of Uniswap with a few key notable changes.
- The liquidity provider fee is 0.3%, matching Uniswap's.
- There is an additional 0.1% fee on transactions involving WETH and PSI. The fee amount can be updated via Governance; though it cannot exceed 20%.
- Half of this additional fee (0.05%) will be used to fund rewards to be distributed to holders of PSI token.
- Fees are collected by the Fee Aggregator, which has the ability to swap WETH to PSI for PSI-holder rewards; and also provides rewards to liquidity providers.
- The contract utilizes Chi gas token to drastically reduce the gas costs of adding/removing liqudity and swapping tokens.
- The team must provide the Chi gas tokens to be used by the contract.
- Governance operates using levels. Governance participants can grant any address any level below the caller's current level.
- The deployer of the contract is granted the Mastermind role (level 100); leading to somewhat centralized control of the platform.
- Access control via Governance includes the following roles: Mastermind (100+), Governer (50+), and Partner (10+).
- Having the Mastermind role also grants access to functions restricted to the lower-level roles.
- Anyone with the "mastermind" access level can update the Governance address in the FeeAggregator and Router at any time.
- Anyone with the Governer level or above can edit critical variables in the ecosystem (Router address, gas token address, FeeAggregator address, and more.
- The Partner access role is not used in the current implementation of the contracts.
- All contracts except the Router are behind Admin Upgradability Proxies; meaning the contracts can be upgraded at any time via Governance.
- Usage of ReentrancyGuard in applicable locations.
- Utilization of SafeMath to prevent overflows.
- Use of TransferHelper and SafeERC20 to ensure safe transfers.
Audit Findings Summary:- No security issues from outside attackers were identified.
- Ensure trust in the team as governance is somewhat centralized and critical variables & contracts can be upgraded at any time.
- The developer has performed KYC with our firm.
- Date: February 2nd, 2021
Name | Address | Description |
| ||
| ||
| ||
| ||
|
External Threats - Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |