ShibaNova & Security: PeckShield Audit and Commitment to SAFU
Good day, Shibanovians! We’re so excited to announce our final audit has just been completed! For this audit, we employed the illustrious PeckShield (https://peckshield.com) to review our smart contracts. It’s been a long journey for us — and many of you have been with us the entire time, which we’re immensely grateful for! Going through our audits has been an extremely important process for our development, especially for our Dev Team. PeckShield was our third audit, the previous two being CTDSEC and EtherAuthority. We are grateful for all the effort our auditors put into reviewing the code, as we hope to provide the safest possible DeFi experience for all of you.
Now, let’s get into the details! Here is the list of the 8 findings PeckShield reported.
Issue 1: The ShibaLibrary contract had swap fees set at .16%, whereas the ShibaPair contract had them set at .20%. We quickly fixed this issue. It’s also important to note that this would have had an effect on the amount of fees we collected, but it wouldn’t be an exploit that could cause a massive loss of funds. This is the importance of multiple eyes reviewing a project, and why any new contracts we deploy will always be reviewed by multiple parties.
Issue 2: Currently, we don’t have the voting system integrated with our governance, but transitioning into a DAO is definitely a plan for the future. Essentially, the issue was that someone could use their sNova to vote, then send their sNova to another wallet and vote again. Now, it’s fixed so that if you vote and send your sNova to another wallet, the votes go with the sNova and can’t be counted multiple times.
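The double count described in Issue 2, as an added Python model that is not ShibaNova's contract code. It assumes delegation-style vote accounting, and the class, method and wallet names are hypothetical.

```python
class VoteToken:
    """Toy governance token: votes are tracked per delegatee, apart from balances."""

    def __init__(self, move_votes_on_transfer):
        self.move_votes_on_transfer = move_votes_on_transfer  # True models the fix
        self.balance, self.delegate_of, self.votes = {}, {}, {}

    def _move_votes(self, src, dst, amount):
        # Shift voting power between delegatees; None means "no delegatee yet".
        if src is not None:
            self.votes[src] = self.votes.get(src, 0) - amount
        if dst is not None:
            self.votes[dst] = self.votes.get(dst, 0) + amount

    def mint(self, to, amount):
        self.balance[to] = self.balance.get(to, 0) + amount
        self._move_votes(None, self.delegate_of.get(to), amount)

    def delegate(self, holder, delegatee):
        old = self.delegate_of.get(holder)
        self.delegate_of[holder] = delegatee
        self._move_votes(old, delegatee, self.balance.get(holder, 0))

    def transfer(self, src, dst, amount):
        if self.balance.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount
        if self.move_votes_on_transfer:
            # The fix: voting power follows the tokens to the receiver's delegatee.
            self._move_votes(self.delegate_of.get(src), self.delegate_of.get(dst), amount)


def total_voting_power(move_votes_on_transfer):
    """Constructed scenario: 100 tokens are used to vote, moved, then used again."""
    token = VoteToken(move_votes_on_transfer)
    token.mint("wallet_a", 100)
    token.delegate("wallet_a", "wallet_a")
    token.transfer("wallet_a", "wallet_b", 100)
    token.delegate("wallet_b", "wallet_b")
    return sum(token.votes.values())
```

A useful invariant to test in any such token is that total voting power never exceeds the delegated supply.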
Issue 3: This is the first issue we decided not to address at this time. The reasoning is that our presale contract was custom-designed for our BUSD to NOVA sale, which are both ERC20 tokens. If we decide to host a presale with non-ERC20 tokens (which is highly unlikely), we’ll make the recommended changes. [Ahem, launchpad, cough cough LoL]
Issue 4: This issue basically says that the owner of the contracts has some privileges that could negatively affect the user if a malicious person got ahold of the owner’s wallet. To mitigate this risk, control of our contracts will first be owned by a timelock, then the timelock will be owned by a multi-sig wallet, which requires 3 of 5 board members to sign off on every transaction. This means that if one of our wallets gets hacked, the hacked wallet cannot do anything to the contracts. As we’ve mentioned, our end goal is to be completely decentralized and governed by the community, but that will take time, as there are inherent risks in that as well.
Issue 5: This is a more obscure issue where the owner of the MasterShiba could potentially create a pool with rewards set to 0, not tell anyone about it (or add it to the website), deposit some funds into the pool, and let it sit for a couple days. Then, the owner could adjust the rewards from 0 to whatever without updating the pools, and get all the back-logged rewards. Of course for us this is something that is locked behind both a timelock and multi-sig, so it would be much harder for one of us to deceive everyone. However, we want you to be able to trust us, so we edited the code to make sure rewards are always updated when you add or adjust pools.
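The back-logged reward problem from Issue 5, as an added Python model of MasterChef-style accounting. It is not MasterShiba's code, and the class, field names and numbers are assumptions made for the example.

```python
PRECISION = 10**12  # fixed-point scale for accumulated reward per share

class Farm:
    def __init__(self, reward_per_block, update_on_change):
        self.reward_per_block = reward_per_block
        self.update_on_change = update_on_change  # True models the fixed behaviour
        self.block = self.total_alloc = 0
        self.pools = []  # per pool: alloc weight, last settled block, acc per share, supply
        self.users = {}  # (pid, who) -> [staked amount, reward debt]

    def update_pool(self, pid):
        p = self.pools[pid]
        if p["supply"] and self.total_alloc:
            blocks = self.block - p["last"]
            reward = blocks * self.reward_per_block * p["alloc"] // self.total_alloc
            p["acc"] += reward * PRECISION // p["supply"]
        p["last"] = self.block

    def add(self, alloc):
        self.pools.append({"alloc": 0, "last": self.block, "acc": 0, "supply": 0})
        self.set(len(self.pools) - 1, alloc)  # same settle-then-reweight path as set()

    def set(self, pid, alloc):
        if self.update_on_change:
            for i in range(len(self.pools)):  # settle every pool at the old weights
                self.update_pool(i)
        self.total_alloc += alloc - self.pools[pid]["alloc"]
        self.pools[pid]["alloc"] = alloc

    def deposit(self, pid, who, amount):  # amount 0 means harvest only
        self.update_pool(pid)
        p, u = self.pools[pid], self.users.setdefault((pid, who), [0, 0])
        paid = u[0] * p["acc"] // PRECISION - u[1]
        u[0] += amount
        p["supply"] += amount
        u[1] = u[0] * p["acc"] // PRECISION
        return paid


def payouts(update_on_change):
    """Constructed scenario: returns (owner reward from pool 1, user reward from pool 0)."""
    farm = Farm(reward_per_block=10, update_on_change=update_on_change)
    farm.add(100)                    # listed pool 0
    farm.add(0)                      # unlisted pool 1 with rewards set to 0
    farm.deposit(0, "user", 100)
    farm.deposit(1, "owner", 1)
    farm.block = 1000                # pool 1 sits untouched for 1000 blocks
    farm.set(1, 100)                 # weight raised from 0 to 100
    return farm.deposit(1, "owner", 0), farm.deposit(0, "user", 0)
```

Without the settle step the new weight is applied to the whole untouched period, so half of the 10,000 emitted rewards shift from the listed pool to the unlisted one; with it, the old weights apply up to the block of the change.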
Issue 6: There was a description inside the code (doesn’t have any effect on the code itself) that we didn’t update to reflect what the code actually does. We updated the description. This is mainly so that people reading the code can get descriptions of what specific functions are doing without having to read everything first.
Issue 7: There was a reference function that was coded in twice, where it only needed to be in there once. We’ve removed the redundant code. Note, there is a similar redundant safety feature in our NovaToken contract that was found by the other auditors. Because it was a redundant safety feature, and we had already deployed the token on the mainnet, we felt safe in leaving it there.
Issue 8: This was a low-risk but important finding. There were possible re-entrancy issues in the MasterShiba, but we made sure to fix these.
Overall, the audit went very well and we are extremely grateful for the care and thoroughness contained in this report. There is a reason why PeckShield is considered one of the best auditors in the entire industry! Most of the issues they found were minor and nothing was found that could be exploited to mint infinite tokens, drain the pools, or cause other major issues.
This also highlights the need for big, ambitious projects like ShibaNova to get multiple audits on their code. While PeckShield found all the issues we discussed, some of them were only uncovered on our 3rd audit after 2 full audits were already performed! Every auditor is different and we believe that every one of our auditors did their best to evaluate our code as they did. At the end of the day, our willingness to go through 3 different audits only makes us more confident in the safety of our code.
For reference, all 3 of our audits and contracts can be found here:
DeFi 2.0 — Our Commitment to SAFU and moving beyond our Audits
From the start of the project, we told our community that we would go to great lengths to make sure that our code is as SAFU as possible. To this end, we have invested a significant portion of our presale revenues in our audits and security protocols, including:
- 3 Full Audits by PeckShield, EtherAuthority, and CTDSEC.
- KYC performed by AssureDefi:
- Time Lock & Gnosis Multi-sig.
- Exploring a partnership with LossLess — a first-of-its-kind hack reversal protocol — https://lossless.cash/. ShibaNova will potentially be the 1st project built on the Binance Smart Chain (BSC) to integrate the LossLess technology with our native token. [AMA scheduled with the LossLess team on Monday, 26 July at 14:00 UTC — join us at t.me/ShibaNovaDEX]
We are very excited to announce the next addition to our ever-growing list of partnerships and Security offerings — ImmuneFi — https://immunefi.com/
ImmuneFi is one of the most prominent bug bounty protocols in all of DeFi. They are helping to protect over $25 billion of user funds, which encompasses about 1/3 of all investments in this sector! Their partners list in DeFi reads like the “Who’s Who” in the space, including PancakeSwap and SushiSwap.
Effective 27 July, 2021 (pre-launch), we will offer a bug bounty of $20,000 for any Critical severity issues found in our code — and this is just the beginning. As our protocol grows, we will continue to examine the bug bounty to make sure that the prize for uncovering any exploitable code increases as well. This will ensure that white hat hackers will always have ShibaNova on their radar and should they see any vulnerabilities, our Dev Team will have the opportunity to address the issues quickly and eliminate the threat of loss of funds for our shareholders.
Link to our ImmuneFi Bug Bounty: https://immunefi.com/bounty/shibanova/
To our team, the decision to fortify our Security and continue to add to it layer by layer is a no-brainer. Best case scenario, we invested in all of these measures and none of it is necessary because our code is SAFU. But even if there’s a sliver of a chance that something CAN happen, we want to be well-positioned to mitigate or stop any exploit to the best of our ability. When we talk about DeFi 2.0, it isn’t just a catchy phrase we throw around — it’s a cornerstone of our project. We don’t just aim to be one of the most prominent DEXs or AMMs in all of DeFi — we also aim to be the Safest.