The audit revealed 37 issues, including significant risks that could impact financial stability, leading to crucial remediation steps.
Aconomy is a decentralized NFT marketplace focusing on illiquid real-world asset classes through the innovative use of PiNFTs
1. Denial of Service Risk in Monthly Installments: The repayment function allowed unbounded amounts to be sent, leading to a potential DoS condition where users could effectively lock loans by sending excessive repayments without adequate checks, as highlighted in the repay() function, which lacked input validation.
2. Lack of Support for Fee-on-Transfer Tokens: The contracts did not properly handle ERC20 tokens with transaction fees, causing balance discrepancies during staking. This issue was evident in the stake() function, which failed to account for the reduced token amount after fees.
3. Unhandled Borrower Defaults: The audit revealed that borrower defaults were not adequately addressed, leading to a risk where borrowers could take new loans despite outstanding debts. This was observed in the loan request logic, which failed to verify existing debts before approving new loans.
4. User-Manipulable Fee Structure: In certain functions, users could influence the fee amount by toggling boolean parameters, creating potential for exploitation to reduce or avoid fees, which impacted the platform's revenue model.
5. NFT Claim Vulnerability: The current implementation allowed any user to claim a borrower's NFT by repaying their debt at any time, creating a risk of opportunistic actors unfairly acquiring NFTs. This was highlighted in the claimNFT() function, which lacked owner verification.
6. Non-Collateralized Loan Risk: The platform allowed users to take non-collateralized loans, which, while providing flexibility, posed risks to lenders due to the lack of security for the loans. This was observed in the loan approval logic that did not require collateral in certain contracts.
1. Improved Repayment Checks: Implemented checks to validate repayments against a defined limit relative to the original loan amount, ensuring functional integrity. Updated the repay() function to include require statements to enforce these limits.
2. Enhanced Token Handling Logic: Adjusted the stake() function to retrieve the actual token balance post-fees, ensuring accurate calculations during staking operations. Added checks to account for potential fee deductions, maintaining user trust in the staking process.
3. Borrower Default Checks: Introduced checks to verify outstanding debts before allowing new loan requests, thereby protecting lenders from increased risk exposure. The loan request logic was updated to include these checks, enhancing overall loan security.
4. Secured Fee Structure: Restructured the fee calculation logic to remove user control over fee parameters. Enforced fixed fee rates within the smart contract to ensure consistent revenue generation and prevent manipulation.
5. Owner Verification for NFT Claims: Implemented strict owner verification in the claimNFT() function to ensure only the legitimate borrower could claim their NFT, mitigating risks of unfair acquisitions.
6. Enhanced Loan Approval Protocols: Introduced collateral requirements for certain loan types to mitigate risks associated with non-collateralized loans, thus providing a more secure lending environment. Updated loan approval logic to ensure proper collateral checks.
Aconomy Protocol operates as a decentralized NFT marketplace, utilizing PiNFTs to represent real-world assets on-chain. These PiNFTs combine asset value with underlying ERC20 tokens, unlocking financial benefits for traditionally illiquid assets.
Aconomy envisions a future where all forms of real-world assets can be efficiently traded and monetized on the blockchain, breaking down barriers to entry for investors and democratizing access to various asset classes. By creating a bridge between the digital and physical worlds, Aconomy aims to redefine how we perceive value, ownership, and investment.
Through its innovative use of PiNFTs and a decentralized marketplace, Aconomy is set to unlock a new era of financial opportunities for individuals and institutions alike, ultimately fostering a more inclusive and accessible financial ecosystem.
To enhance Aconomy Protocol's security, critical vulnerabilities were addressed by implementing strict input validations for repayments, improving fee handling, and checking for borrower defaults before loan approvals. The fee structure was secured to prevent manipulation, owner verification was added for NFT claims, and collateral requirements were introduced for non-collateralized loans, reinforcing Aconomy’s commitment to a secure and reliable platform.
Our comprehensive audit was executed through the following steps:
Our approach to auditing Aconomy involved a combination of threat modeling, a security-first mindset, and extensive testing. We used both white-box and black-box testing methods to ensure a thorough assessment, maintaining transparency and clear communication with the Aconomy team throughout the process.
Our comprehensive audit of these contracts revealed a total of 37 issues, categorised by severity:
Here is a breakdown of some of the critical vulnerabilities in audit discoveries and remediation strategies:
1. Denial of Service Risk in Monthly Installments
Discovery: The audit uncovered a potential denial of service scenario in the monthly installment repayment process. Due to inconsistent minimum amount checks between supplying funds and repaying installments, certain loan amounts could become impossible to repay through the monthly installment feature.
Impact: This vulnerability could lock borrowers out of repayment options, leading to unmanageable debt situations and increasing financial risks for both the borrowers and the platform.
2. Lack of Support for Fee-on-Transfer Tokens
Discovery: The contracts do not account for ERC20 tokens that deduct fees on transfers. This oversight could lead to discrepancies in stored token amounts versus actual balances, potentially affecting staking and refund processes.
Impact: Users might experience unexpected losses during staking or refunds due to inaccurate balance calculations, undermining trust in the platform's financial integrity.
3. Accumulation of Bad Debt
Discovery: The system lacks mechanisms to handle situations where accrued interest makes loan repayment economically unfeasible for borrowers. This could result in the accumulation of bad debt over time, posing risks to the platform's financial health.
Impact: As bad debt increases, it could severely impact the platform’s liquidity and solvency, threatening its long-term viability and user confidence.
4. Unhandled Borrower Defaults
Discovery: The audit revealed that borrower defaults are not adequately addressed in the smart contracts. The absence of checks for borrowers with outstanding debts when requesting new loans could lead to increased risk exposure for lenders.
Impact: This oversight could allow borrowers to accumulate additional loans despite existing defaults, increasing the likelihood of defaults and financial losses for lenders.
5. User-Manipulable Fee Structure
Discovery: In certain functions, users can influence the fee amount by toggling a boolean parameter. This design could potentially be exploited to reduce or avoid fees, impacting the platform's revenue model.
Impact: Manipulation of fees could lead to significant revenue losses for the platform, undermining its financial sustainability and operational capabilities.
6. NFT Claim Vulnerability
Discovery: The current implementation allows any user to claim a borrower's NFT by repaying their debt at any time. This could be exploited by opportunistic actors, potentially leading to unfair NFT acquisitions.
Impact: Such exploitation could harm the platform's reputation and user trust, as legitimate borrowers might lose access to their assets without proper safeguards in place.
7. Non-Collateralized Loan Risk
Discovery: The platform allows users to take non-collateralized loans in certain contracts. While this feature enhances accessibility, it introduces significant risk if borrowers default on these unsecured loans.
Impact: Defaulting on non-collateralized loans could lead to financial instability for the platform, as it may not have sufficient recourse to recover lost funds, threatening its overall health and user base
1. Denial of Service Risk in Monthly Installments
Remediation Strategy: Implemented stringent minimum amount checks in the repayment logic to prevent excessive repayments that could lock borrowers out of repayment options.
This ensures borrowers can only make repayments within manageable limits, preserving the functionality of the monthly installment feature.
2. Lack of Support for Fee-on-Transfer Tokens
Remediation Strategy: Modified the token handling logic to accurately account for fees deducted during transfers. This change will ensure that users' stakes are calculated based on real balances, preventing discrepancies.
3. Accumulation of Bad Debt
Remediation Strategy: Introduced mechanisms to cap interest accumulation and offer alternative repayment plans for borrowers facing financial difficulties. Implemented a check in the loan logic to assess whether accrued interest exceeds the original loan amount, allowing for adjustments or forgiveness.
This strategy can help prevent borrowers from falling into bad debt traps.
4. Unhandled Borrower Defaults
Remediation Strategy: Established checks within the loan request function to verify whether a borrower has outstanding debts before approving new loans.
By enforcing this requirement, the protocol can reduce the risk of lenders being exposed to additional defaults.
5. User-Manipulable Fee Structure
Remediation Strategy: Restructured the fee calculation to eliminate user influence on fee parameters. Implemented fixed fee rates within the smart contract, ensuring that all fee-related variables are immutable. For instance:
This adjustment secures the platform’s revenue model against manipulative actions by users.
6. NFT Claim Vulnerability
Remediation Strategy: Incorporated strict owner verification checks within the claimNFT()
function to ensure that only legitimate borrowers can claim their NFTs.
This change protects against opportunistic claims and secures borrowers' assets.
7. Non-Collateralized Loan Risk
Remediation Strategy: Established collateral requirements for certain loan types to mitigate the risks associated with non-collateralized loans. Modified the loan approval logic to check for collateral before processing loans:
By mandating collateral, the protocol can better safeguard against borrower defaults and enhance financial stability.
Impressed by our findings and recommendations, the Aconomy Protocol developers promptly Acknowledged all identified vulnerabilities.
Through our collaborative efforts, the Aconomy Protocol project is now significantly more secure, ensuring the protection of user funds.
The Aconomy Protocol’s smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the Aconomy Protocol Team has taken a significant step towards securing its platform and safeguarding user trust.
Get Pure Alpha Straight to Your Inbox. Miss this, and you’re missing out.
Insider Secrets - Delivered Right to You. Subscribe now.