Executive Summary

From July 24, 2024, to July 26, 2024, the NETZ project engaged Fuzzland to conduct a thorough security audit of their swap project. The primary objective was to identify and mitigate potential security vulnerabilities, risks, and coding issues to enhance the project's robustness and reliability. Fuzzland conducted this assessment over 4 person-days, with 2 engineers reviewing the code over a span of 2 days. Employing a multifaceted approach that included static analysis, fuzz testing, and manual code review, the Fuzzland team identified 4 issues across different severity levels and categories.

Scope

Project Name:  NETZ
Filename:      swap-smart-contract-dev-liquidity.zip
Checksum:      c396cef9068cc4db86f23c8bdc4204b0
Fix Checksum:  -
Language:      Solidity / Ethereum

Vulnerability Severity

We divide severity into four distinct levels: high, medium, low, and info. This classification helps prioritize the issues identified during the audit based on their potential impact and urgency.

Below is a summary of the vulnerabilities with their current status, highlighting the number of issues identified in each severity category and their resolution progress.

Severity                         Number  Resolved
High Severity Issues             4       -
Medium Severity Issues           0       0
Low Severity Issues              0       0
Informational Severity Issues    0       0

Disclaimer

This audit does not guarantee that every security issue in the project has been identified, and it should not be taken as confirmation that no further vulnerabilities exist. While we have conducted the analysis to the best of our ability, we recommend that high-value projects commission several independent audits, run a public bug bounty program, and adopt continuous on-chain security auditing and monitoring. Additionally, this report should not be interpreted as personal financial advice or a recommendation.

Findings

[High] Incorrect Investor Address Used in Profit Calculation

In the updateInvestorProfits function, there is a critical error where the wrong address is used to calculate the investor's eligible investment amount. The function looks up _msgSender() instead of the investor parameter passed to the function, so the fee share credited to investor is derived from the caller's investment rather than the investor's own.

function updateInvestorProfits(address investor, uint256 liquidityCounter) internal {
    // BUG: looks up the caller's investment; should look up `investor`
    uint256 eligibleInvestmentAmount = getInvestmentAmount(_msgSender());
    uint256 feeShare = (eligibleInvestmentAmount * totalFeesCollectedUSDT) / liquidityCounter;
    totalFeesCollectedUSDT -= feeShare;

    investors[investor].feeProfits.push(FeeProfit(feeShare, block.number));
}
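To make the impact of the misattribution concrete, the following is an added Python model of the fee-share arithmetic above; it is not the NETZ project's code, and the investor names, investment amounts, fee pool and liquidity counter are constructed values. It runs the same distribution once with the reported behaviour (caller's investment used) and once with the investor parameter used.

```python
"""Constructed model of the fee-share accounting in updateInvestorProfits.

Not the NETZ project's code: investment amounts, the fee pool and the
liquidity counter are made-up values chosen to make the misattribution visible.
"""


def fee_distribution(investments, total_fees_usdt, liquidity_counter,
                     caller, order, fixed):
    """Credit each investor in `order` once and return {investor: share}.

    fixed=False reproduces the reported bug: the investment amount looked
    up belongs to the caller (_msgSender()), not to the investor credited.
    fixed=True looks up the `investor` parameter instead.
    """
    credited = {}
    for investor in order:
        lookup = investor if fixed else caller
        eligible = investments.get(lookup, 0)
        # Mirrors: feeShare = (eligible * totalFeesCollectedUSDT) / liquidityCounter
        fee_share = (eligible * total_fees_usdt) // liquidity_counter
        total_fees_usdt -= fee_share  # mirrors totalFeesCollectedUSDT -= feeShare
        credited[investor] = fee_share
    return credited


# Constructed sample state: two investors, a 1000 USDT fee pool and a
# liquidity counter equal to the sum of all investments.
INVESTMENTS = {"alice": 900, "bob": 100}
FEES = 1000
LIQUIDITY = 1000


def buggy_vs_fixed(caller):
    """Run the same distribution under both behaviours for a given caller."""
    order = ["bob", "alice"]
    return (
        fee_distribution(INVESTMENTS, FEES, LIQUIDITY, caller, order, fixed=False),
        fee_distribution(INVESTMENTS, FEES, LIQUIDITY, caller, order, fixed=True),
    )


if __name__ == "__main__":
    # alice triggers the update: bob is credited a share sized by alice's stake.
    print(buggy_vs_fixed("alice"))
    # A non-investor (e.g. an operator key) triggers it: every share becomes 0.
    print(buggy_vs_fixed("keeper"))
```

With alice as caller, bob is credited 900 instead of 100; with a non-investing caller, every credited share is 0 and the fees stay locked in the pool.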