Security Audit Report for Noah-DAO


Noah DAO is a decentralized exchange built on the EOS EVM. It introduces a mechanism to incentivize liquidity provision and active governance participation by rewarding users with protocol tokens and voting rights, thereby aligning interests within the ecosystem.

After depositing the corresponding LP tokens into the gauge, liquidity providers are rewarded with protocol tokens. By locking these protocol tokens, users gain voting rights and eligibility for esToken unlocking quotas. Those holding voting rights can then participate in voting to earn rewards from swap fees and bribe incentives.

Our audit methodology combines automated vulnerability scanning, manual verification, and business logic analysis to uncover potential security issues, together with recommendations for gas and code quality optimization.

In summary, we have found that the codebase contains several high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Noah DAO development team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.


In total, we found 21 potential issues in the smart contracts (7 high, 11 medium, 3 low risk). We also have 7 recommendations and 6 notes, as follows:

High Risk: 7
Medium Risk: 11
Low Risk: 3
Recommendation: 7
Note: 6
| ID | Severity | Description | Category | Status |
|----|----------|-------------|----------|--------|
| 1 | High | Index out of Bounds for the Empty Array | Software Security | Fixed |
| 2 | Medium | Improper Use of the Keyword Memory | Software Security | Fixed |
| 3 | Low | Incorrect Index in getPriorSupplyIndex | Software Security | Fixed |
| 4 | Medium | Potential Loop from Self-Calling | Software Security | Fixed |
| 5 | Low | Incorrect Validation of Withdrawal Rate | Software Security | Fixed |
| 6 | High | Miscalculated Bribe Rewards (I) | DeFi Security | Fixed |
| 7 | High | Miscalculated Bribe Rewards (II) | DeFi Security | Fixed |
| 8 | Medium | Timely Invocation of update_period() before setReleaseFactor() and setPledgeFactor() | DeFi Security | Acknowledged |
| 9 | Medium | Timely Invocation of distribute() in notifyRewardAmount() | DeFi Security | Confirmed |
| 10 | Medium | Reward for Killed Gauge Being Locked | DeFi Security | Confirmed |
| 11 | Medium | Lack of Checks for Gauges that Do Not Support Voting | DeFi Security | Confirmed |
| 12 | Medium | Reward Token can be Managed by Users with Different Privileges | DeFi Security | Fixed |
| 13 | Medium | Timely Invocation of claimfees() in Gauge | DeFi Security | Acknowledged |
| 14 | High | Failed to Notify Rewards due to the Reentrancy Lock | DeFi Security | Fixed |
| 15 | High | Swap Fee Rewards cannotDistribution Mechanism does not Work | DeFi Security | Fixed |
| 16 | High | Manipulated Unlocking Duration | DeFi Security | Fixed |
| 17 | Medium | Risk of Voting Power Manipulation when is_unlock is True | DeFi Security | Acknowledged |
| 18 | Medium | Lack of Check of Function withdrawToken | DeFi Security | Fixed |
| 19 | Low | Inconsistent Status Update during Voting Process | DeFi Security | Fixed |
| 20 | Medium | Miscalculated poolWeight with Duplicated Pool Voting | DeFi Security | Fixed |
| 21 | High | Incorrect Reward Calculations from Inappropriate Check | DeFi Security | Fixed |
| 22 | - | Lack of Zero Address Check | Recommendation | Confirmed |
| 23 | - | Redundant Functions | Recommendation | Fixed |
| 24 | - | Redundant Invocation of Function _updateFor | Recommendation | Fixed |
| 25 | - | Meaningless Usage of max | Recommendation | Fixed |
| 26 | - | Inappropriate Variable Naming | Recommendation | Confirmed |
| 27 | - | Lack of Check for releaseFactor and pledgeFactor | Recommendation | Confirmed |
| 28 | - | Redundant Check in Function mint_marketing | Recommendation | Fixed |
| 29 | - | Potential Centralization Problem | Note | Confirmed |
| 30 | - | Timely Deployment of Contracts | Note | Confirmed |
| 31 | - | Non-Linear Unlocking in Multiple Claims | Note | Confirmed |
| 32 | - | Token Release for Team and VC without Time Restrictions | Note | Confirmed |
| 33 | - | Potential Inequity in Function poke() of the Contract Voter | Note | Confirmed |
| 34 | - | Incompatible Tokens | Note | Confirmed |

More details are provided in the audit report.

Take the first step towards a secure future

Reach out now for BlockSec's expert code audit services, elevate the security of your protocol before it goes live!