DESCRIPTION
Noah DAO is a decentralized exchange built on the EOS EVM. It introduces a mechanism to incentivize liquidity provision and active governance participation by rewarding users with protocol tokens and voting rights, thereby aligning interests within the ecosystem.
Liquidity providers deposit the corresponding LP tokens into a gauge and are rewarded with protocol tokens. Locking those protocol tokens grants voting rights and an esToken unlocking quota. Holders of voting rights then vote on gauges and earn a share of the swap fees and bribe incentives attributed to the pools they voted for.
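The following is an added toy model of the vote-and-bribe accounting just described; it is constructed for this summary and is not Noah DAO code. Locked protocol tokens give voting power, a vote splits that power across pools, and a pool's bribes are paid pro rata to each voter's recorded weight. The duplicate-pool check in `vote()` is a generic guard for the class of bug named by finding 20 in the Key Findings below (miscalculated poolWeight with duplicated pool voting); the bookkeeping that lets a duplicate entry leave phantom weight behind is an assumption about how such a bug can arise, not the audited contract's logic. The names `VoterModel`, `phantom_weight_demo` and `duplicate_vote_rejected` are hypothetical.

```python
"""Toy ve(3,3)-style voter model (constructed example, not the project's code)."""
from collections import defaultdict
from typing import Dict, List


class VoterModel:
    def __init__(self) -> None:
        self.power: Dict[str, int] = {}                              # user -> locked tokens
        self.pool_weight: Dict[str, int] = defaultdict(int)         # pool -> aggregate weight
        self.votes: Dict[str, Dict[str, int]] = defaultdict(dict)   # user -> pool -> weight
        self.bribes: Dict[str, int] = defaultdict(int)              # pool -> bribe tokens this epoch

    def lock(self, user: str, amount: int) -> None:
        """Locking protocol tokens grants voting power (assumed 1:1 here)."""
        self.power[user] = self.power.get(user, 0) + amount

    def add_bribe(self, pool: str, amount: int) -> None:
        self.bribes[pool] += amount

    def reset(self, user: str) -> None:
        """Undo the user's previous vote using only the per-user record."""
        for pool, w in self.votes.pop(user, {}).items():
            self.pool_weight[pool] -= w

    def vote(self, user: str, pools: List[str], weights: List[int],
             check_duplicates: bool = True) -> Dict[str, int]:
        if not pools or len(pools) != len(weights):
            raise ValueError("pools and weights must be non-empty and of equal length")
        if check_duplicates and len(set(pools)) != len(pools):
            raise ValueError("duplicate pool in vote")
        total = sum(weights)
        if total <= 0 or any(w < 0 for w in weights):
            raise ValueError("weights must be non-negative with a positive sum")
        self.reset(user)
        power = self.power.get(user, 0)
        for pool, w in zip(pools, weights):
            share = power * w // total
            self.pool_weight[pool] += share   # aggregate is credited for every list entry
            self.votes[user][pool] = share    # per-user map keeps only the last entry
        return dict(self.votes[user])

    def claim_bribe(self, user: str, pool: str) -> int:
        """Pro-rata bribe share: bribes * user_weight / pool_weight (integer math)."""
        if self.pool_weight[pool] == 0:
            return 0
        return self.bribes[pool] * self.votes[user].get(pool, 0) // self.pool_weight[pool]


def phantom_weight_demo() -> Dict[str, int]:
    """With the duplicate check off, one voter listing a pool twice leaves weight
    behind after reset, which later dilutes another voter's bribe share."""
    v = VoterModel()
    v.lock("alice", 100)
    v.vote("alice", ["X", "X"], [1, 1], check_duplicates=False)
    after_vote = v.pool_weight["X"]        # 100 credited to the pool ...
    recorded = v.votes["alice"]["X"]       # ... but only 50 recorded for alice
    v.reset("alice")
    phantom = v.pool_weight["X"]           # 50 of weight that no voter owns
    v.lock("bob", 100)
    v.vote("bob", ["X"], [1])              # bob is now the only real voter on X
    v.add_bribe("X", 1000)
    bob_bribe = v.claim_bribe("bob", "X")  # 666 instead of the full 1000
    return {"after_vote": after_vote, "recorded": recorded,
            "phantom": phantom, "bob_bribe": bob_bribe}


def duplicate_vote_rejected() -> bool:
    """Same vote with the guard enabled is refused before any state changes."""
    v = VoterModel()
    v.lock("alice", 100)
    try:
        v.vote("alice", ["X", "X"], [1, 1])
    except ValueError:
        return v.pool_weight["X"] == 0
    return False


if __name__ == "__main__":
    print(phantom_weight_demo())
    print("duplicate vote rejected:", duplicate_vote_rejected())
```

The point a reviewer would check in a real Voter contract is that the aggregate `poolWeight` and the per-user vote record are updated from the same iteration and cannot diverge; rejecting duplicate pool entries up front is the simplest way to keep the two in step.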
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains several high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Noah DAO development team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we found 21 potential issues in the smart contracts, together with 7 recommendations and 6 notes, as follows:
ID | Severity | Description | Category | Status |
---|---|---|---|---|
1 | High | Index out of Bounds for the Empty Array | Software Security | Fixed |
2 | Medium | Improper Use of the Keyword Memory | Software Security | Fixed |
3 | Low | Incorrect Index in getPriorSupplyIndex | Software Security | Fixed |
4 | Medium | Potential Loop from Self-Calling | Software Security | Fixed |
5 | Low | Incorrect Validation of Withdrawal Rate | Software Security | Fixed |
6 | High | Miscalculated Bribe Rewards (I) | DeFi Security | Fixed |
7 | High | Miscalculated Bribe Rewards (II) | DeFi Security | Fixed |
8 | Medium | Timely Invocation of update_period() before setReleaseFactor() and setPledgeFactor() | DeFi Security | Acknowledged |
9 | Medium | Timely Invocation of distribute() in notifyRewardAmount() | DeFi Security | Confirmed |
10 | Medium | Reward for Killed Gauge Being Locked | DeFi Security | Confirmed |
11 | Medium | Lack of Checks for Gauges that Do Not Support Voting | DeFi Security | Confirmed |
12 | Medium | Reward Token can be Managed by Users with Different Privileges | DeFi Security | Fixed |
13 | Medium | Timely Invocation of claimfees() in Gauge | DeFi Security | Acknowledged |
14 | High | Failed to Notify Rewards due to the Reentrancy Lock | DeFi Security | Fixed |
15 | High | Swap Fee Rewards Distribution Mechanism does not Work | DeFi Security | Fixed |
16 | High | Manipulated Unlocking Duration | DeFi Security | Fixed |
17 | Medium | Risk of Voting Power Manipulation when is_unlock is True | DeFi Security | Acknowledged |
18 | Medium | Lack of Checks in Function withdrawToken | DeFi Security | Fixed |
19 | Low | Inconsistent Status Update during Voting Process | DeFi Security | Fixed |
20 | Medium | Miscalculated poolWeight with Duplicated Pool Voting | DeFi Security | Fixed |
21 | High | Incorrect Reward Calculations from Inappropriate Check | DeFi Security | Fixed |
22 | - | Lack of Zero Address Check | Recommendation | Confirmed |
23 | - | Redundant Functions | Recommendation | Fixed |
24 | - | Redundant Invocation of Function _updateFor | Recommendation | Fixed |
25 | - | Meaningless Usage of max | Recommendation | Fixed |
26 | - | Inappropriate Variable Naming | Recommendation | Confirmed |
27 | - | Lack of Check for releaseFactor and pledgeFactor | Recommendation | Confirmed |
28 | - | Redundant Check in Function mint_marketing | Recommendation | Fixed |
29 | - | Potential Centralization Problem | Note | Confirmed |
30 | - | Timely Deployment of Contracts | Note | Confirmed |
31 | - | Non-Linear Unlocking in Multiple Claims | Note | Confirmed |
32 | - | Token Release for Team and VC without Time Restrictions | Note | Confirmed |
33 | - | Potential Inequity in Function poke() of the Voter Contract | Note | Confirmed |
34 | - | Incompatible Tokens | Note | Confirmed |
More details are provided in the audit report.