If you notice some outdated information please let us know!
Process Quality Review (0.9)
Quickswap
FAIL
Security Incidents
Scoring Appendix
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the review looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
- Here are my smart contract on the blockchain(s)
- Here is the documentation that explains what my smart contracts do
- Here are the tests I ran to verify my smart contracts
- Here are all the security steps I took to safeguard these contracts
- Here is an explanation of the control I have to change these smart contracts
- Here is how these smart contracts get information from outside the blockchain (if applicable)
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
Code and Team
83%
This section looks at the code deployed on the relevant chains and team aspects. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
The smart contract addresses for Quickswap are easily accessible and clearly labelled in the protocol's official documentation. They are found under the section titled "Contracts & Addresses". Therefore, based on the criteria, the score is 100%.
2. Does the protocol have a public software repository? (Y/N)
Location: https://github.com/QuickSwap
3. Is the team public (not anonymous)?
No, Quickswap appears anon.
4. How responsive are the devs when we present our initial report?
Devs responed quickly
Code Documentation
59%
This section looks at the software documentation. The document explaining these questions is here.
5. Is there a whitepaper? (Y/N)
No whitepaper was found.
6. Is the protocol's software architecture documented? (%)
The Smart Contracts section acts as a good system architecture description, 75% score, as per guidance
7. Does the software documentation fully cover the deployed contracts' source code? (%)
The Quickswap documentation provides a comprehensive overview of the smart contract source code. It includes code reviews, formal verification of core smart contracts, and details on various aspects of smart contract integration. However, while it covers major functions, it might not cover all minor details of the deployed source code.
8. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
The Quickswap Documentation provides descriptions and guides on how the system operates, including security, fetching data, and interface integration. However, it does not appear to contain direct traceable links from the documentation to the source code on GitHub. There are no explicit code snippets or direct references to the source code in the provided documentation. Therefore, the connection between the documentation and code is not explicit, making it difficult for users to locate the corresponding source code.
9. Is the documentation organized to ensure information availability and clarity? (%)
The documentation is very well organized.
Testing
27%
This section covers the testing process of the protocol’s smart contract code previous to its deployment on the mainnet. The document explaining these questions is here.
10. Has the protocol tested their deployed code? (%)
Test to Code is 639 / 4319 = 15% which gives a score of 40%. Admittedly they are using the Uniswap code (but the fork has tests too). There is no excuse for not including and running the tests. ─────────────────────────────────────────────────────────────────────────────── Language Files Lines Blanks Comments Code Complexity ─────────────────────────────────────────────────────────────────────────────── JavaScript 10 4319 669 1586 2064 240 ─────────────────────────────────────────────────────────────────────────────── Total 10 4319 669 1586 2064 240 ─────────────────────────────────────────────────────────────────────────────── Estimated Cost to Develop $57,814 Estimated Schedule Effort 4.655748 months Estimated People Required 1.103232 ─────────────────────────────────────────────────────────────────────────────── Processed 160076 bytes, 0.160 megabytes (SI) ─────────────────────────────────────────────────────────────────────────────── ─────────────────────────────────────────────────────────────────────────────── Language Files Lines Blanks Comments Code Complexity ─────────────────────────────────────────────────────────────────────────────── TypeScript 5 630 88 4 538 16 JavaScript 1 9 2 0 7 0 ─────────────────────────────────────────────────────────────────────────────── Total 6 639 90 4 545 16 ─────────────────────────────────────────────────────────────────────────────── Estimated Cost to Develop $14,282 Estimated Schedule Effort 2.736796 months Estimated People Required 0.463644 ─────────────────────────────────────────────────────────────────────────────── Processed 25515 bytes, 0.026 megabytes (SI) ───────────────────────────────────────────────────────────────────────────────
11. How covered is the protocol's code? (%)
As there are virtually no tests, we cannot give any credit for coverage. In addition there is no indication of a coverage report. Score is 30% as per guidance.
12. Is there a detailed report of the protocol's test results?(%)
No test report was found.
13. Has the protocol undergone Formal Verification? (Y/N)
On the Security page there is a mention of formal verification. However, the link to the report is broken and there is no reference available to find the report. Therefore, no credit can be given.
Security
14%
This section looks at the 3rd party software audits done. It is explained in this document.
14. Is the protocol sufficiently audited? (%)
On the Security page there is mention of an audit. The link is dead and refers to a Uniswap audit page.
There is just no effort here. I know they are using Uniswap code which is solid and audited. But they need to demonstrate the code is the same and indicate which audits they are taking credit for in order to get the 65%. Based on present data only 20% is given.
