SolidProof.io
Link to Official SolidProof.io report: https://app.solidproof.io/projects/blacksail
The information below has been transcribed from the official SolidProof.io report linked above, with additional detail on how each finding was resolved.
Website: www.blacksail.finance
Description: Blacksail Finance is a smart contract yield compounding suite on the Sonic Blockchain network. It automates the compounding of DeFi rewards for crypto tokens, enabling users to maximize returns on their holdings.
Blacksail Contracts GitHub Repository: https://github.com/Blacksail-finance/audits/tree/main/contracts
Vault
Language: Solidity
Onboard Date: 18/12/2024
3 Contracts Evaluated:
Blacksail_StrategyV3.sol,
Blacksail_Vault.sol,
Blacksail_Interface.sol
The auditing process consists of the following systematic steps:
Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.
No unresolved High or Medium severity issues (all findings listed below have been resolved)
Key Contract Properties:
No minting by contract owner
No blacklisting of addresses
Contract owner cannot set high fees
Funds cannot be locked by the owner
No burn function
Ownership not renounced
Contract not upgradeable
Blacksail_StrategyV3.sol
The owner can update the vault contract address.
The owner can enable/disable the harvest on deposit setting in the contract.
The owner can withdraw the reward tokens.
The owner can pause/un-pause the contract.
The owner can update the withdrawal fees to not more than 0.1%.
The owner can update the slippage tolerance value to not more than 15%.
Blacksail_Vault.sol
The owner can propose a new Strategy implementation in the contract.
The owner can upgrade the proposed strategy after the approval delay has passed.
Resolved #1 High Issue – Unsafe Use of tx.origin File: Blacksail_StrategyV3.sol Lines: 150, 192, 212 Description: Using tx.origin for authorization exposes the contract to a phishing attack. tx.origin is the externally owned account that signed the transaction, not the immediate caller, so it does not distinguish the original user from an intermediary contract. An attacker can deploy a malicious contract and lure the authorized account into calling it; that contract can then invoke key functions such as harvest() or withdraw() and the tx.origin check still passes. Resolution: The code has been updated to replace tx.origin with msg.sender, so the check is made against the immediate caller and a forwarding contract can no longer pass it.
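The following is an added example written for this page to illustrate the finding; it is not Blacksail's code, and the contract names (VulnerableStrategy, Phisher, HardenedStrategy) are hypothetical. It shows the tx.origin gate, an attacker contract that passes it by getting the owner to call any of its functions, and the msg.sender version that rejects the forwarded call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

// Example added for this page (not Blacksail code). All names are hypothetical.

contract VulnerableStrategy {
    address public immutable owner;

    constructor() { owner = msg.sender; }
    receive() external payable {}

    // VULNERABLE: tx.origin is the EOA that signed the transaction. Any contract
    // the owner interacts with can call this function in a nested call and the
    // check still passes, because the owner is still tx.origin.
    function withdraw(address payable to, uint256 amount) external {
        require(tx.origin == owner, "not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// The attacker deploys this and lures the owner into calling claimAirdrop()
// (the function name is bait; any function would do). The nested call reaches
// withdraw() with tx.origin == owner, so the strategy's balance is sent to the
// attacker.
contract Phisher {
    VulnerableStrategy private immutable target;
    address payable private immutable attacker;

    constructor(VulnerableStrategy _target) {
        target = _target;
        attacker = payable(msg.sender);
    }

    function claimAirdrop() external {
        target.withdraw(attacker, address(target).balance);
    }
}

contract HardenedStrategy {
    address public immutable owner;

    constructor() { owner = msg.sender; }
    receive() external payable {}

    // FIXED: msg.sender is the immediate caller. When Phisher forwards the call,
    // msg.sender is the Phisher contract, not the owner, and the call reverts.
    // If the caller is meant to be the vault contract, the same pattern applies:
    // require(msg.sender == vault).
    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The msg.sender check also covers the intended call path in a vault/strategy design, where the vault contract (not an EOA) calls the strategy: a contract can never be tx.origin, so a tx.origin-based gate would have blocked the legitimate caller as well as admitted the phishing one.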
Resolved #1 Medium Issue – Missing 'isContract' Check File: Blacksail_StrategyV3.sol Lines: 141-144 Description: Without verifying that an address is a contract, an EOA (Externally Owned Account) could inadvertently be set for a contract-specific parameter, which would cause later calls to that address to fail. Resolution: Solidity's Address library isContract function is now used to validate contract addresses before assignment. Note that this kind of check (code size at the address) guards against misconfiguration only: it returns false for an address whose constructor is still executing and true for any deployed contract, so it is not a substitute for access control on the setter.
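An added example of how such a setter can be written (not Blacksail's code; the contract name StrategyConfig and the event names are hypothetical). It uses the address's code size, which is what Address.isContract checked before OpenZeppelin removed it in v5, and pairs the check with the zero-address guard, the onlyOwner restriction, an event for the change, and, for comparison with the 0.1% fee cap noted above, a capped fee setter of the same shape.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

// Example added for this page (not Blacksail code). Names are hypothetical.

contract StrategyConfig {
    uint256 public constant WITHDRAW_FEE_CAP_BPS = 10; // 0.1%, the cap noted in the audit

    address public owner;
    address public vault;
    uint256 public withdrawFeeBps;

    event VaultUpdated(address indexed oldVault, address indexed newVault);
    event WithdrawFeeUpdated(uint256 oldFeeBps, uint256 newFeeBps);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Same test Address.isContract performed: does the address hold runtime code
    // right now? False for EOAs and for contracts still inside their constructor.
    function _hasCode(address a) internal view returns (bool) {
        return a.code.length > 0;
    }

    function setVault(address newVault) external onlyOwner {
        require(newVault != address(0), "zero address");
        require(_hasCode(newVault), "vault must be a contract");
        emit VaultUpdated(vault, newVault);
        vault = newVault;
    }

    function setWithdrawFee(uint256 newFeeBps) external onlyOwner {
        require(newFeeBps <= WITHDRAW_FEE_CAP_BPS, "fee above 0.1%");
        emit WithdrawFeeUpdated(withdrawFeeBps, newFeeBps);
        withdrawFeeBps = newFeeBps;
    }
}
```

A stronger check for a parameter like the vault address is a static call to a view the expected contract must implement, since any contract passes the code-size test; whether the project's vault exposes such a view is not stated in the report.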
Resolved #2 Medium Issue – Missing Access Control File: Blacksail_StrategyV3.sol Lines: 155-162 Description: A public function was accessible to all users, raising the risk of unauthorized access. Resolution: Access control checks were implemented, restricting function calls to specific roles (owner/operator).
Resolved #3 Medium Issue – Missing Non-Reentrant Check File: Blacksail_Vault.sol Lines: 131-148 Description: The claim function performed the external token transfer before updating internal state, so a recipient able to execute code during the transfer could re-enter claim and be paid again. Resolution: A nonReentrant modifier was applied to prevent repeated function calls during execution.
Resolved #4 Medium Issue – Missing Non-Reentrant Check File: Blacksail_StrategyV3.sol Lines: 211-214, 176-201 Description: Similar re-entrancy risks as the vault contract existed in strategy contracts. Resolution: The nonReentrant modifier was added to safeguard external calls.
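An added example covering the two reentrancy findings above (the vault claim and the strategy's external calls); it is not Blacksail's code, and the contract names and the accrue() helper are hypothetical. It shows a claim that transfers before zeroing the balance, and the hardened version that applies checks-effects-interactions together with a nonReentrant guard, written inline here so the example is self-contained rather than importing OpenZeppelin's ReentrancyGuard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

// Example added for this page (not Blacksail code). Names are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Minimal reentrancy guard, same idea as OpenZeppelin's ReentrancyGuard.
abstract contract ReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    modifier nonReentrant() {
        require(status != ENTERED, "reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }
}

contract VaultClaimVulnerable {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public pendingRewards;

    constructor(IERC20 _rewardToken) { rewardToken = _rewardToken; }

    // Hypothetical stand-in for the vault's reward accounting.
    function accrue(address user, uint256 amount) external { pendingRewards[user] += amount; }

    // VULNERABLE: the external call runs before the balance is zeroed. If the
    // token calls back into the recipient (ERC777-style hook) or the token
    // address is a malicious contract, the recipient re-enters claim() and is
    // paid the same pendingRewards again on every nested call.
    function claim() external {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        require(rewardToken.transfer(msg.sender, amount), "transfer failed"); // interaction
        pendingRewards[msg.sender] = 0;                                        // effect too late
    }
}

contract VaultClaimHardened is ReentrancyGuard {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public pendingRewards;

    event Claimed(address indexed user, uint256 amount);

    constructor(IERC20 _rewardToken) { rewardToken = _rewardToken; }

    function accrue(address user, uint256 amount) external { pendingRewards[user] += amount; }

    // FIXED: checks, then effects, then the interaction. nonReentrant is kept as
    // defence in depth so a re-entry reverts even if a later edit reorders the
    // statements.
    function claim() external nonReentrant {
        uint256 amount = pendingRewards[msg.sender];                           // check
        require(amount > 0, "nothing to claim");
        pendingRewards[msg.sender] = 0;                                        // effect
        emit Claimed(msg.sender, amount);
        require(rewardToken.transfer(msg.sender, amount), "transfer failed"); // interaction
    }
}
```

The modifier alone stops re-entry into functions that share the guard; it does not protect state read by other contracts mid-call (a view returning the stale pendingRewards during the transfer, for instance), which is why the state update is moved before the external call as well.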
Resolved #5 Medium Issue – Insufficient Slippage Protection File: Blacksail_StrategyV3.sol Lines: 260-283 Description: Swaps were submitted without a minimum output amount, so a swap could execute at any price, including one moved against the strategy by a sandwich attack. Resolution: A minimum acceptable output is now passed to each swap, derived from market conditions, so that a swap returning less than the tolerated amount reverts instead of executing at an unfavourable price.
Resolved #6 Medium Issue – Missing Zero Check File: Blacksail_StrategyV3.sol Lines: 233-247 Description: Transfers proceeded without verifying reward or native token balances, risking failed transactions. Resolution: require statements were added to ensure token balances and allowances were validated before execution.
Resolved #7 Medium Issue – Owner Can Withdraw Tokens from Reward Pool File: Blacksail_StrategyV3.sol Lines: 337-340 Description: The panic function allowed unrestricted withdrawal of funds from the 3rd party reward pool, introducing centralization risk. Resolution: The project owner has confirmed this as part of the business logic, a security measure to protect user funds in the case of a 3rd party exploit or contract error. Governance mechanisms and multi-signature controls may be implemented. Time locks now delay critical functions, allowing community review.
Resolved #1 Low Issue – Floating Pragma Solidity Version File: Blacksail_StrategyV3.sol Line: 3 Description: Floating Solidity versions risk compiling with outdated compilers. Resolution: Solidity version was pinned to a specific, stable release.
Resolved #2 Low Issue – Floating Pragma Solidity Version File: Blacksail_Vault.sol Line: 3 Description: Similar to above, ensuring stable compilation by specifying a Solidity version. Resolution: Solidity version fixed.
Resolved #3 Low Issue – Missing Events Arithmetic File: Blacksail_StrategyV3.sol Lines: 382-386, 329-334 Description: Key parameter changes lacked event emissions, reducing transparency. Resolution: Event emissions were added for critical state changes.
Resolved #4 Low Issue – Missing Visibility File: Blacksail_Vault.sol Line: 21 Description: Visibility modifiers were missing, potentially exposing internal functions. Resolution: Functions were updated with appropriate visibility modifiers.
Resolved #5 Low Issue – Missing Error Handling for External Calls File: Blacksail_StrategyV3.sol Lines: 260-283 Description: External calls lacked error handling, so a failure in a third-party contract reverted the whole transaction. Resolution: try-catch blocks were introduced to handle external call errors gracefully.
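An added example covering the two findings on the swap path (slippage protection, Medium #5, and error handling for external calls, Low #5); it is not Blacksail's code. It assumes a Uniswap V2-style router interface (whether the Sonic DEX the strategy uses is V2-compatible is an assumption of the example), and the contract name, the 0.5% default and the event names are hypothetical. The minimum output is floored from an expected amount and the configured tolerance, which is capped at the 15% limit noted in the owner privileges above, and the router call is wrapped in try/catch that records the failure instead of hiding it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

// Example added for this page (not Blacksail code). Names are hypothetical.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Uniswap V2-style router subset (assumed interface).
interface IRouter {
    function getAmountsOut(uint256 amountIn, address[] calldata path)
        external view returns (uint256[] memory);
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline
    ) external returns (uint256[] memory);
}

contract SlippageGuardedSwap {
    uint256 public constant MAX_SLIPPAGE_BPS = 1500; // 15%, the cap noted in the audit
    uint256 public slippageBps = 50;                 // 0.5% default (hypothetical)

    address public owner;
    IRouter public immutable router;

    event SlippageUpdated(uint256 oldBps, uint256 newBps);
    event SwapFailed(address indexed tokenIn, uint256 amountIn, bytes reason);

    constructor(IRouter _router) { router = _router; owner = msg.sender; }

    function setSlippage(uint256 newBps) external {
        require(msg.sender == owner, "not owner");
        require(newBps <= MAX_SLIPPAGE_BPS, "slippage above 15%");
        emit SlippageUpdated(slippageBps, newBps);
        slippageBps = newBps;
    }

    // Floor the acceptable output at expected * (1 - slippage).
    function minOut(uint256 expected) public view returns (uint256) {
        return expected * (10_000 - slippageBps) / 10_000;
    }

    // `expectedOut` should come from a source the attacker cannot move within
    // the same transaction (a price oracle, or a value the harvester computed
    // off-chain). Quoting router.getAmountsOut() on the same pool in the same
    // transaction is NOT that source: a sandwiched transaction sees reserves
    // that were already manipulated, so the floor would track the bad price.
    function _swap(address[] memory path, uint256 amountIn, uint256 expectedOut)
        internal returns (uint256 received)
    {
        if (amountIn == 0) return 0; // zero check: a zero-amount swap would just revert
        require(IERC20(path[0]).approve(address(router), amountIn), "approve failed");

        uint256 amountOutMin = minOut(expectedOut);
        try router.swapExactTokensForTokens(
            amountIn, amountOutMin, path, address(this), block.timestamp
        ) returns (uint256[] memory amounts) {
            received = amounts[amounts.length - 1];
        } catch (bytes memory reason) {
            // Record the failure rather than swallowing it, so a harvest that
            // could not swap is visible on-chain and can be retried.
            emit SwapFailed(path[0], amountIn, reason);
            received = 0;
        }
    }
}
```

Two cautions that follow from the code: a deadline of block.timestamp is always satisfied and so provides no protection against a transaction being held back, and catching a revert is appropriate on a harvest path (the call can be retried later) but on a withdrawal path it can let the user receive less than expected, so the caller should check the returned amount rather than treat the absence of a revert as success.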
Resolved #6 Low Issue – Missing Events File: Blacksail_Vault.sol Lines: 89-107 Description: Critical operations lacked event emissions. Resolution: Events were added to track significant contract interactions.
Blacksail_StrategyV3.sol:
Update vault contract address
Enable/disable harvest on deposit
Withdraw reward tokens
Pause/unpause contract
Update withdrawal fees (max 0.1%)
Adjust slippage tolerance (max 15%)
Blacksail_Vault.sol:
Propose new strategy
Upgrade strategy post-approval delay
This audit analyzed Blacksail's smart contracts for vulnerabilities and provided recommendations for improved security. No high or medium severity issues remain and all discovered issues have been resolved; ongoing diligence and further audits are nevertheless advised for new contracts and for updates to existing ones. Users are encouraged to conduct their own research before interacting with the contracts.