UnoWatchDog Cohort 1, Activation 1: Vox Finance

Scope: New Cover Policy Activation
Authors: Jas Singh, Sujith Sizon, Vithuran K.

Summary:

Web: https://vox.finance

Twitter: x.com

Telegram: Telegram: Contact @VoxFinance

A successful audit has been completed for VOX Finance. The activation for the VOX insurance policy will commence shortly after passing the proposal. The UnoWatchDog program gives the opportunity for protocols to get a smart contract audit and get protocol wide coverage for all of its active users at no additional charge for either the protocol or the users. This means users will no longer be required to individually purchase, renew, and file claims for insurance.

Audit

Vox Finance contract have gone through an extensive audit by our security team and partners. We will continue to audit new additions to code for the remainder of the insurance policy term (12 months). Should the insurance policy be extended, continued audits will also extend.

A total of 1024 lines of code were audited among the contracts listed below:

  1. VoxLiquidityFarm.sol
  2. VoxStakingPool.sol
  3. VoxSwapManager.sol
  4. VoxToken.sol
  5. VoxTokenAirdrop.sol
  6. VoxVestingWallet.sol

These contracts were audit from the repo under this commit hash: Initial commit · voxfinance/vox2.0-protocol@9c94722 · GitHub

Please see the attached images below on the results of the audit.

For reference, the full audit report can be found on the following IPFS link here: https://beige-safe-chipmunk-848.mypinata.cloud/ipfs/QmQ3XuAdgRz41JDMrYDWNMjAwRKNwJTAK861dsXZX5op3A

Service Fees for UnoRe DAO services are as follows:

Date: 2023-03-21

Description:

  1. Audit cost split among auditors: 10,000 USDC

  2. Active Monitoring fees: 2,000 USDC

  3. WatchDog Fees including premium: 10,000 USD in VOX tokens*

  4. Bounty Fee: 2,000 USD in VOX tokens*

*VOX tokens at the rate on 21st of March 2023

A special thank you to our Independent Auditors chrisdior4, ddimitrov22 and Dev77.

Active Monitoring:

As per the UnoWatchDog program, UnoRe will be actively monitoring all of Vox finance contracts to prevent hacks before they occur. After thorough back testing of our threat mitigation systems, this approach has proven to block a high number of recent hacks; and in some cases recover stolen assets.

UnoRe’s threat prevention systems will be actively monitoring the following:

  1. Tracking of key functionalities within covered contracts

a. Voxtoken.sol - https://arbiscan.io/token/0xa0eebb0e5c3859a1c5412c2380c074f2f6725e2e#code

b. VoxLiquidityFarm - https://arbiscan.io/token/0x87195340478b792cfb0986450c39b64846867716#code

c. VoxStakingPool - https://arbiscan.io/token/0x0B21cfbe22b5730f050c2787379a8263FCCd276b#code

d. VoxSwapManager - https://arbiscan.io/token/0xe84713bE6d41475429bA65A6092973595b7b286A#code

e. VoxTokenAirdrop - https://arbiscan.io/token/0x3279C1D0a34D60B84BCcba55EE08d220032958aF#code

f. VoxVestingWallet - https://arbiscan.io/token/0x6aa60fAA7e3A9c6B8468634546AB684F1bb5160f#code

  1. Tracking of VOX token transfer txns which are above 5,000 VOX2 tokens. (Helps monitor sandwich attacks)
  2. Tracking and monitoring of owner/admin wallets - Setup via Arkham Intel and Aegis
  3. Uniswap v2 fork hack monitoring - GitHub - Uno-Re/unore-audit-whitelist-integrations: Protocols audited and whitelisted by unore
  4. Withdrawals above 1,000 VOX tokens from Vault contracts
  5. MEV searcher scripts for detecting malicious transactions and front-running - Setup via Arkham Intel and Aegis

Even though Vox has passed a thorough audit review, it can still be prone to attacks that have never been documented before. Monitoring the contracts is an additional step we take to help prevent hacks in edge case scenarios where the hacker is still able to steal assets.

Insurance Policy

Total Coverage Amount: $100k USD
Individual Claim Limit: $ 5000
Individual Deductible : $100
Chain: Arbitrum
Claims: SSIP pool Assets (USDC, USDT, UNO, ETH)

In the rare event an UnoWatchDog client is hacked and funds are non-recoverable, UnoRe will cover losses for each user up to the total coverage amount and up to the set individual claim limit, less the individual deductible shown above. The insurance policy follows the same exclusions and conditions in our original smart contract cover wording found in our Gitbook here. In addition to the exclusions listed on Gitbook, any loss due to centralization risks of the VOX protocol will not be covered as stated in the audit report. This is due to the high degree of centralization risks within the protocol. Any losses due to sandwhich attacks will also not be included in the cover policy. Unlike the insurance policies listed in our cover portal, users will not be required to take any further action to be covered. Users will automatically be covered if a loss were to occurred, and will not be required to file a claim to be processed.

Zero Day Reporting

Uno Re protocol in collaboration with VOX Finance protocol will be running an active Zero
day reporting and bug bounty program where security researchers and whitehats who find
Critical and High issues with the protocol. Zero Day is a monitoring program initiated once the audit phase is over. The researchers submit zero-day and other exploits, ensuring a continuous vulnerability assessment process.

Scope and rewards
The program’s scope remains the same as the audit. We would then categorize the
vulnerability into critical, high, and medium. These reports would be based on exploits that
could lead to

  • Direct Fund loss
  • Permanent freezing of user’s stakes
  • Theft of unclaimed rewards
  • Preventing users from claiming due rewards
  • Miner-extractable value and more

Disclaimer: Uno Re and the Vox Finance protocol team would decide the payout for these
vulnerabilities. The amount for the payout would be proportional to the severity and nature of
the exploit.

How to report a 0day Vulnerability:

Whitehats can privately report 0day vulnerabilities by creating a ticket in the private Discord channel specifically for whitehats. Please get in touch with admins in the UnoRe Discord server to join the whitehat private channel.

After creating the ticket, whitehats can submit a report explaining the following:

  1. severity of the issue
  2. impact of the issue
  3. description of the issue
  4. possible fix for the issue

Conclusion and next steps: The internal audit of Vox Finance was successful, and our active monitoring systems are live. The insurance policy will also go live by the end of the week, and will not expire until the end of May 2024. The renewal of the policy at the end of its term is subject to approval by the UnoRe DAO at a future date. After this proposal passes, Vox Finance will be added to our list of UnoWatchDog clients.

Disclaimer: The Watch Dog program does not have any influence on any projects token price. A Watch Dog client does not mean we endorse the projects token or coin. UnoRe does not give out financial advice and can neither confirm or deny whether the token in question is a good investment.

6 Likes

The proposal has gone for listing vote here Snapshot

1 Like

Governance Bribes Distribution Update

Governance bribes are distributed to the participants. Here is the list of qualified contributors. Enjoy your rewards!

0xd56904075f943C121ceB8bD3FD0b006bED878E7f
0x60ca7446Aa8d6aC01545772D8643494439512A6D
0x7AE85B25b2Db88B3fC2000fA5326efD7abc4E1C0
0xc9931A6112dDB6a7ED4d6F7C15361e4B1d36E302
0xd7BB739060a742dD147168abA4f1B7C304759617
0xEb54b04b7329a8F1f32e6bA1E2419732bcB14647
0x3Ece63Fb6caEf370b6544AA6ca619e8cBE5007C7
0xD0797211902638dad874432Ac221CFeCD9446F7F
0xcE771F0f6e187aE28f86e66817475588aaE568ec
0x158978091DF36Cc658C31E365d0860425a81B7B7
0xc7e318811aAc4e3975BF49d6A7C6FBC82D2305a7
0xbABBE459A3DF532aDc193fd6cb2B3F327dB9FC99
0x805ec14309d962E00cFB754F40b146573C394fA3
0x3D6C9F63F7E73EB7a06C7D8cfC8Add3Df8ED56Fe
0xa75e5E7F3d094b592C4e4522D2A7Df0248E4DD26
0x15D6aAAfaD6255BaE4Cc6805617A03a7D8c5e991
0xE07eCA830b06002B41cCbC4195ba0611217C205c

Transaction Links:

arbiscan.io/tx/0x6961a04cc26d16be14e6499d64806bbeaec5276502145f6f8838a501ebad8f8f
arbiscan.io/tx/0xf194b8693d043d9c043783b15270558d6335bd9a1964c27165826a0243b5d2c0
3 Likes

How can we see this?

ETH should have been already airdropped to your wallet. As for VOX tokens you can see them by importing the below token address in your metamask / wallet 0xa0eeBB0E5C3859a1c5412C2380c074f2f6725e2E

3 Likes

Yeahh I receive the Vox tokens!! Really this is amazing!!

2 Likes