QuillAudits Secures Aconomy with 37 Bug Fixes: Loan & Fee Risks Mitigated

The audit revealed 37 issues, including significant risks that could impact financial stability, leading to crucial remediation steps.

Aconomy is a decentralized NFT marketplace focusing on illiquid real-world asset classes through the innovative use of PiNFTs

glow
bg

Before QuillAudits

1. Denial of Service Risk in Monthly Installments: The repayment function allowed unbounded amounts to be sent, leading to a potential DoS condition where users could effectively lock loans by sending excessive repayments without adequate checks, as highlighted in the repay() function, which lacked input validation.

2. Lack of Support for Fee-on-Transfer Tokens: The contracts did not properly handle ERC20 tokens with transaction fees, causing balance discrepancies during staking. This issue was evident in the stake() function, which failed to account for the reduced token amount after fees.

3. Unhandled Borrower Defaults: The audit revealed that borrower defaults were not adequately addressed, leading to a risk where borrowers could take new loans despite outstanding debts. This was observed in the loan request logic, which failed to verify existing debts before approving new loans.

4. User-Manipulable Fee Structure: In certain functions, users could influence the fee amount by toggling boolean parameters, creating potential for exploitation to reduce or avoid fees, which impacted the platform's revenue model.

5. NFT Claim Vulnerability: The current implementation allowed any user to claim a borrower's NFT by repaying their debt at any time, creating a risk of opportunistic actors unfairly acquiring NFTs. This was highlighted in the claimNFT() function, which lacked owner verification.

6. Non-Collateralized Loan Risk: The platform allowed users to take non-collateralized loans, which, while providing flexibility, posed risks to lenders due to the lack of security for the loans. This was observed in the loan approval logic that did not require collateral in certain contracts.

After QuillAudits

1. Improved Repayment Checks: Implemented checks to validate repayments against a defined limit relative to the original loan amount, ensuring functional integrity. Updated the repay() function to include require statements to enforce these limits.

2. Enhanced Token Handling Logic: Adjusted the stake() function to retrieve the actual token balance post-fees, ensuring accurate calculations during staking operations. Added checks to account for potential fee deductions, maintaining user trust in the staking process.

3. Borrower Default Checks: Introduced checks to verify outstanding debts before allowing new loan requests, thereby protecting lenders from increased risk exposure. The loan request logic was updated to include these checks, enhancing overall loan security.

4. Secured Fee Structure: Restructured the fee calculation logic to remove user control over fee parameters. Enforced fixed fee rates within the smart contract to ensure consistent revenue generation and prevent manipulation.

5. Owner Verification for NFT Claims: Implemented strict owner verification in the claimNFT() function to ensure only the legitimate borrower could claim their NFT, mitigating risks of unfair acquisitions.

6. Enhanced Loan Approval Protocols: Introduced collateral requirements for certain loan types to mitigate risks associated with non-collateralized loans, thus providing a more secure lending environment. Updated loan approval logic to ensure proper collateral checks.

Aconomy Protocol operates as a decentralized NFT marketplace, utilizing PiNFTs to represent real-world assets on-chain. These PiNFTs combine asset value with underlying ERC20 tokens, unlocking financial benefits for traditionally illiquid assets.

Asset

The Future of Asset Economy

Aconomy envisions a future where all forms of real-world assets can be efficiently traded and monetized on the blockchain, breaking down barriers to entry for investors and democratizing access to various asset classes. By creating a bridge between the digital and physical worlds, Aconomy aims to redefine how we perceive value, ownership, and investment.

Through its innovative use of PiNFTs and a decentralized marketplace, Aconomy is set to unlock a new era of financial opportunities for individuals and institutions alike, ultimately fostering a more inclusive and accessible financial ecosystem.
 

