DESCRIPTION
The target of this audit is the code repository of Fiat24 Contracts on Mantle. Fiat24 is a digital banking platform built on blockchain technology that bridges banking services with the crypto ecosystem. The platform provides NFT-based digital accounts as unique identifiers for users, with each account represented as an ERC-721 token that carries configurable attributes and status management. Fiat24 supports multiple fiat currencies through tokenized representations, including USD24, EUR24, CHF24, GBP24, and CNH24, with real-time exchange rates and cross-currency transactions. The platform also offers crypto deposit functionality that lets users deposit USDC and other cryptocurrencies, which are automatically converted to fiat tokens at current market rates.
Please refer to the report for the detailed audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues, coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains 1 high-risk issue that requires prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Fiat24 Contracts team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we found 9 potential issues (IDs 1-9) in the smart contracts. We also have 6 recommendations (IDs 10-15) and 7 notes (IDs 16-22); recommendations and notes carry no severity rating, and notes have no fix status, both shown as "-" below:
| ID | Severity | Description | Status |
|---|---|---|---|
| 1 | High | Incorrect permission check in function updateExchangeRate() | Fixed |
| 2 | Medium | Potential front-running attacks when updating exchange rates | Confirmed |
| 3 | Medium | Fixed exchange rates during initialization create a front-running risk | Confirmed |
| 4 | Low | Potential DoS risk in the function _removeFailedKey() | Fixed |
| 5 | Low | Inconsistent mechanism for updating exchange rates | Confirmed |
| 6 | Low | Incorrect rounding direction in the functions authorize() and increment() | Confirmed |
| 7 | Low | Lack of checks for the parameters cardCurrency_ and originalPaidCurrency_ | Confirmed |
| 8 | Low | Fiat24 tokens received by a fiat24account with a specific status will be locked | Confirmed |
| 9 | Low | Inconsistent access control | Fixed |
| 10 | - | Inconsistency between the comments and the code | Fixed |
| 11 | - | Lack of duplication check on the fiatName in the function addFiatToken() | Fixed |
| 12 | - | Add zero address checks | Confirmed |
| 13 | - | Lack of duplication check in the function addTokenAddress() | Confirmed |
| 14 | - | Confusing naming for the variable _amountOutMinimum | Confirmed |
| 15 | - | Lack of non-zero value check in the function updateExchangeRates() | Confirmed |
| 16 | - | Atomicity in the Fiat24 card authorization process | - |
| 17 | - | Lack of a fiat token removal mechanism | - |
| 18 | - | The parameter _amountOutMinimum should be validated in the backend | - |
| 19 | - | Upgrade the implementation of Fiat24Token properly | - |
| 20 | - | Ensure that the exchangeRates and validXXX24Tokens are set properly | - |
| 21 | - | Initialize the implementation contracts immediately after deployment | - |
| 22 | - | Potential centralization risks | - |
More details are provided in the audit report.