Scope: New Cover Policy Activation
Authors: Jas Singh, Sujith Sizon, Vithuran K.
Telegram: @VoxFinance
A successful audit has been completed for VOX Finance. Activation of the VOX insurance policy will commence shortly after this proposal passes. The UnoWatchDog program gives protocols the opportunity to get a smart contract audit and protocol-wide coverage for all of their active users at no additional charge to either the protocol or the users. This means users will no longer be required to individually purchase, renew, and file claims for insurance.
The Vox Finance contracts have gone through an extensive audit by our security team and partners. We will continue to audit new additions to the code for the remainder of the insurance policy term (12 months). Should the insurance policy be extended, the continued audits will be extended as well.
A total of 1024 lines of code were audited among the contracts listed below:
These contracts were audited from the repo at this commit hash: voxfinance/vox2.0-protocol@9c94722 (Initial commit, GitHub)
Please see the attached images below on the results of the audit.
For reference, the full audit report can be found at the following IPFS link: https://beige-safe-chipmunk-848.mypinata.cloud/ipfs/QmQ3XuAdgRz41JDMrYDWNMjAwRKNwJTAK861dsXZX5op3A
Service Fees for UnoRe DAO services are as follows:
Audit cost split among auditors: 10,000 USDC
Active Monitoring fees: 2,000 USDC
WatchDog Fees including premium: 10,000 USD in VOX tokens*
Bounty Fee: 2,000 USD in VOX tokens*
*VOX tokens at the rate on 21st of March 2023
A special thank you to our Independent Auditors chrisdior4, ddimitrov22 and Dev77.
As per the UnoWatchDog program, UnoRe will be actively monitoring all of Vox Finance's contracts to prevent hacks before they occur. After thorough backtesting of our threat mitigation systems, this approach has proven to block a high number of recent hacks and, in some cases, recover stolen assets.
UnoRe’s threat prevention systems will be actively monitoring the following:
- Tracking of key functionalities within covered contracts
b. VoxLiquidityFarm - https://arbiscan.io/token/0x87195340478b792cfb0986450c39b64846867716#code
c. VoxStakingPool - https://arbiscan.io/token/0x0B21cfbe22b5730f050c2787379a8263FCCd276b#code
d. VoxSwapManager - https://arbiscan.io/token/0xe84713bE6d41475429bA65A6092973595b7b286A#code
e. VoxTokenAirdrop - https://arbiscan.io/token/0x3279C1D0a34D60B84BCcba55EE08d220032958aF#code
f. VoxVestingWallet - https://arbiscan.io/token/0x6aa60fAA7e3A9c6B8468634546AB684F1bb5160f#code
- Tracking of VOX token transfer txns which are above 5,000 VOX2 tokens. (Helps monitor sandwich attacks)
- Tracking and monitoring of owner/admin wallets - Setup via Arkham Intel and Aegis
- Uniswap v2 fork hack monitoring - Uno-Re/unore-audit-whitelist-integrations (GitHub): Protocols audited and whitelisted by UnoRe
- Withdrawals above 1,000 VOX tokens from Vault contracts
- MEV searcher scripts for detecting malicious transactions and front-running - Setup via Arkham Intel and Aegis
Even though Vox has passed a thorough audit review, it can still be prone to attacks that have never been documented before. Monitoring the contracts is an additional step we take to help prevent hacks in edge-case scenarios where the hacker is still able to steal assets.
Total Coverage Amount: $100k USD
Individual Claim Limit: $5,000
Individual Deductible: $100
Claims: SSIP pool Assets (USDC, USDT, UNO, ETH)
In the rare event an UnoWatchDog client is hacked and funds are non-recoverable, UnoRe will cover losses for each user up to the total coverage amount and up to the set individual claim limit, less the individual deductible shown above. The insurance policy follows the same exclusions and conditions as our original smart contract cover wording found in our Gitbook here. In addition to the exclusions listed on Gitbook, any loss due to centralization risks of the VOX protocol will not be covered, as stated in the audit report. This is due to the high degree of centralization risk within the protocol. Any losses due to sandwich attacks will also not be included in the cover policy. Unlike the insurance policies listed in our cover portal, users will not be required to take any further action to be covered. Users will automatically be covered if a loss were to occur, and will not be required to file a claim for it to be processed.
Zero Day Reporting
The Uno Re protocol, in collaboration with the VOX Finance protocol, will be running an active Zero Day reporting and bug bounty program for security researchers and whitehats who find Critical and High issues with the protocol. Zero Day is a monitoring program initiated once the audit phase is over. The researchers submit zero-day and other exploits, ensuring a continuous vulnerability assessment process.
Scope and rewards
The program’s scope remains the same as the audit. We would then categorize the vulnerability into critical, high, and medium. These reports would be based on exploits that could lead to:
- Direct Fund loss
- Permanent freezing of user’s stakes
- Theft of unclaimed rewards
- Preventing users from claiming due rewards
- Miner-extractable value and more
Disclaimer: Uno Re and the Vox Finance protocol team would decide the payout for these vulnerabilities. The amount for the payout would be proportional to the severity and nature of
How to report a 0day Vulnerability:
Whitehats can privately report 0day vulnerabilities by creating a ticket in the private Discord channel specifically for whitehats. Please get in touch with admins in the UnoRe Discord server to join the whitehat private channel.
After creating the ticket, whitehats can submit a report explaining the following:
- severity of the issue
- impact of the issue
- description of the issue
- possible fix for the issue
Conclusion and next steps: The internal audit of Vox Finance was successful, and our active monitoring systems are live. The insurance policy will also go live by the end of the week, and will not expire until the end of May 2024. The renewal of the policy at the end of its term is subject to approval by the UnoRe DAO at a future date. After this proposal passes, Vox Finance will be added to our list of UnoWatchDog clients.
Disclaimer: The Watch Dog program does not have any influence on any project's token price. Being a Watch Dog client does not mean we endorse the project's token or coin. UnoRe does not give out financial advice and can neither confirm nor deny whether the token in question is a good investment.