Omniscia Keyko Audit

Impact Market Community System Security Audit

We were tasked with performing a security audit on the autonomous community management system by Keyko, featuring asset management, a merkle claim system, and almost every contract deployed behind a proxy pattern.

The community implementation in particular is an upgrade to their V1 implementation, and a backwards compatible code upgrade has been performed on the community administrator contract as well.

Over the course of the audit, we identified a significant degree of centralization across the whole system: all assets held by the contracts are at the full discretion of the contract owners, which can be deemed an undesirable trait in some of the contracts, if not all of them.

Additionally, we noted some potential misconceptions about the backwards compatibility portion, as well as misuse of inherited upgradeable and non-upgradeable contracts. These should be used as intended, since their current usage can have unexpected consequences, such as the assignment of a role becoming permanent because revoking it is impossible.

Overall, the codebase quality is relatively high and the code is thoroughly documented throughout. We advise the Keyko team to apply remediations to all the findings we have identified, to raise the quality as well as the security of the codebase another step further.

Files in Scope                               Repository            Commit(s)
Community.sol (COM)                          impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
CommunityAdminProxy.sol (CAP)                impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
CommunityAdminImplementation.sol (CAI)       impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
DonationMinerProxy.sol (DMP)                 impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
DonationMinerImplementation.sol (DMI)        impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
IPCTToken.sol (IPC)                          impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
IPCTDelegate.sol (IPT)                       impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
IPCTTimelock.sol (ICT)                       impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
IPCTDelegator.sol (IPD)                      impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
ImpactProxyAdmin.sol (IPA)                   impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
ImpactLabsVestingImplementation.sol (ILV)    impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
MerkleDistributor.sol (MDR)                  impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
TreasuryProxy.sol (TPY)                      impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0
TreasuryImplementation.sol (TIN)             impact-market-token   99cb6179c2, 96d70022f6, 9752cd1cd0

During the audit, we filtered and validated a total of 2 findings utilizing static analysis tools, and identified a total of 32 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: