The main objective was verification of the security of smart contracts and identification of threats occurring at the edge of integration with web2 components.

Basic information

Project type: Funding model for researchers.

Service: Smart contract security review.

Results: Our service helped detect and prevent kill-chain with a critical impact on Research Portfolio security and improved the overall security of their DApp.

About the Research Portfolio

Cinjon Resnick (Founder of Research Portfolio) contacted us through the recommendation of one of our friends at the beginning of August.

Research Portfolio builds tools for researchers to mint and trade tokens representing their research output. A two-person team works on the creation of a funding model where not only scientific work is rewarded, but also people's contribution to its creation.

Files in scope

The launch was scheduled for September alongside the Amaranth Prize. Until then, Cinjon wanted to make sure their contracts were secure and would allow users to use the solution safely.

Visit website: https://www.researchportfolio.co/

About the service scope

The subjects of the test were selected contracts from the Research Portfolio repository.

GitHub repository: https://github.com/researchportfolio/researchportfolio

CommitID: ed40cada20b7e07519be4606e8b33dccf05124ae

Files in scope

Identified threats

As before every smart contract audit, thorough threat modeling is performed. The results are made available to the client for joint analysis.

Files in scope

The following attacker goals were identified as the most important:

  • Theft of philanthropist funds.
  • Lock researcher funds in the contract.
  • Theft of other researcher funds.
  • Unfair distribution of funds.
  • Block the contract, so that others cannot use it.
  • Impersonating other researchers.

A few examples of threat scenarios that allow for risking or compromising the security of identified key assets:

  • Impersonating research paper author.
  • Verification of only selected research papers.
  • Incorrect linking of the research paper with the researcher.
  • Influence or bypass the business logic of the system.
  • Take advantage of arithmetic errors.
  • Minting more research tokens than promised for distribution.
  • Privilege escalation through incorrect access control to functions or badly written modifiers.
  • Existence of known vulnerabilities (e.g., front-running, re-entrancy).
  • Design issues.
  • Excessive power, too much in relation to the declared one.
  • Poor security against taking over the managing account.
  • Private key compromise, rug-pull.
  • Withdrawal of more funds than expected.
  • Modifying or executing submitted transactions.

More can be found in the report.

Smart contract audit results

22 identified threats turned out to be present in the project. The smart contract audit performed allowed for the detection of vulnerabilities related to business logic and architecture design.

Files in scope

Thanks to the work of the Research Portfolio team, 18 issues were removed. Additionally, a critical vulnerability that was found outside the scope of the service has been removed.

Client rating

Files in scope

Want to increase the security of your project?

Let's engage in a conversation. Share details about your current security strategies and measures. This will enable us to provide professional advice on potential enhancements and additional actions that could be beneficial for your security framework.

  • Ready to increase your security? Say HI to us!

Composable Security 🇵🇱⛓️ is a small team with a holistic approach that goes beyond the code. A combination of expertize in Solidity smart contract security and experience gained through 6+ years securing global fintechs and Polish banks help comprehensively take care of DApp security. Learn more about us.

Creators of the Smart Contract Security Verification Standard and the first Security Guide for DApps CTOs, Lead Developers, and Security Enthusiasts.

Paweł Kuryłowicz

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

About the author

Co-author of SCSVS and White Hat. Professionally dealing with security since 2017 and since 2019 contributing to the crypto space. Big DeFi fan and smart contract security researcher.

View all posts (16)