If you notice some outdated information please let us know!
Process Quality Review (0.8)
UniFi
FAIL
Scoring Appendix
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the audit looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
- Here is my smart contract on the blockchain
- You can see it matches a software repository used to develop the code
- Here is the documentation that explains what my smart contract does
- Here are the tests I ran to verify my smart contract
- Here are the audit(s) performed to review my code by third party experts
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
Smart Contracts & Team
76%
This section looks at the code deployed on the relevant chain that gets reviewed and its corresponding software repository. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
They can be found at https://github.com/unifiprotocol/utrade-contracts/blob/main/BTT/Contracts.md, as indicated in the Appendix. This took some researching to locate.
2. How active is the primary contract? (%)
Contract UniFiFactory is used over 20 times a day, as indicated in the Appendix. Despite the considerable utility and power of the BTT block explorer, we were unable to get day-specific contract interactions. We reached this figure by dividing total contract interactions (2357) by number of days active (105).
3. Does the protocol have a public software repository? (Y/N)
UniFi uses GitHub.
4. Is there a development history visible? (%)
At 19 commits, there is not a strong development history. We are pleased to report that this is in line with his excellency Justin Sun's preferences and indeed requirements.
5. Is the team public (not anonymous)?
Multiple team members could be identified as contributing to UniFi.
Documentation
89%
This section looks at the software documentation. The document explaining these questions is here.
6. Is there a whitepaper? (Y/N)
Location: https://docs.unifiprotocol.com/
7. Is the protocol's software architecture documented? (Y/N)
This protocol's software architecture is documented in large parts. A diagram explaining how the contracts function would further user comprehension of this protocol.
8. Does the software documentation fully cover the deployed contracts' source code? (%)
There is significant coverage of deployed contracts by software function documentation. Some contracts nevertheless remain uncovered by software function documentation.
9. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
There is perfect traceability between software documentation and implemented code, though this is not for all contracts.
Testing
10%
10. Has the protocol tested their deployed code? (%)
No testing was documented in UniFi's repository. This makes His Excellency most content, given his previous commitment to ensuring that POLONIEX is widely known as YOLONIEX.
11. How covered is the protocol's code? (%)
There is no proof of testing in UniFi's , let alone testing for code coverage. His Excellency once more is deeply satisfied by this development.
12. Does the protocol provide scripts and instructions to run their tests? (Y/N)
No scripts were provided by UniFi for testing.
13. Is there a detailed report of the protocol's test results?(%)
There is no test report provided by UniFi about the tests run on contract code. Mr Sun His Excellency of Grenada is over the moon at this prospect.
14. Has the protocol undergone Formal Verification? (Y/N)
Unifi has surprisingly not undergone formal verification.
15. Were the smart contracts deployed to a testnet? (Y/N)
UniFi has documented been deployed to Ropsten testnet.
Security
78%
This section looks at the 3rd party software audits done. It is explained in this document.
16. Is the protocol sufficiently audited? (%)
UniFi was audited once by SlowMist. This audit was pre-deployment.
17. Is the bounty value acceptably high (%)
UniFi does not offer a bug bounty at this time.
Admin Controls
0%
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
18. Is the protocol's admin control information easy to find?
Admin control information was not documented. There is no information relating to controls in UniFi's documentation or repo. Given these custom contracts, this should be explained.
19. Are relevant contracts clearly labelled as upgradeable or immutable? (%)
UniFi's relevant contracts are not identified as immutable or upgradeable.
20. Is the type of smart contract ownership clearly indicated? (%)
Ownership is not clearly indicated in any UniFi documentation.
21. Are the protocol's smart contract change capabilities described? (%)
UniFi's smart contract change capabilities are not identified for any contracts.
22. Is the protocol's admin control information easy to understand? (%)
The information is completely absent.
23. Is there sufficient Pause Control documentation? (%)
UniFi's pause control is not documented or explained.
24. Is there sufficient Timelock documentation? (%)
UniFi has no timelock documentation.
