SolidProof.io Blacksail Finance Audit Report

Link to the official SolidProof.io report: https://app.solidproof.io/projects/blacksail

The information below has been transcribed from the official SolidProof.io report linked above, with additional detail on the resolutions added.

Blacksail Finance Overview

Website: www.blacksail.finance

Description: Blacksail Finance is a smart contract yield compounding suite on the Sonic Blockchain network. It automates compounding of DeFi rewards for crypto tokens, enabling users to maximize returns on their holdings.

Blacksail Contracts GitHub Repository: https://github.com/Blacksail-finance/audits/tree/main/contracts


Security Assessments

  • Vault

  • Language: Solidity

  • Onboard Date: 18/12/2024

Scope of Work

3 Contracts Evaluated:

  • Blacksail_StrategyV3.sol,

  • Blacksail_Vault.sol,

  • Blacksail_Interface.sol

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.

  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.

  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.

  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.

  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.

  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.

  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

Summary:

  • No unresolved High or Medium severity issues (all findings below have been resolved)

  • Key Contract Properties:

    • No minting by contract owner

    • No blacklisting of addresses

    • Contract owner cannot set high fees

    • Funds cannot be locked by the owner

    • No burn function

    • Ownership not renounced

    • Contract not upgradeable


Ownership Privileges

Blacksail_StrategyV3.sol

  • The owner can update the vault contract address.

  • The owner can enable/disable the harvest on deposit setting in the contract.

  • The owner can withdraw the reward tokens.

  • The owner can pause/un-pause the contract.

  • The owner can update the withdrawal fees to not more than 0.1%.

  • The owner can update the slippage tolerance value to not more than 15%.

Blacksail_Vault.sol

  • The owner can propose a new Strategy implementation in the contract.

  • The owner can upgrade the proposed strategy after the approval delay has passed.


Key Findings and Resolutions

High Issues | 1 Finding

Resolved #1 High Issue – Unsafe Use of tx.origin
File: Blacksail_StrategyV3.sol
Lines: 150, 192, 212
Description: Using tx.origin in Solidity smart contracts poses a phishing attack risk. An attacker could manipulate transactions by deploying malicious contracts and invoking key functions like harvest() or withdraw(). This vulnerability arises because tx.origin does not distinguish between original users and intermediary contracts.
Resolution: The code has been updated to replace tx.origin with msg.sender, ensuring secure authorization checks and reducing exposure to phishing threats.
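The finding above in minimal form, as an added illustration that is not Blacksail's code: a before/after pair where an authorised keeper address may move `want` tokens to the vault. The contract names, the `keeper` role, the `want` token and the `vault` address are hypothetical. The "before" contract keeps the defect the report describes; the "after" contract applies the reported fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

// Added illustration of the High finding (not Blacksail code). Both contracts,
// the `keeper` role, the `want` token and the `vault` address are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Before: authorisation keyed on tx.origin. tx.origin is the externally owned
/// account that started the transaction, whatever chain of contracts sits in
/// between, so this check cannot tell the keeper acting directly apart from an
/// intermediary contract that the keeper happened to call in the same transaction.
contract StrategyBefore {
    IERC20 public immutable want;
    address public immutable vault;
    address public keeper;

    constructor(IERC20 _want, address _vault, address _keeper) {
        want = _want;
        vault = _vault;
        keeper = _keeper;
    }

    function withdraw(uint256 amount) external {
        require(tx.origin == keeper, "!keeper"); // defect: passes for any intermediary
        require(want.transfer(vault, amount), "transfer failed");
    }
}

/// After: authorisation keyed on msg.sender, the immediate caller. Only the
/// keeper address itself satisfies the check; a contract the keeper calls
/// becomes msg.sender for its own outgoing calls and is rejected.
contract StrategyAfter {
    IERC20 public immutable want;
    address public immutable vault;
    address public keeper;

    constructor(IERC20 _want, address _vault, address _keeper) {
        want = _want;
        vault = _vault;
        keeper = _keeper;
    }

    modifier onlyKeeper() {
        require(msg.sender == keeper, "!keeper");
        _;
    }

    function withdraw(uint256 amount) external onlyKeeper {
        require(want.transfer(vault, amount), "transfer failed");
    }
}
```

As a check during review, Slither's `tx-origin` detector flags any `require`/`if` that compares `tx.origin` to an address, so a single run over the repository confirms that no occurrence of the pattern survived the fix.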


Medium Issues | 7 Findings

Resolved #1 Medium Issue – Missing 'isContract' Check
File: Blacksail_StrategyV3.sol
Lines: 141-144
Description: Without verifying whether addresses are contracts, EOAs (Externally Owned Accounts) could inadvertently be set for contract-specific parameters. This may lead to execution failures.
Resolution: Implemented Solidity's Address library isContract function to validate contract addresses before assignment.

Resolved #2 Medium Issue – Missing Access Control
File: Blacksail_StrategyV3.sol
Lines: 155-162
Description: A public function was accessible to all users, raising the risk of unauthorized access.
Resolution: Access control checks were implemented, restricting function calls to specific roles (owner/operator).

Resolved #3 Medium Issue – Missing Non-Reentrant Check
File: Blacksail_Vault.sol
Lines: 131-148
Description: The claim function allowed potential re-entrancy attacks by failing to update internal states before external token transfers.
Resolution: A nonReentrant modifier was applied to prevent repeated function calls during execution.

Resolved #4 Medium Issue – Missing Non-Reentrant Check
File: Blacksail_StrategyV3.sol
Lines: 211-214, 176-201
Description: Similar re-entrancy risks as in the vault contract existed in the strategy contract.
Resolution: The nonReentrant modifier was added to safeguard external calls.

Resolved #5 Medium Issue – Insufficient Slippage Protection
File: Blacksail_StrategyV3.sol
Lines: 260-283
Description: The absence of a minimum output in swaps exposed the contract to slippage risks.
Resolution: Minimum output values were set based on market conditions to reduce slippage vulnerability.

Resolved #6 Medium Issue – Missing Zero Check
File: Blacksail_StrategyV3.sol
Lines: 233-247
Description: Transfers proceeded without verifying reward or native token balances, risking failed transactions.
Resolution: require statements were added to ensure token balances and allowances were validated before execution.

Resolved #7 Medium Issue – Owner Can Withdraw Tokens from Reward Pool
File: Blacksail_StrategyV3.sol
Lines: 337-340
Description: The panic function allowed unrestricted withdrawal of funds from the 3rd party reward pool, introducing centralization risks.
Resolution: The project owner has confirmed the issue as part of the business logic: it is a security measure to protect user funds in the case of a 3rd party exploit or contract error. Governance mechanisms and multi-signature controls may be implemented. Time locks now delay critical functions, allowing community review.
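The Medium findings #1 to #6 above, applied together in one strategy-style contract as an added example (not Blacksail's code). Everything here is a hypothetical stand-in: the `owner`/`operator` roles, the `reward` and `want` tokens, the Uniswap-V2-style `IRouter` signature, the `pending` claim balances and the default slippage value. The contract-address check is written inline as `code.length > 0`, which is the test OpenZeppelin's `Address.isContract` performed (that helper was removed in OpenZeppelin Contracts 5.x), so the example compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

// Added illustration of Medium findings #1-#6 (not Blacksail code). Roles,
// tokens, router interface and claim balances are hypothetical.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IRouter {
    // Uniswap-V2 style signatures, assumed for the example.
    function getAmountsOut(uint256 amountIn, address[] calldata path) external view returns (uint256[] memory);
    function swapExactTokensForTokens(uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline) external returns (uint256[] memory);
}

contract HardenedStrategy {
    address public owner;
    address public operator;
    address public vault;
    IERC20 public immutable reward;
    IERC20 public immutable want;
    IRouter public immutable router;

    uint256 public slippageBps = 100;                  // 1% default, hypothetical
    uint256 public constant MAX_SLIPPAGE_BPS = 1_500;  // 15% cap, as stated in the report

    mapping(address => uint256) public pending;        // hypothetical claimable balances

    // Minimal re-entrancy guard; same mechanism as OpenZeppelin's ReentrancyGuard.
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant");
        _locked = 2;
        _;
        _locked = 1;
    }

    modifier onlyOwner() { require(msg.sender == owner, "!owner"); _; }
    modifier onlyAuthorized() {
        require(msg.sender == owner || msg.sender == operator, "!authorized");
        _;
    }

    event VaultUpdated(address indexed vault);
    event SlippageUpdated(uint256 bps);

    constructor(IERC20 _reward, IERC20 _want, IRouter _router, address _operator) {
        owner = msg.sender;
        operator = _operator;
        reward = _reward;
        want = _want;
        router = _router;
    }

    // Medium #1: reject EOAs for a contract-only parameter. code.length is a
    // configuration sanity check only: it is 0 for a contract still running its
    // constructor, so it must not be used as a trust decision.
    function setVault(address _vault) external onlyOwner {
        require(_vault.code.length > 0, "vault: not a contract");
        vault = _vault;
        emit VaultUpdated(_vault);
    }

    // Medium #2: formerly callable by anyone; now restricted to owner/operator.
    function setSlippage(uint256 bps) external onlyAuthorized {
        require(bps <= MAX_SLIPPAGE_BPS, "slippage too high");
        slippageBps = bps;
        emit SlippageUpdated(bps);
    }

    // Medium #3/#4: checks-effects-interactions plus nonReentrant. The balance is
    // zeroed before the external transfer, so a re-entrant call would read 0.
    function claim() external nonReentrant {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to claim");                         // check (Medium #6)
        pending[msg.sender] = 0;                                          // effect
        require(want.transfer(msg.sender, amount), "transfer failed");    // interaction
    }

    // Medium #5: minimum output derived from the quoted price and the slippage setting.
    function _swapRewardForWant(uint256 amountIn) internal returns (uint256 out) {
        address[] memory path = new address[](2);
        path[0] = address(reward);
        path[1] = address(want);
        uint256 quoted = router.getAmountsOut(amountIn, path)[1];
        uint256 minOut = quoted * (10_000 - slippageBps) / 10_000;
        require(reward.approve(address(router), amountIn), "approve failed");
        uint256[] memory amounts = router.swapExactTokensForTokens(
            amountIn, minOut, path, address(this), block.timestamp);
        out = amounts[amounts.length - 1];
    }

    // Medium #6: verify the reward balance is non-zero before swapping.
    function harvest() external onlyAuthorized nonReentrant {
        uint256 bal = reward.balanceOf(address(this));
        require(bal > 0, "no rewards");
        pending[vault] += _swapRewardForWant(bal);
    }
}
```

One caveat on the slippage bound: a quote taken from the same pool in the same transaction moves with that pool's state, so it bounds accidental slippage but not a price that has already been pushed within the block. Where the harvest is called by a trusted operator, passing a minimum computed off-chain (or from an independent price feed) as a parameter is the stronger form of the same control.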


Low Issues | 6 Findings

Resolved #1 Low Issue – Floating Pragma Solidity Version
File: Blacksail_StrategyV3.sol
Line: 3
Description: Floating Solidity versions risk compiling with outdated compilers.
Resolution: Solidity version was pinned to a specific, stable release.

Resolved #2 Low Issue – Floating Pragma Solidity Version
File: Blacksail_Vault.sol
Line: 3
Description: Similar to the issue above; specifying a Solidity version ensures stable compilation.
Resolution: Solidity version fixed.

Resolved #3 Low Issue – Missing Events Arithmetic
File: Blacksail_StrategyV3.sol
Lines: 382-386, 329-334
Description: Key parameter changes lacked event emissions, reducing transparency.
Resolution: Event emissions were added for critical state changes.

Resolved #4 Low Issue – Missing Visibility
File: Blacksail_Vault.sol
Line: 21
Description: Visibility modifiers were missing, potentially exposing internal functions.
Resolution: Functions were updated with appropriate visibility modifiers.

Resolved #5 Low Issue – Missing Error Handling for External Calls
File: Blacksail_StrategyV3.sol
Lines: 260-283
Description: External calls lacked error handling, risking transaction failures.
Resolution: try-catch blocks were introduced to handle external call errors gracefully.

Resolved #6 Low Issue – Missing Events
File: Blacksail_Vault.sol
Lines: 89-107
Description: Critical operations lacked event emissions.
Resolution: Events were added to track significant contract interactions.
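The six Low findings applied in one vault-style contract, as an added example that is not Blacksail's code. It also models the propose/upgrade strategy flow with an approval delay that the Ownership Privileges section and the Medium #7 resolution describe. The `IRewardPool` and `IStrategy` interfaces, the `StratCandidate` struct, the `approvalDelay` value and the `collectRewards` function are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24; // Low #1/#2: pinned to one compiler release, not a floating ^0.8.x

// Added illustration of the Low findings (not Blacksail code). Interfaces,
// struct, delay value and function names are hypothetical.

interface IRewardPool {
    function getReward() external;
}

interface IStrategy {
    function want() external view returns (address);
}

contract VaultLowFixes {
    // Low #4: explicit visibility on every state variable and function.
    address public owner;
    address public strategy;
    IRewardPool public immutable rewardPool;
    uint256 public constant APPROVAL_DELAY = 2 days; // hypothetical value

    struct StratCandidate {
        address implementation;
        uint256 proposedTime;
    }
    StratCandidate public stratCandidate;

    // Low #3/#6: one event per critical state change or significant interaction.
    event NewStratCandidate(address indexed implementation, uint256 proposedTime);
    event UpgradeStrat(address indexed implementation);
    event RewardCollectionFailed(bytes reason);

    modifier onlyOwner() {
        require(msg.sender == owner, "!owner");
        _;
    }

    constructor(address _strategy, IRewardPool _rewardPool) {
        owner = msg.sender;
        strategy = _strategy;
        rewardPool = _rewardPool;
    }

    // Owner proposes a replacement strategy; it must manage the same `want` token.
    function proposeStrat(address _implementation) external onlyOwner {
        require(_implementation.code.length > 0, "not a contract");
        require(IStrategy(_implementation).want() == IStrategy(strategy).want(), "want mismatch");
        stratCandidate = StratCandidate(_implementation, block.timestamp);
        emit NewStratCandidate(_implementation, block.timestamp);
    }

    // The upgrade only takes effect once the approval delay has elapsed, which is
    // the review window the report refers to.
    function upgradeStrat() external onlyOwner {
        require(stratCandidate.implementation != address(0), "no candidate");
        require(block.timestamp >= stratCandidate.proposedTime + APPROVAL_DELAY, "delay not passed");
        strategy = stratCandidate.implementation;
        emit UpgradeStrat(strategy);
        stratCandidate = StratCandidate(address(0), 0);
    }

    // Low #5: the external call is wrapped in try/catch so a reverting reward pool
    // does not revert the caller; the failure is surfaced through an event and a
    // return value rather than silently swallowed.
    function collectRewards() external onlyOwner returns (bool ok) {
        try rewardPool.getReward() {
            ok = true;
        } catch (bytes memory reason) {
            emit RewardCollectionFailed(reason);
            ok = false;
        }
    }
}
```

The return value and event in `collectRewards` matter as much as the try/catch itself: a caught failure that leaves no trace is an outage nobody notices, whereas an emitted event gives off-chain monitoring something to alert on. The `code.length` check in `proposeStrat` is the same configuration sanity check used for Medium finding #1 and is not a substitute for reviewing the proposed implementation during the delay.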


Ownership Privileges

  • Blacksail_StrategyV3.sol:

    • Update vault contract address

    • Enable/disable harvest on deposit

    • Withdraw reward tokens

    • Pause/unpause contract

    • Update withdrawal fees (max 0.1%)

    • Adjust slippage tolerance (max 15%)

  • Blacksail_Vault.sol:

    • Propose new strategy

    • Upgrade strategy post-approval delay


Final Words

This audit analyzed Blacksail's smart contracts for vulnerabilities, providing recommendations for enhanced security. While no high/medium severity issues remain and all discovered issues have been resolved, ongoing diligence and additional audits are advised for new contracts and updates. Users are encouraged to conduct further research prior to interaction.