DESCRIPTION
The SoSoValue Index Protocol is a spot index solution designed to make crypto investments simple and secure. The SSI Protocol uses on-chain smart contracts to repackage multi-chain, multi-asset portfolios into Wrapped Tokens (SSI). Each Wrapped Token represents a basket of underlying assets, so its value tracks the value of the spot basket, effectively achieving passive index investing on-chain.
The core contracts covered in this audit are those of the SSI Protocol. This iterative audit covers the code of the initial version as well as the subsequent versions that fix the discovered issues, as detailed in our audit report. Please note that external dependencies are assumed to be reliable and are therefore excluded from the audit scope.
Our audit methodology combines automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues, together with gas and code-quality optimization recommendations.
In summary, we have found that the codebase contains several high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The SoSoValue team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we found 5 potential issues in the smart contracts. We also have 5 recommendations and 5 notes, as follows:
ID | Severity | Description | Category | Status
---|---|---|---|---
1 | High | Incorrect check on amount in function withdraw() | DeFi Security | Fixed
2 | High | Insufficient status check in function rejectRedeemRequest() | DeFi Security | Fixed
3 | Medium | Lack of implementation of pause() and unpause() in contract USSI | DeFi Security | Fixed
4 | Medium | Potential replay attack in HedgeOrder and OrderInfo | DeFi Security | Fixed
5 | Medium | Potential out-of-gas when processing loops | DeFi Security | Fixed
6 | - | Fix the typos | Recommendation | Fixed
7 | - | Lack of invoking function _disableInitializers() | Recommendation | Fixed
8 | - | Remove unnecessary checks | Recommendation | Confirmed
9 | - | Check parameters in the constructors and initializers | Recommendation | Fixed
10 | - | Use safe ERC-20 operations | Recommendation | Fixed
11 | - | Potential centralization risk | Note | -
12 | - | Withdrawal may not occur within the expected timeframe | Note | -
13 | - | Limited supported tokens in the protocol | Note | -
14 | - | Inconsistency of participant permissions in contracts AssetIssuer and USSI | Note | -
15 | - | Additional checks for rescuing funds | Note | -
More details are provided in the audit report.
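Recommendations 7, 9 and 10 in the table above are generic hardening patterns for upgradeable contracts. The following contract is an added illustration of all three and is not code from the SSI Protocol or from the audit report: it calls `_disableInitializers()` in the constructor so the implementation contract behind a proxy cannot be initialized by anyone, validates the parameters passed to `initialize()`, and uses OpenZeppelin's `SafeERC20` wrappers so that tokens which return `false` (or nothing) on failure cannot silently fail. The contract name `IndexVaultExample`, its `token` and `treasury` fields and the `sweep()` function are hypothetical; the OpenZeppelin imports are the real library paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Real OpenZeppelin paths (v5 layout); the contract below is a constructed example.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @dev Hypothetical vault used only to demonstrate the three recommendations.
contract IndexVaultExample is Initializable, OwnableUpgradeable {
    using SafeERC20 for IERC20; // recommendation 10: safe ERC-20 operations

    IERC20 public token;
    address public treasury;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Recommendation 7: lock the implementation contract so nobody can
        // call initialize() directly on it and take ownership.
        _disableInitializers();
    }

    /// @notice Called once through the proxy. `initializer` prevents re-entry
    ///         on later calls, and every parameter is validated (recommendation 9).
    function initialize(address owner_, address token_, address treasury_) external initializer {
        require(owner_ != address(0), "owner is zero");
        require(token_ != address(0), "token is zero");
        require(treasury_ != address(0), "treasury is zero");

        __Ownable_init(owner_);
        token = IERC20(token_);
        treasury = treasury_;
    }

    /// @notice Move tokens held by the vault to the treasury.
    ///         safeTransfer reverts on a false return value or a missing return
    ///         value, instead of letting a failed transfer pass unnoticed.
    function sweep(uint256 amount) external onlyOwner {
        require(amount > 0, "amount is zero");
        require(amount <= token.balanceOf(address(this)), "insufficient balance");
        token.safeTransfer(treasury, amount);
    }

    /// @notice Deposit on behalf of the caller; the caller must have approved
    ///         the vault first. safeTransferFrom has the same failure semantics.
    function deposit(uint256 amount) external {
        require(amount > 0, "amount is zero");
        token.safeTransferFrom(msg.sender, address(this), amount);
    }
}
```

When deployed behind a proxy, `initialize()` is invoked via the proxy in the same transaction as deployment, so there is no window in which an unrelated party could call it first; the constructor guard makes the same call on the bare implementation revert.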