Project & Development Update #5.75

February 14, 2022

Good afternoon pilots, and happy Valentine's Day! 💖

Because of the nature of the holiday, we have to keep this update short in order to avoid getting murdered in our sleep by our SOs. However, we would still like to summarize the results of the preliminary audit report today, and follow it up with a full internal update tomorrow where the team will be fully available to explain, discuss, and answer any and all related questions.

Let's dive in. 👇

🔹 Preliminary Audit Report

On Friday, we received our preliminary audit report from Solidity Finance. We were extremely pleased with the results, and nearly all of our contracts came up clean! The report had two main findings: one informational, and one related to security.

The informational flaw was in the Ship sale contract and would cause excess ETH not to be refunded if a minter sent the incorrect amount. To fix this issue, we simply adjusted the fixed-price sale contract to require that the value included for mints is exactly correct according to price and token amount.

The security flaw was much more severe and would allow a malicious pilot to claim excess voting power by repeatedly staking and unstaking. More technically, ERC20Votes's _moveVotingPower was not behaving appropriately on mints and burns for users that had their votes delegated to the zero address. Luckily, the issue was caused by a slight oversight rather than a logical misconception, and the fix was extremely simple. To apply the fix, we adjusted the delegation system so that votes are always delegated to a non-zero address: each pilot's votes are delegated to them by default, and they may re-delegate to any address other than 0x0.
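The fixed delegation rule described above, as an added Python model (not the project's contract code and not taken from the audit report). The class, method, and pilot names are assumptions, with staking modelled as a mint and unstaking as a burn; the check it runs is the invariant that total voting power always equals total staked balance, however many stake/unstake cycles occur.

```python
ZERO = "0x0"  # stand-in for the zero address (constructed value)
class VoteLedger:
    """Toy model: staking mints voting tokens, unstaking burns them."""
    def __init__(self):
        self.balance = {}   # pilot -> staked amount
        self.chosen = {}    # pilot -> explicitly chosen delegate
        self.votes = {}     # delegate -> voting power

    def delegate_of(self, pilot):
        return self.chosen.get(pilot, pilot)  # default: self-delegation

    def _move(self, src, dst, amount):  # None models the mint/burn side
        if src == dst or amount == 0:
            return
        if src is not None:
            if self.votes.get(src, 0) < amount:
                raise ValueError("voting power underflow")
            self.votes[src] -= amount
        if dst is not None:
            self.votes[dst] = self.votes.get(dst, 0) + amount

    def stake(self, pilot, amount):
        self.balance[pilot] = self.balance.get(pilot, 0) + amount
        self._move(None, self.delegate_of(pilot), amount)

    def unstake(self, pilot, amount):
        if self.balance.get(pilot, 0) < amount:
            raise ValueError("insufficient stake")
        self.balance[pilot] -= amount
        self._move(self.delegate_of(pilot), None, amount)

    def redelegate(self, pilot, to):
        if to == ZERO:
            raise ValueError("cannot delegate to the zero address")
        old = self.delegate_of(pilot)
        self.chosen[pilot] = to
        self._move(old, to, self.balance.get(pilot, 0))

    def conserved(self):  # invariant: total votes == total staked
        return sum(self.votes.values()) == sum(self.balance.values())

def churn(ledger, pilot, amount, rounds):
    """Stake/unstake repeatedly; True if the invariant held throughout."""
    ok = True
    for _ in range(rounds):
        for step in (ledger.stake, ledger.unstake):
            step(pilot, amount)
            ok = ok and ledger.conserved()
    return ok
```

Because every staker always has a non-zero delegate, each mint credits exactly one delegate and each burn debits that same delegate, so the two sides of a stake/unstake cycle cancel.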

We believe that our preliminary report is a great testament to the necessity of contract audits. Despite our best efforts, we made a couple of silly mistakes that could have seriously affected the project. However, by putting security in the hands of experts, we were able to discover these issues before launch and apply extremely simple fixes. We're incredibly grateful to Solidity Finance for catching what we couldn't and offering us the advice that let us fix these issues so easily.

TL;DR Solidity Finance caught a severe security issue that we hadn't noticed, then suggested an extremely simple fix. We applied the fix, and we're now moving into the final audit round on schedule. The full audit report + breakdown and overall internal project update will be posted Wednesday, Feb 16th due to the team being off for the holidays.