Addressing Aconomy’s Security Vulnerabilities

To enhance Aconomy Protocol's security, critical vulnerabilities were addressed by implementing strict input validations for repayments, improving fee handling, and checking for borrower defaults before loan approvals. The fee structure was secured to prevent manipulation, owner verification was added for NFT claims, and collateral requirements were introduced for non-collateralized loans, reinforcing Aconomy’s commitment to a secure and reliable platform.

2

 

Aconomy’s Journey Through Our Audit Process

Our comprehensive audit was executed through the following steps:

  1. Information Gathering
    • Collected and reviewed all relevant documentation, including whitepaper, technical specifications, and design documents.
    • Obtained a clear understanding of the Aconomy platform's functionality and intended user interactions.
    • Discussed client concerns and specific areas of focus for the audit.
       
  2. Manual Code Review:
    • Conducted a line-by-line review of the smart contract code, focusing on:
      • Vulnerability identification: Searching for known vulnerabilities like reentrancy, front-running, integer overflows, and access control issues, etc.
      • Logic flaws: Identifying inconsistencies or unintended behaviours in the code logic.
      • Solidity best practices: Compliance with secure coding standards and adherence to established guidelines.
         
  3. Functional Testing:
    • Developed and executed a comprehensive set of test cases covering various user interactions and edge cases.
    • Leveraged tools like Hardhat and Ganache to deploy and test the smart contract locally.
       
  4. Automated Testing:
    • Employed static analysis tools like QuillShield to identify vulnerabilities through automated code scanning.
    • Utilized symbolic execution tools like Mythril to explore various code execution paths and uncover potential attack vectors.
    • Integrated unit tests are written by the Aconomy team to verify specific contract functions and their behaviour.
       
  5. Reporting & Remediation:
    • Prepared a detailed report outlining all identified vulnerabilities, categorized by severity and potential impact.
    • Provided clear recommendations for fixing each vulnerability, including code snippets and best practices.
    • Collaborated with the Aconomy Protocol team to prioritize and address the identified issues.
    • Conducted additional verification testing after vulnerability fixes were implemented.

 

QuillAudits' Strategic Approach to Aconomy’s Security Audits

Our approach to auditing Aconomy involved a combination of threat modeling, a security-first mindset, and extensive testing. We used both white-box and black-box testing methods to ensure a thorough assessment, maintaining transparency and clear communication with the Aconomy team throughout the process.

 

Comprehensive Audit Discoveries and Remediation Strategies

Our comprehensive audit of these contracts revealed a total of 37 issues, categorised by severity:

  • Medium Severity Issues (7): These issues pose a moderate risk and should be addressed promptly.
     
  • Low Severity Issue (13): This issue has a relatively low impact but still warrants attention.
     
  • Informational Issues (17): These findings provide valuable insights and recommendations for improvement.

Here is a breakdown of some of the critical vulnerabilities in audit discoveries and remediation strategies:

 

Audit Discoveries

1. Denial of Service Risk in Monthly Installments

Discovery: The audit uncovered a potential denial of service scenario in the monthly installment repayment process. Due to inconsistent minimum amount checks between supplying funds and repaying installments, certain loan amounts could become impossible to repay through the monthly installment feature.

Impact: This vulnerability could lock borrowers out of repayment options, leading to unmanageable debt situations and increasing financial risks for both the borrowers and the platform.
 

2. Lack of Support for Fee-on-Transfer Tokens

Discovery: The contracts do not account for ERC20 tokens that deduct fees on transfers. This oversight could lead to discrepancies in stored token amounts versus actual balances, potentially affecting staking and refund processes.

Impact: Users might experience unexpected losses during staking or refunds due to inaccurate balance calculations, undermining trust in the platform's financial integrity.
 

3. Accumulation of Bad Debt

Discovery: The system lacks mechanisms to handle situations where accrued interest makes loan repayment economically unfeasible for borrowers. This could result in the accumulation of bad debt over time, posing risks to the platform's financial health.

Impact: As bad debt increases, it could severely impact the platform’s liquidity and solvency, threatening its long-term viability and user confidence.
 

