Premia - Smart Contract Audit Report
Summary
Premia is a Decentralized Financial Instrument Protocol. Premia delivers Financial Instruments as a Service to Users, in which the use of the Premia Token is incentivized through various methods. The project phase 1 effort has been reviewed here, providing the functionality to underwrite financial contracts traditionally known as Physically Settled, American Style, Covered Call and Put Options
Audit Findings Summary:Notes on Individual Contracts
- No security issues from outside attackers were identified.
- Investing requires placing trust in the project team as they have substantial power in the ecosystem. The team can upgrade many of the platform's contracts and update other critical variables.
- Date: January 28th, 2021
FeeCalculator:
- This contract sets and calculates fees for the platform.
- Default fees are set upon deployment.
- The team has the power to update fee percentages. However, it is important to note that these fees have been coded not to exceed 5%; thereby preventing abuse.
- The team also has the ability to exclude addresses from incurring fees.
PremiaBondingCurve:- This contract is for buying (and selling) tokens using ETH along a bonding curve.
- This contract can be upgraded by the team after a 7 day delay.
PremiaDevFund:- This contract holds funds for the development team.
- The team has the power to initiate a withdrawal at any time.
- All withdrawals from the contract are delayed by 3 days.
PremiaErc20:- This is the contract for the Premia ERC20 token.
- The contract is ERC20 token which also conforms to the ERC2612 (to permit 712-signed approvals) standards.
PremiaFeeDiscount:- This contract provides a discount to fees incurred on the protocol.
- Users can stake xPremia tokens in order to recieve fee discounts. Discounts are based upon the amount of tokens staked into the contract; and are not deducted for platform use.
- Different staking 'levels' exist based on deposit amounts; providing different discount amounts determined by the team.
- Staked funds are locked for an amount of time to be determined by the team. Funds that have been staked for a set period of time can not have that time period extended.
- The amount of fee discounts allocated to users can be updated by the team as well.
- If this contract is upgraded, users will need to manually call a function to migrate to the new platform.
PremiaMaker:- This contract allows users to convert tokens directly into Premia and stake them all in one function.
- The team can update the percentage of protocol fees the treasury will receive from user activity through the contract.
PremiaMarket:- This contract is the where the options market takes place.
- Users can create (and cancel) orders with set expiration times to purchase options on specified assets.
- Users can buy/sell options currently on the market, or they can create an order for a new option (on a supported asset) with the details of their choosing.
- Users can choose to delay the time when their option will written to the time when it is sold on the market; if the team enables this feature. This enables sellers to potentially save gas when creating orders.
- Users can also claim uPremia tokens proportional to the value of the fees spent on the platform in USD.
- Admins can add and remove options contracts (representing assets; discussed below) that can be be traded on the platform.
- The team can also update the tokens that can be used as payment on the platform; as well as the addresses of the uncut token and the fee receiver.
PremiaMining:- This contract will allow users to stake uPremia tokens (discussed below) in order to earn Premia tokens as a reward. This effectively allows users to stake the fees they spent using the platform.
- The team has the ability to add tokens that can be staked and update the rewards allocated to each token staking pool.
- This contract cannot be upgraded by the team.
PremiaOption:- This multi-standard token (ERC1155) contract represents option contracts held by users.
- Similar to how a user can approve another address (or contract) to spend its tokens; users can allow other addresses/contracts move and excercise their options.
- After exercising an option, users can remove the collateral originally put up for the option. Collarteral put up to enter will not alwyas equal the collateral withdrawn. Users' collateral, rather, is calculated as a percentage of the total collateral in the pool.
- When an option is 'in the money' (meaning the call strike price is below the current price; or the put strike price is above the current price), users can 'flash exercise' the option. This allows a user to use a portion of the collateral they put up to swap into to the token required to exercise the option & pay protocol fees. The profits from the execution are sent to the address exercising the option.
- As all collateral is held in this contract, anyone has the ability to take out a flash loan from the platform; borrowing up to the total collateral amount and paying back that amount with an additonal fee.
- Users can provide a referrer address when utilizing parts of the platform; enabling the referrer to collect some of the protocl fees spent by their referral.
- The team can set the maximum delay between placing a sell order and when that order expires in the PremiaOption contract. The default is 1 year.
- The team can add tokens to allow options to be underwritten on those assets and update addresses for the fee receiver, the referral storage contract, the uPremia token, whitelisted order routers for option execution (Uniswap), and token metadata.
PremiaPBC:- This is the contract for the initial sale of Premia tokens.
- Users can provide ETH to the contract during the time period specified by the team. At the end of the period, users will be able to claim Premia tokens proportional to the ETH contributed.
- ETH collected in the contract is sent to the project team's treasury address.
PremiaReferral:- This contract keeps track of user referrals in the Premia ecosystem.
- The owner can set which addresses/contracts are allowed to update referrals.
PremiaStaking:- This is the xPremia token contract which includes staking functionality within the same contract.
- Users have the ability to stake Premia tokens and mint xPremia tokens in return.
- The amount of xPremia received by the user is variable and based on the amount of Premia in the contract and the amount of xPremia minted.
- Users can unstake at any time; relinquishing their xPremia tokens for Premia tokens.
- This contract cannot be upgraded or altered by the team.
PremiaUncutErc20:- This is the uPremia token contract that is provided to users when they utilize the platform.
- The token is not tradable, but it represents approximatley $1 USD in value spent as fees on the platform. Prices are determined by the PriceProvider contract.
- The project team can whitelist addresses that are permitted to transfer the token.
PremiaVesting:- This contract holds funds allocated to the project team.
- Premia tokens in the contract are unlocked over a period of 365 days; gradually allowing the team to withdraw their allocated funds.
PriceProvider:- This contract is used to provide prices to the PremiaUncutErc20 contract.
- The prices in USD for tokens is set manually by the project team.
Security Best Practices:- The Premia GitHub includes over 150 passing test cases and robust documentation.
- The project uses the latest known-to-be-stable major version of Solidity.
- Excellent structuring of logic to prevent reentrancy attacks; and usage of ReentrancyGuard in all other applicable & publicly-accessible functions.
- Proper sanity checks are in place in functions where calls to user-provided addresses occur.
- SafeMath libraries and SafeERC20 interfaces are used to prevent overflows throughout the contracts.
- The contracts comply with the relevant ethereum standards (ERC20, ERC1155, ERC2612).
- The contracts will be owned/administered by the team through a 3/4 multi-sig timelock to reduce the risk associated with a team member's keys being compromised.
Note regarding Upgrades:- The team has the power to upgrade/alter various integral parts of the ecosystem - Some Premia contracts are intended to be deployed in an upgradable manner so the team can introduce new features as the project evolves.
- If an update occurs, depending on which contracts are updated, users may have to call a function to migrate their funds to the upgraded platform.
Name | Address/Source Code | Visualized |
FeeCalculator | ||
PremiaBondingCurve | ||
PremiaDevFund | ||
PremiaErc20 | ||
PremiaFeeDiscount | ||
PremiaMaker | ||
PremiaMarket | ||
PremiaMining | ||
PremiaOption (One per asset) | ||
PremiaPBC | ||
PremiaReferral | ||
PremiaStaking | ||
PremiaUncutErc20 | ||
PremiaVesting | ||
PriceProvider |
External Threats - Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| External Service Providers | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Reentrancy Issues | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |