Pyxis Network (PYX) security audit, conducted by the Callisto Network Security Department during March 2021.
Pyxis (PYX) Specificities
Pyxis Network (PYX) Smart Contract Security Audit Report
Are Your Funds Safe?
1. In scope
The smart contracts use open source libraries from OpenZeppelin. The following files were excluded from the audit:
Interface contract of Uniswap Router:
In total, 6 issues were reported including:
2 low severity issues.
3 owner privileges.
No critical security issues were found.
2.1. The known vulnerability of the ERC-20 token
Following EIP-20 specifications:
Add the following check to the transfer() function so that tokens cannot be sent to the token contract itself, where they would be locked:
require( recipient != address(this) );
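As an added illustration (example code, not the Pyxis contract and not from the audit), the same check placed in an OpenZeppelin 4.x ERC20 token. Instead of editing transfer() alone, the check sits in the _beforeTokenTransfer hook, which runs for transfer(), transferFrom(), mint and burn alike, so one require() covers every path. The contract name, symbol and initial supply are assumptions. This check is only appropriate for a token contract that never needs to hold its own balance (fees or staking balances kept inside the token contract would be blocked by it).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// Hypothetical token (added example, not Pyxis code) that refuses any transfer
/// whose recipient is the token contract itself.
contract NoSelfTransferToken is ERC20 {
    // Name, symbol and supply are assumptions for the example.
    constructor(uint256 initialSupply) ERC20("Example Token", "EXM") {
        _mint(msg.sender, initialSupply);
    }

    /// OpenZeppelin 4.x hook invoked before every balance movement: transfer(),
    /// transferFrom(), _mint() and _burn() all pass through here, so the
    /// recipient check cannot be bypassed via the allowance path.
    function _beforeTokenTransfer(
        address from,
        address to,
        uint256 amount
    ) internal virtual override {
        super._beforeTokenTransfer(from, to, amount);
        // Equivalent of the audit's require(recipient != address(this)).
        require(to != address(this), "ERC20: transfer to the token contract");
    }
}
```

A transfer to the contract's own address reverts with the message above; all other transfers behave exactly as in the stock OpenZeppelin ERC20.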
2.2. Default Admin Role
Severity: owner privilege.
The contract deployer gets DEFAULT_ADMIN_ROLE. This means that they can grant any role to any address. It makes the smart contract more centralized and is risky if that private key is compromised.
Revoking SETTER_ROLE in the function init() does not guarantee that the settings cannot be changed in the future, because a user with DEFAULT_ADMIN_ROLE can grant SETTER_ROLE to any address and change the settings again (may call the function
Do not set up DEFAULT_ADMIN_ROLE.
2.3. SETTINGS_MANAGER_ROLE can be assigned only by Default Admin
Severity: owner privileges.
In the contracts, SETTINGS_MANAGER_ROLE can be assigned only by the user with DEFAULT_ADMIN_ROLE. As was pointed out in 2.2, that user has unlimited power, which is risky if their private key is compromised. We suggest using a dedicated admin role instead of DEFAULT_ADMIN_ROLE to assign SETTINGS_MANAGER_ROLE:
bytes32 public constant SETTINGS_MANAGER_ROLE_ADMIN = keccak256('SETTINGS_MANAGER_ROLE_ADMIN');
In the constructor, replace the line that grants DEFAULT_ADMIN_ROLE to the deployer with:
_setupRole(SETTINGS_MANAGER_ROLE_ADMIN, msg.sender);
_setRoleAdmin(SETTINGS_MANAGER_ROLE, SETTINGS_MANAGER_ROLE_ADMIN);
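The following is an added example (not Pyxis code and not from the audit) that puts 2.2 and 2.3 together in one OpenZeppelin 4.x contract: the deployer never receives DEFAULT_ADMIN_ROLE, SETTINGS_MANAGER_ROLE is administered by the dedicated SETTINGS_MANAGER_ROLE_ADMIN, and the admin can make the settings final by revoking every manager and renouncing its own role. Because no address holds DEFAULT_ADMIN_ROLE, and DEFAULT_ADMIN_ROLE is the (default) admin of SETTINGS_MANAGER_ROLE_ADMIN, nobody can ever grant the admin role again, so the set of addresses able to change settings can only shrink. The contract name, the stepSeconds setting and the freezeSettings function are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/AccessControlEnumerable.sol";

/// Hypothetical settings contract (added example, not Pyxis code).
/// DEFAULT_ADMIN_ROLE is never granted, so the role hierarchy can only shrink.
contract ScopedSettings is AccessControlEnumerable {
    bytes32 public constant SETTINGS_MANAGER_ROLE = keccak256("SETTINGS_MANAGER_ROLE");
    bytes32 public constant SETTINGS_MANAGER_ROLE_ADMIN = keccak256("SETTINGS_MANAGER_ROLE_ADMIN");

    // Example setting governed by the role (name assumed for the example).
    uint256 public stepSeconds = 1 days;

    event StepSecondsChanged(uint256 oldValue, uint256 newValue);
    event SettingsFrozen(address indexed by);

    constructor(address settingsAdmin, address firstManager) {
        // Holders of SETTINGS_MANAGER_ROLE_ADMIN, and only they, may grant or
        // revoke SETTINGS_MANAGER_ROLE. The admin of SETTINGS_MANAGER_ROLE_ADMIN
        // itself stays at the default, DEFAULT_ADMIN_ROLE, which nobody holds,
        // so exactly one admin exists for the lifetime of the contract.
        _setRoleAdmin(SETTINGS_MANAGER_ROLE, SETTINGS_MANAGER_ROLE_ADMIN);
        _setupRole(SETTINGS_MANAGER_ROLE_ADMIN, settingsAdmin);
        _setupRole(SETTINGS_MANAGER_ROLE, firstManager);
        // Deliberately no _setupRole(DEFAULT_ADMIN_ROLE, msg.sender).
    }

    function setStepSeconds(uint256 newValue) external onlyRole(SETTINGS_MANAGER_ROLE) {
        require(newValue > 0, "ScopedSettings: step must be positive");
        emit StepSecondsChanged(stepSeconds, newValue);
        stepSeconds = newValue;
    }

    /// Make the current settings final. Unlike revoking a role inside init()
    /// while a DEFAULT_ADMIN_ROLE holder exists, this cannot be undone: after it
    /// runs no address holds either role and no address can grant them.
    function freezeSettings() external onlyRole(SETTINGS_MANAGER_ROLE_ADMIN) {
        // Remove managers from the end so indices stay valid while the set shrinks.
        uint256 count = getRoleMemberCount(SETTINGS_MANAGER_ROLE);
        for (uint256 i = count; i > 0; i--) {
            revokeRole(SETTINGS_MANAGER_ROLE, getRoleMember(SETTINGS_MANAGER_ROLE, i - 1));
        }
        // The caller is the only admin (see constructor), so renouncing leaves none.
        renounceRole(SETTINGS_MANAGER_ROLE_ADMIN, msg.sender);
        emit SettingsFrozen(msg.sender);
    }
}
```

The design relies on two OpenZeppelin AccessControl rules: grantRole() and revokeRole() require the caller to hold getRoleAdmin(role), and a role whose admin role has no holders can never be granted. Before deploying a contract like this, check with hasRole(DEFAULT_ADMIN_ROLE, deployer) that the deployer really did not receive the default admin role.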
2.4. Users with SETTINGS_MANAGER_ROLE can change constants
Severity: owner privileges.
The constants used in the calculation formulas (reward calculation, penalty calculation, etc.) can be changed at any time by a user with SETTINGS_MANAGER_ROLE. This means that the calculations may differ from those indicated in the white paper.
Use hardcoded constants instead of variables.
2.5. EnumerableSet is undeclared – compilation error
Add import '@openzeppelin/contracts/utils/structs/EnumerableSet.sol' to the contract that uses EnumerableSet.
2.6. The function getNumDayInWeek() may return a wrong day number
The result of getNumDayInWeek() depends on the value of SETTINGS.STEP_SECONDS. It returns the correct day number only if SETTINGS.STEP_SECONDS = 86400.
To remove this dependence, it is better to use a hardcoded value:
return (block.timestamp / 1 days) % 7;
Note that day 0 in this formula is a Thursday, because the Unix epoch (1 January 1970) fell on a Thursday; any mapping of the result to named weekdays has to account for that offset.
The audited smart contracts can be deployed. Only low severity issues were found during the audit. Investors have to pay attention to the high owner privileges.
Trust the Blockchain, Audit the Smart Contracts.