4. Unhandled Borrower Defaults

Discovery: The audit revealed that borrower defaults are not adequately addressed in the smart contracts. The absence of checks for borrowers with outstanding debts when requesting new loans could lead to increased risk exposure for lenders.

Impact: This oversight could allow borrowers to accumulate additional loans despite existing defaults, increasing the likelihood of defaults and financial losses for lenders.
 

5. User-Manipulable Fee Structure

Discovery: In certain functions, users can influence the fee amount by toggling a boolean parameter. This design could potentially be exploited to reduce or avoid fees, impacting the platform's revenue model.

Impact: Manipulation of fees could lead to significant revenue losses for the platform, undermining its financial sustainability and operational capabilities.
 

6. NFT Claim Vulnerability

Discovery: The current implementation allows any user to claim a borrower's NFT by repaying their debt at any time. This could be exploited by opportunistic actors, potentially leading to unfair NFT acquisitions.

Impact: Such exploitation could harm the platform's reputation and user trust, as legitimate borrowers might lose access to their assets without proper safeguards in place.
 

7. Non-Collateralized Loan Risk

Discovery: The platform allows users to take non-collateralized loans in certain contracts. While this feature enhances accessibility, it introduces significant risk if borrowers default on these unsecured loans.

Impact: Defaulting on non-collateralized loans could lead to financial instability for the platform, as it may not have sufficient recourse to recover lost funds, threatening its overall health and user base

 

Key Findings and Remediation

1. Denial of Service Risk in Monthly Installments

Remediation Strategy: Implemented stringent minimum amount checks in the repayment logic to prevent excessive repayments that could lock borrowers out of repayment options.

This ensures borrowers can only make repayments within manageable limits, preserving the functionality of the monthly installment feature.
 

2. Lack of Support for Fee-on-Transfer Tokens

Remediation Strategy: Modified the token handling logic to accurately account for fees deducted during transfers. This change will ensure that users' stakes are calculated based on real balances, preventing discrepancies.
 

3. Accumulation of Bad Debt

Remediation Strategy: Introduced mechanisms to cap interest accumulation and offer alternative repayment plans for borrowers facing financial difficulties. Implemented a check in the loan logic to assess whether accrued interest exceeds the original loan amount, allowing for adjustments or forgiveness.

This strategy can help prevent borrowers from falling into bad debt traps.
 

4. Unhandled Borrower Defaults

Remediation Strategy: Established checks within the loan request function to verify whether a borrower has outstanding debts before approving new loans.

By enforcing this requirement, the protocol can reduce the risk of lenders being exposed to additional defaults.
 

5. User-Manipulable Fee Structure

Remediation Strategy: Restructured the fee calculation to eliminate user influence on fee parameters. Implemented fixed fee rates within the smart contract, ensuring that all fee-related variables are immutable. For instance:

This adjustment secures the platform’s revenue model against manipulative actions by users.
 

6. NFT Claim Vulnerability

Remediation Strategy: Incorporated strict owner verification checks within the claimNFT() function to ensure that only legitimate borrowers can claim their NFTs.

This change protects against opportunistic claims and secures borrowers' assets.
 

7. Non-Collateralized Loan Risk

Remediation Strategy: Established collateral requirements for certain loan types to mitigate the risks associated with non-collateralized loans. Modified the loan approval logic to check for collateral before processing loans:

By mandating collateral, the protocol can better safeguard against borrower defaults and enhance financial stability.

Impressed by our findings and recommendations, the Aconomy Protocol developers promptly Acknowledged all identified vulnerabilities.

Through our collaborative efforts, the Aconomy Protocol project is now significantly more secure, ensuring the protection of user funds.

The Aconomy Protocol’s smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the Aconomy Protocol Team has taken a significant step towards securing its platform and safeguarding user trust.

Subscribe to our Newsletter

Get Pure Alpha Straight to Your Inbox. Miss this, and you’re missing out. Insider Secrets - Delivered Right to You. Subscribe now.

Telegram