Executive Summary
From Aug 24, 2024, to Aug 26, 2024, the Oracly team engaged Fuzzland to conduct a thorough security audit of their Oracly project. The primary objective was to identify and mitigate potential security vulnerabilities, risks, and coding issues to enhance the project's robustness and reliability. Fuzzland conducted this assessment over 4 person-days, involving 2 engineers who reviewed the code over a span of 2 days. Employing a multifaceted approach that included static analysis, fuzz testing, formal verification, and manual code review, the Fuzzland team identified 1 issues across different severity levels and categories.
Scope
| Project Name |
Oracly |
| Repository Link |
https://github.com/PhoboSys/pm-contracts |
| Commit |
c4fd6df312a51072d6bc82ceec92fcbed3cac7d2 |
| Fix Commit |
bf0858eb17c082606f96e5eb21793ad57ea10484 |
| Language |
Solidity - Polygon |
Methodology
- Static Analysis: We perform static analysis using our proprietary internal tools as well as Slither to identify potential vulnerabilities and coding issues.
- Fuzz Testing: We execute fuzz testing by utilizing our proprietary internal fuzzers to uncover potential bugs and logic flaws.
- Invariant Development: We convert the project into Foundry project and develop Foundry invariant tests for the project based on the code semantics and documentations.
- Invariant Testing: We run multiple fuzz testing tools, including Foundry and ItyFuzz, to identify violations of invariants we developed.
- Formal Verification: We develop individual tests for critical functions and leverage Halmos to prove the functions in question are not vulnerable.
- Manual Code Review: Our engineers manually review code to identify potential vulnerabilities not captured by previous methods.
Engagement Summary
The engagement involved a team of skilled consultants/engineers who were responsible for various phases of the audit process, including onboarding, initial audits, additional audits, and quality assurance. Below is a summary of the engagements with specific dates and details.
| Dates |
Consultants / Engineers Engaged |
Details |
| 8/20/2024 |
Chaofan Shou, Eda Zhang |
Onboarding |
| 8/24/2024 - 8/26/2024 |
Taotao Zhou, Chaofan Shou |
Initial Audit |
| 9/1/2024 - 9/2/2024 |
Taotao Zhou |
Fix Audit #1 |
Vulnerability Severity
We divide severity into four distinct levels: high, medium, low, and info. This classification helps prioritize the issues identified during the audit based on their potential impact and urgency.
- High Severity Issues represent critical vulnerabilities or flaws that pose a significant risk to the system's security, functionality, or performance. These issues can lead to severe consequences such as fund loss, or major service disruptions if not addressed immediately. High severity issues typically require urgent attention and prompt remediation to mitigate potential damage and ensure the system's integrity and reliability.
- Medium Severity Issues are significant but not critical vulnerabilities or flaws that can impact the system's security, functionality, or performance. These issues might not pose an immediate threat but have the potential to cause considerable harm if left unaddressed over time. Addressing medium severity issues is important to maintain the overall health and efficiency of the system, though they do not require the same level of urgency as high severity issues.