15. Is there a matrix of audit applicability on deployed code (%)? Please refer to the example doc for reference.
No audits, therefore 0%.
16. Is the bug bounty value acceptably high (%)
On the Security page there is mention of a Quickswap bug bounty program. The link points to the Uniswap bug bounty program. When Uniswap is managing a bug through its bounty program, they will not inform Quickswap so the Uniswap program adds no value. Score 0%.
17. Is there documented protocol monitoring (%)?
No evidence of protocol monitoring was found.
18. Is there documented protocol front-end monitoring (%)?
The documentation from Quickswap does not provide specific mentions of DDOS Protection, DNS steps to protect the domain, Intrusion detection protection on the front end, or Unwanted front-end modification detection. Hence, the score is 0% as none of the security measures required for front-end monitoring are documented. [...]
Admin Controls
67%
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
19. Is the protocol code immutable or upgradeable? (%)
According to QuickSwap's official documentation, QuickSwap is implemented in a system of non-upgradeable smart contracts on the Ethereum blockchain. This means that the protocol's code is immutable and cannot be altered or upgraded after it has been deployed.
20. Is the protocol's code upgradeability clearly explained in non technical terms? (%)
The QuickSwap protocol's documentationstates that it is implemented in a system of non-upgradeable smart contracts on the Ethereum blockchain. This indicates that the smart contracts are immutable, disallowing post-deployment changes or upgrades. As per the scoring rubric, if all contracts are immutable, they automatically score 100% for this question.
21. Are the admin addresses, roles and capabilities clearly explained? (%)
At a minimum there is a means to set the fee address for allowing fees. But there is not data on how this can be changed. The documentation reviewed does not provide any details regarding admin addresses, roles, and capabilities within the Quickswap protocol. The information primarily focuses on security measures, smart contract integration, and the mechanism for price determination. There is no mention of any admin addresses, roles, or permissions present in the smart contracts. Therefore, it is not possible to evaluate the level of control and potential influence these entities may have on the protocol. For these reasons, a score of 0% is given.
22. Are the signers of the admin addresses clearly listed and provably distinct humans? (%)
Based on the available information, it is not clear who the signers of the admin addresses are. The Quickswap documentation does not provide specific information about the signers of the admin addresses. The descriptions of the team members do not include explicit mention of their roles as signers. Score 0%.
23. Is there a robust documented transaction signing policy? Please refer to the Example doc for reference.(%)
Based on the provided text, there is no clear or comprehensive transaction signing policy provided in the Quickswap documentation. While there is mention of security audits, formal verification, and meta transactions, none of the elements of a transaction signing policy as defined in the research instructions are present.
Oracles
100%
This section goes over the documentation that a protocol may or may not supply about their Oracle usage. Oracles are a fundamental part of DeFi as they are responsible for relaying tons of price data information to thousands of protocols using blockchain technology. Not only are they important for price feeds, but they are also an essential component of transaction verification and security. These questions are explained in this document.
24. Are Oracles relevant? (Y/N)
The protocol uses price feed oracles as indicated in the provided documentation. The protocol employs oracles as tools for retrieving price information for assets on-chain. It is also mentioned that developers, while building smart contracts that integrate with DeFi protocols, will inevitably encounter the price oracle problem. In addition, in order to guard against certain attacks, the protocol documentation suggests introducing a price oracle, which can be of two types - off-chain and on-chain, depending on the situation and requirements.
25. Is the protocol's Oracle sufficiently documented? (%)
The protocol's Oracle is comprehensively documented. The documentation details the concept of Oracles, the need for them in smart contracts and DeFi protocols, and potential security risks associated with them. It also outlines how to build a price oracle on Uniswap V2, emphasizing the importance of understanding the requirements for the use case and providing questions to guide that understanding. Additionally, the documentation explains how to protect against attacks using an external price feed or "price oracle". It also mentions the situations in which an on-chain oracle should be used when an off-chain price is not available.
26. Can flashloan attacks be applied to the protocol, and if so, are those flashloan attack risks mitigated? (Y/N)
Flashloan attacks can be applied to the protocol. However, the protocol has implemented measures to mitigate the risks of flashloan attacks. These measures include the usage of a price oracle to ensure the fairness of the swap price, which can protect against manipulation. The cost of manipulating the price for a specific period can be estimated as the amount lost to arbitrage and fees for that period, making the attack impractical for larger liquidity pools and longer periods. In addition, the Quickswap frontend calculates the optimal input/output amounts given observed intra-block prices, ensuring trade safety.