Ulam Labs Smart Contract Audit for SuperBonds
June 2, 2022
This blog post is centered on the results and completion of the SuperBonds Smart Contract Audit, which was conducted by the Ulam Labs team. Here you will find a summary of the report, a brief description of the vulnerabilities found, and the steps our team took to identify and validate each issue.
The official findings were released on the 31st of March 2022. We thank the team at SuperBonds for trusting us with the supervision and completion of this security assessment.
Ulam Labs Smart Contract Audit Scope
The main objective of the audit was to analyze and assess the security of the SuperBonds smart contracts before the official launch of their product. SuperBonds is the first bond market in the DeFi space that runs on the Solana blockchain. It uses NFTs to offer fixed-yield bonds that can be redeemed at any time. What is unique about SuperBonds is that the rates are paid in USDC, bringing high predictability to the NFT owner, in contrast to other yield-generating platforms that depend on tokens with fluctuating prices.
Ulam Labs has collaborated with SuperBonds over the smart contracts that power the platform and make it trustless.
The evaluation was performed remotely by the Ulam Labs security team from February 3rd until the 29th of March 2022. The engagement focused on the following objectives:
- provide SuperBonds with an overview of the state of their security posture. Security posture is a measure of the controls and processes a company has in place to protect its product from cyberattacks: its ability to detect and contain attacks, to react to and recover from security breaches, and the overall level of visibility into the company's asset inventory, the automation of its security programs, and its attack surfaces
- provide an in-depth opinion on the maturity, adequacy and efficiency of the security measures, identify all potential security issues, and include improvement recommendations based on the final results of the performed tests
- provide fully transparent confirmation of the remediation of the issues found and reported
During the security assessment performed by the Ulam Labs security team, a few issues came to the surface and were classified by severity, as the following chart displays:
All the findings mentioned above were reported by the Ulam Labs team, acknowledged by the SuperBonds team, and subsequently fixed. Our team also reviewed the code after all the fixes were merged.
Critical Issue #1
Creating many instances of the staking pool breaks the contract state, resulting in minimal rewards for honest users and large rewards for users operating a single staking pool instance. To resolve this, fixes were applied to the source code.
Critical Issue #2
Malicious users can choose one pool for the trade and a different pool for the redeem, breaking the contract state and earning more than intended. A check that the pool key stored in the trade state matches the pool key passed to the process_redeem instruction should be added; this fix has been applied to the source code.
Critical Issue #3
In the process_trade instruction a new instance of TradeState is initialized. However, no check is performed to determine whether the account has already been initialized.
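To illustrate the two checks that Critical Issues #2 and #3 call for, the following is an added example written for this post; it is not SuperBonds code and does not use the Solana SDK. Accounts are modelled as a key plus a byte buffer, the TradeState layout (an initialized flag, the pool key, an amount) is assumed, and the names process_trade, process_redeem and PoolMismatch are illustrative. The hardened process_trade refuses to re-initialize an already initialized TradeState, and the hardened process_redeem rejects a pool whose key differs from the one recorded at trade time.

```rust
use std::convert::TryInto;

/// 32-byte key, standing in for an on-chain public key (assumed model).
pub type Pubkey = [u8; 32];

/// Minimal stand-in for an on-chain account: its key and its data buffer.
pub struct Account {
    pub key: Pubkey,
    pub data: Vec<u8>,
}

/// Assumed TradeState layout: 1 byte initialized flag, 32-byte pool key,
/// 8-byte little-endian amount.
#[derive(Debug, PartialEq)]
pub struct TradeState {
    pub is_initialized: bool,
    pub pool: Pubkey,
    pub amount: u64,
}

pub const TRADE_STATE_LEN: usize = 1 + 32 + 8;

#[derive(Debug, PartialEq)]
pub enum ProgramError {
    AccountAlreadyInitialized,
    UninitializedAccount,
    PoolMismatch,
    InvalidAccountData,
}

impl TradeState {
    /// Deserialize from the account buffer, rejecting malformed data.
    pub fn unpack(data: &[u8]) -> Result<TradeState, ProgramError> {
        if data.len() != TRADE_STATE_LEN {
            return Err(ProgramError::InvalidAccountData);
        }
        let is_initialized = match data[0] {
            0 => false,
            1 => true,
            _ => return Err(ProgramError::InvalidAccountData),
        };
        let pool: Pubkey = data[1..33].try_into().map_err(|_| ProgramError::InvalidAccountData)?;
        let amount_bytes: [u8; 8] = data[33..41].try_into().map_err(|_| ProgramError::InvalidAccountData)?;
        Ok(TradeState { is_initialized, pool, amount: u64::from_le_bytes(amount_bytes) })
    }

    /// Serialize into the account buffer.
    pub fn pack(&self, data: &mut [u8]) -> Result<(), ProgramError> {
        if data.len() != TRADE_STATE_LEN {
            return Err(ProgramError::InvalidAccountData);
        }
        data[0] = self.is_initialized as u8;
        data[1..33].copy_from_slice(&self.pool);
        data[33..41].copy_from_slice(&self.amount.to_le_bytes());
        Ok(())
    }
}

/// Critical Issue #3, hardened: an already initialized TradeState cannot be
/// overwritten by a second process_trade call.
pub fn process_trade(trade_state_acc: &mut Account, pool: &Account, amount: u64) -> Result<(), ProgramError> {
    let existing = TradeState::unpack(&trade_state_acc.data)?;
    if existing.is_initialized {
        return Err(ProgramError::AccountAlreadyInitialized);
    }
    TradeState { is_initialized: true, pool: pool.key, amount }.pack(&mut trade_state_acc.data)
}

/// Critical Issue #2, hardened: the pool supplied at redeem time must be the
/// pool recorded in the trade state; otherwise the instruction fails.
pub fn process_redeem(trade_state_acc: &Account, pool: &Account) -> Result<u64, ProgramError> {
    let state = TradeState::unpack(&trade_state_acc.data)?;
    if !state.is_initialized {
        return Err(ProgramError::UninitializedAccount);
    }
    if state.pool != pool.key {
        return Err(ProgramError::PoolMismatch);
    }
    Ok(state.amount)
}

/// Helper to build a constructed account with a repeated key byte and a zeroed buffer.
pub fn new_account(key_byte: u8, len: usize) -> Account {
    Account { key: [key_byte; 32], data: vec![0u8; len] }
}

fn main() {
    // Constructed scenario: trade against pool A, then try to redeem against pool B.
    let pool_a = new_account(1, 0);
    let pool_b = new_account(2, 0);
    let mut trade_state = new_account(9, TRADE_STATE_LEN);
    println!("trade:       {:?}", process_trade(&mut trade_state, &pool_a, 500));
    println!("re-trade:    {:?}", process_trade(&mut trade_state, &pool_b, 1));
    println!("redeem (B):  {:?}", process_redeem(&trade_state, &pool_b));
    println!("redeem (A):  {:?}", process_redeem(&trade_state, &pool_a));
}
```

Both checks are cheap and fail closed: the redeem path compares the stored key with the supplied account's key before paying anything out, and the trade path reads the existing state before writing, so a second initialization cannot reset a recorded pool or amount.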
Alongside the critical issues, high, medium and low severity issues were identified and fixed. Click here to see the full report.
About Ulam Labs
Ulam Labs is a custom software development company founded in 2017. Over the years, we have grown to 60+ people and developed a strong specialization in the blockchain and crypto areas.
We cover projects end-to-end, taking ideas into designs and fully functional applications. A major part of our operations is around smart contract audits, on Algorand, Solana, Flow, and more.
If you would like us to perform a smart contract audit for you, please don't hesitate to get in touch with us.