DESCRIPTION
Multichain is the ultimate Router for web3. It is an infrastructure developed for arbitrary cross-chain interactions. The core contracts covered in this audit include the veMULTI contracts in the code repository. The iterative audit covers the code in the initial version, as well as subsequent versions that fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.

Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues, coupled with gas and code quality optimization recommendations.

In summary, we did not find any critical issues within the audited codebase. However, we have identified nine non-critical issues that should be addressed. Additionally, we have made five recommendations to further strengthen the code logic. It is important to note that the scope of our audit was strictly limited to the specific code versions mentioned in the report. Any updates made subsequent to our review would require a re-evaluation.
KEY FINDINGS
In total, we find 9 potential issues in the smart contract. We also have 5 recommendations and 0 notes, as follows:
ID | Severity | Description | Category | Status |
---|---|---|---|---|
1 | Medium | Unchecked ERC-721 Callback Result | Software Security | Fixed |
2 | Low | Improper Check for the Return Values of the transferFrom Function | Software Security | Acknowledged |
3 | Medium | Incorrect Address Used in the _burn Function | Software Security | Fixed |
4 | Low | Access Out Of Bounds in the getBlockByTime Function | Software Security | Acknowledged |
5 | Low | Unchecked Arrays in the claimRewardMany Function | Software Security | Fixed |
6 | Low | Inconsistent Implementation of the Burn Logic | Software Security | Fixed |
7 | Medium | Inconsistent Handling of Epoch Time | DeFi Security | Fixed |
8 | Low | Inconsistent End Time in the addEpochBatch Function | DeFi Security | Fixed |
9 | Low | Inconsistent Implementation of the Reward Calculation | DeFi Security | Acknowledged |
10 | - | Check Zero Address In the ve.ownerOf Function | Recommendation | Fixed |
11 | - | Implement Secure Logic for the transferAdmin Function | Recommendation | Fixed |
12 | - | Avoid Continuous Divisions in the _pendingRewardSingle Function | Recommendation | Fixed |
13 | - | Alleviate the Concern of Potential Centrality | Recommendation | Acknowledged |
14 | - | Follow the Checks-Effects-Interactions Pattern | Recommendation | Fixed |
More details are provided in the audit report.