25. Is the Timelock of an adequate length? (Y/N)
UniFi has no timelock documentation, making identification of length impossible.
Oracles
25%
This section goes over the documentation that a protocol may or may not supply about their Oracle usage. Oracles are a fundamental part of DeFi as they are responsible for relaying tons of price data information to thousands of protocols using blockchain technology. Not only are they important for price feeds, but they are also an essential component of transaction verification and security. These questions are explained in this document.
26. Is the protocol's Oracle sufficiently documented? (%)
UniFi's oracle source is documented at this location. The contracts dependent are not identified. There is some relevant software function documentation.
27. Is front running mitigated by this protocol? (Y/N)
UniFi documents no front running mitigation techniques.
28. Can flashloan attacks be applied to the protocol, and if so, are those flashloan attack risks mitigated? (Y/N)
UniFi documents no flashloan countermeasures.
Appendices
1pragma solidity =0.5.16;
2
3import './UnifiPair.sol';
4
5contract UnifiFactory is IUnifiFactory {
6 bytes32 public constant INIT_CODE_PAIR_HASH = keccak256(abi.encodePacked(type(UnifiPair).creationCode));
7
8 address public feeTo;
9 address public feeToSetter;
10
11 address public feeController;
12 address public feeControllerSetter;
13 address public wbnb;
14 address public router;
15 mapping(address => mapping(address => address)) public getPair;
16 address[] public allPairs;
17
18 event PairCreated(address indexed token0, address indexed token1, address pair, uint);
19
20 constructor(address _ufc ,address _wbnb ) public {
21 feeToSetter = msg.sender;
22 feeControllerSetter = msg.sender;
23 feeController = _ufc;//change this in future
24 wbnb = _wbnb;
25
26 }
27
28 function allPairsLength() external view returns (uint) {
29 return allPairs.length;
30 }
31
32 function createPair(address tokenA, address tokenB) external returns (address pair) {
33 require(tokenA != tokenB, 'Unifi: IDENTICAL_ADDRESSES');
34 (address token0, address token1) = tokenA < tokenB ? (tokenA, tokenB) : (tokenB, tokenA);
35 require(token0 != address(0), 'Unifi: ZERO_ADDRESS');
36 require(getPair[token0][token1] == address(0), 'Unifi: PAIR_EXISTS'); // single check is sufficient
37 bytes memory bytecode = type(UnifiPair).creationCode;
38 bytes32 salt = keccak256(abi.encodePacked(token0, token1));
39 assembly {
40 pair := create2(0, add(bytecode, 32), mload(bytecode), salt)
41 }
42
43 IUnifiPair(pair).initialize(token0, token1,wbnb);
44 getPair[token0][token1] = pair;
45 getPair[token1][token0] = pair; // populate mapping in the reverse direction
46 allPairs.push(pair);
47 emit PairCreated(token0, token1, pair, allPairs.length);
48 }
49
50 function setFeeTo(address _feeTo) external {
51 require(msg.sender == feeToSetter, 'Unifi: FORBIDDEN');
52 feeTo = _feeTo;
53 }
54
55 function setFeeToSetter(address _feeToSetter) external {
56 require(msg.sender == feeToSetter, 'Unifi: FORBIDDEN');
57 feeToSetter = _feeToSetter;
58 }
59
60 function setFeeControler(address _feeController) external {
61 require(msg.sender == feeControllerSetter, 'Unifi: FORBIDDEN');
62 feeController = _feeController;
63 }
64
65 function setFeeControlerSetter(address _feeControllerSetter) external {
66 require(msg.sender == feeControllerSetter, 'Unifi: FORBIDDEN');
67 feeControllerSetter = _feeControllerSetter;
68 }
69
70 function setRouter(address _routerAddress) external {
71 require(msg.sender == feeControllerSetter, 'Unifi: FORBIDDEN');
72 router = _routerAddress;
73 }
74
75}