Mangrove smart contract audit by ChainSecurity

Mangrove dss

vest smart contracts Security Audit

Download Audit Report
Summary

Giry implements a vesting plan for the participants of DAOs. The project is a fork of another well-audited project with a small number of additional features.

The most critical subjects covered in our audit are functional correctness and access control. We find that the project implementation is of a high quality and no severe issues were uncovered.

The general subjects covered are code complexity, use of uncommon language features, unit testing, documentation, specification, and gas efficiency. Security regarding all the aforementioned subjects is high with the exception of unit tests and the documentation which have not been updated to reflect the current state of the project. More specifically, the unit tests do not check for the correctness of the newly introduced features.

In summary, we find that the codebase provides a high level of security, but we strongly suggest to implement the missing unit tests.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Mangrove dss

Mangrove implements an offer book based exchange. Individual offer books exist for each market consisting of a base and a quote asset. Technically an offer book is a sorted doubly linked list of offers. Each offer promises an amount of the so-called base asset and requests a certain amount of the quote asset. Makers create these offers. Takers take these offers by executing a so-called order. During the execution of an order, the amount of the base quote is transferred to the maker first before the maker address is called to execute arbitrary code. During this call, the maker must do all actions necessary and make the amount of the base asset available for the exchange to collect.

Offers are just promises and the execution of an order may fail. When an offer fails e.g., because it failed to make available the amount of tokens to the exchange, the execution of the order is stopped. A penalty mechanism exists to incentivize makers to have working offers. Upon offer creation, the maker has to provide a so-called provision in Ether to cover for the gas costs should the transaction revert. If the offer
succeeds, the provision is returned to the maker. When an offer fails, a part of the provision is given to the taker to compensate for his lost gas costs.

A callback to the maker at the end of an exchange allows the maker to update his offer.

The system is administrated by the governance which can add/remove or pause token pairs or change the parameters of the system.

ChainSecurity has proved its ability to independently understand, thoroughly analyze, and help secure novel and complex smart contracts in a surprisingly short amount of time. We could not ask for a better auditing partner.
Adrien Husson, smart contract lead @ Mangrove