---
title: CertiK Auditor Note for Gainswap
tags: audit-note
---

CertiK Auditor Note for Gainswap
===

###### tags: `Note` `Audit`

:::info
- **Project:** Gainswap
- **Date:** Dec 8, 2030
- **Auditor:** buyun.xu@certik.org, guilong.li@certik.org
- **Reference:** N/A
:::

:closed_book: Contract deployment address on ethereum
---

https://etherscan.io/address/0x756627591715d0f1aa285c80e62675e949ed19f5

https://etherscan.io/address/0xd031d172f3079303cbc4dc58b6c6f74ebc00f9ec

:mag: New Findings
---

| Finding Index | Finding Type  | Finding Name                                | Description                                                                                                 | Feedback                                                                                                          |
| ------------- | ------------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| 1             | Bug           | Security risk of transferring assets        | We recommend moving governance to a Timelock or to the community after the protocol is deployed.           | We have deployed a multi-sig wallet with timelock. All sensitive actions will need multi-sig confirmations.       |
| 2             | Informational | Controversial specifications in whitepaper  | Too long; see the details section.                                                                         | Client refused to reply on this item.                                                                             |

:closed_book: Details for Findings
--

#### Findings1:

#### Description:

This protocol has an external dependency: users' digital currencies can be deposited to a third-party service (such as YFI) through the `IyToken` contract. The system should only be used if that service is appropriately trusted. The `IyToken` contract is not in the scope of this audit.

Additionally, the governance privilege should be controlled. `yToken0` and `yToken1` can be changed by governance at any time, and doing so changes the address to which users' digital currencies are deposited.

```solidity
// Owner can repoint the deposit target immediately, with no delay or notice.
function setY0(address y) public onlyOwner() {
    yToken0 = y;
    emit Y0Updated(y);
    approve0();
}

function setY1(address y) public onlyOwner() {
    yToken1 = y;
    emit Y1Updated(y);
    approve1();
}
```

#### Recommendation:

We recommend transferring the governance privilege to a Timelock or to the community after the protocol is deployed.

(Gainswap - response) We have deployed a multi-sig wallet with timelock. All sensitive actions will need multi-sig confirmations. The address is: https://etherscan.io/address/0x02c7d121e7f176ef5ddc1459e1ec05468fbc4ff2

(CertiK - response) This **MultiSigWalletWithTimelock** contract is outside the scope of this audit. We recommend that liquidity providers check whether `setFeeTo()` has been called and `feeTo` is set to this multi-sig wallet address.

#### Findings2:

#### Description:

According to chapter 2.3 of the doc <a href="https://github.com/gainswap/gainswap/blob/main/gainswap.pdf">gainswap.pdf</a>, the fee is 0.30%:

`This is effectively the same as letting anyone flash-borrow any of assets stored in a Gainswap pool (for the same 0.30% fee as Uniswap charges for trading).`

But chapter 3.3 of the doc states:

`The 30-base-point fee fixed on Uniswap can be negotiated and formulated by the community in Gainswap. That can be changed according to user needs when new situations appear.`

This is inconsistent with chapter 2.3.
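For Finding 1, the following contract is an added example written for this note; it is not Gainswap code. It shows the same `yToken0`/`yToken1` setters restructured as a two-step, time-delayed change: the owner first queues a new address (which is visible on-chain through an event), and the change can only be applied after a fixed delay, so liquidity providers can see where deposits are about to be moved and withdraw beforehand if they disagree. The `DELAY` of 2 days, the contract name and the `Pending` struct are assumptions, and the original `approve0()`/`approve1()` hooks are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Gainswap code. Same setters as the audited snippet, but
// every change must be announced first and can only execute after DELAY.
contract TimelockedYTokenConfig {
    address public owner;
    address public yToken0;
    address public yToken1;

    uint256 public constant DELAY = 2 days; // assumption: minimum notice period

    struct Pending {
        address value; // queued yToken address, zero when nothing is queued
        uint256 eta;   // earliest timestamp at which the change may execute
    }

    Pending public pendingY0;
    Pending public pendingY1;

    event Y0Queued(address indexed y, uint256 eta);
    event Y1Queued(address indexed y, uint256 eta);
    event Y0Cancelled(address indexed y);
    event Y1Cancelled(address indexed y);
    event Y0Updated(address indexed y);
    event Y1Updated(address indexed y);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _owner, address _yToken0, address _yToken1) {
        require(_owner != address(0), "zero owner");
        require(_yToken0 != address(0) && _yToken1 != address(0), "zero yToken");
        owner = _owner;
        yToken0 = _yToken0;
        yToken1 = _yToken1;
    }

    // Step 1 (owner only): announce the new yToken0. Nothing changes yet;
    // the emitted eta is the earliest block timestamp at which it can apply.
    function queueY0(address y) external onlyOwner {
        require(y != address(0), "zero address");
        pendingY0 = Pending(y, block.timestamp + DELAY);
        emit Y0Queued(y, pendingY0.eta);
    }

    // The owner may withdraw a queued change before it executes.
    function cancelY0() external onlyOwner {
        address y = pendingY0.value;
        require(y != address(0), "nothing queued");
        delete pendingY0;
        emit Y0Cancelled(y);
    }

    // Step 2 (anyone): apply the change once the delay has elapsed. The delay
    // cannot be shortened because eta was fixed when the change was queued.
    function executeY0() external {
        Pending memory p = pendingY0;
        require(p.value != address(0), "nothing queued");
        require(block.timestamp >= p.eta, "timelock not expired");
        delete pendingY0;
        yToken0 = p.value;
        emit Y0Updated(p.value);
    }

    // Identical queue / cancel / execute lifecycle for yToken1.
    function queueY1(address y) external onlyOwner {
        require(y != address(0), "zero address");
        pendingY1 = Pending(y, block.timestamp + DELAY);
        emit Y1Queued(y, pendingY1.eta);
    }

    function cancelY1() external onlyOwner {
        address y = pendingY1.value;
        require(y != address(0), "nothing queued");
        delete pendingY1;
        emit Y1Cancelled(y);
    }

    function executeY1() external {
        Pending memory p = pendingY1;
        require(p.value != address(0), "nothing queued");
        require(block.timestamp >= p.eta, "timelock not expired");
        delete pendingY1;
        yToken1 = p.value;
        emit Y1Updated(p.value);
    }
}
```

The point of the split is observability: a `Y0Queued` or `Y1Queued` event with its `eta` is a concrete signal that monitoring and liquidity providers can act on, whereas the audited `setY0`/`setY1` only emit `Y0Updated`/`Y1Updated` after the deposit target has already moved. Holding the owner key in a multi-sig, as Gainswap states it has done, adds a confirmation threshold on top of this delay but does not by itself give users advance notice.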