Prepared by Fuzzland

Overview

This document details our collaborative engineering effort with XOX Labs regarding their staking contracts. In this system, participants stake to earn rewards.

Targets

Disclaimer

The audit does not ensure that it has identified every security issue in the smart contracts, and it should not be seen as a confirmation that there are no more vulnerabilities. While we have conducted an analysis to the best of our ability, it is our recommendation for high-value contracts to commission several independent audits, a public bug bounty program, as well as continuous onchain security auditing and monitoring through Fuzzland Blaz+ Analysis and Alert. Additionally, this report should not be interpreted as personal financial advice or recommendations.

Auditing Process

• Static Analysis: We perform static analysis using our proprietary internal tools as well as Slither to identify potential vulnerabilities and coding issues.
• Fuzz Testing: We execute fuzz testing by utilizing our proprietary internal fuzzers to uncover potential bugs and logic flaws.
• Invariant Development: We convert the project into Foundry project and develop Foundry invariant tests for the project based on the code semantics and documentations.
• Invariant Testing: We run multiple fuzz testing tools, including Foundry and ItyFuzz, to identify violations of invariants we developed.
• Formal Verification: We develop individual tests for critical functions and leverage Halmos to prove the functions in question are not vulnerable.
• Manual Code Review: Our engineers manually review code to identify potential vulnerabilities not captured by previous methods.

Assumptions

• The contract is properly initalized.
  • pair provided has token0 as XOX token and token1 as any other tokens.
  • priceFeed is correctly set to the Chainlink or equivalent price feed of the token.
• Owner is a multisig requiring at least 51% signatures to send transactions.