Memeswap.fi is a DEX tailored specifically for the trading & launch of meme tokens. It operates as an alternative AMM platform, particularly focusing on the trend of meme token launches
QuillAudits executed an in-depth audit of Memeswap, identifying and rectifying 19 critical vulnerabilities, significantly bolstering the platform’s security and performance.
Memeswap offers a user-friendly interface for trading meme tokens, allowing users to swap, add, and remove liquidity effortlessly. With its focus on decentralization, Memeswap ensures that all trades occur on-chain, with no middleman or centralized control, providing a fully transparent and secure trading environment.
Memeswap is a cutting-edge DEX that empowers meme token enthusiasts to trade their favorite assets in a decentralized, low-cost environment. By offering a suite of DeFi tools, including token swaps, liquidity provision, and yield farming, Memeswap caters to the growing community of meme coin traders. The platform ensures that users can trade confidently, with minimal fees and maximum security, making it a go-to platform for anyone involved in the meme token space.
QuillAudits conducted a thorough audit of Memeswap, identifying 19 critical issues that posed significant risks to the platform’s users and overall functionality. The audit focused on the core trading and liquidity functions, aiming to ensure the security and reliability of the platform. Key concerns included malicious contract exploit resulting in protocol shutdown, potential slippage issues, incorrect token calculations, potential DOS vulnerability and inadequate access controls. By addressing these vulnerabilities, QuillAudits has helped Memeswap enhance its security and user experience.
Our methodology for MemeSwap Smart Contracts combines threat modeling, a security-first mindset, and comprehensive testing, including both white-box and black-box methods. We emphasize transparency and clear communication with the MemeSwap team, providing actionable insights and detailed recommendations for swift vulnerability resolution, and ensuring a robust security posture.
Our thorough and extensive audit uncovered 2 High Severity vulnerability, 3 Medium-severity issues, 4 Low-severity issues and 10 informational findings.
Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:
Discovery: A critical vulnerability was identified within the trigger modifier in MemeswapVault contract, a component designed to facilitate the dequeuing of items and the distribution of Ether to the next user in the queue. However, this mechanism proved susceptible to exploitation by malicious actors. Specifically, if the recipient of the Ether transfer is a contract designed to revert transactions via its receive or fallback function, the entire operation collapses. This scenario precipitates a Denial of Service (DoS) condition, effectively paralyzing the protocol and entrapping funds within the contract.
Detailed Breakdown of the Issue:
The exploit unfolds through the following sequence:
Consequences: The ramifications of this vulnerability were profound, culminating in a complete cessation of the protocol's activities. Functions reliant on the trigger modifier became inoperable due to the enforced transaction reversions, thereby obstructing users' abilities to stake, enqueue, rent, or claim rewards. This led to an absolute shutdown of the protocol, rendering it non-functional and resulting in funds being irretrievably locked within the contract.
Discovery: A critical Denial of Service (DoS) vulnerability has been identified within the MemeswapVault contract, specifically pertaining to the logic governing the enqueue and dequeue processes. This vulnerability could potentially render the contract inoperative due to arithmetic underflow or overflow conditions, stemming from the interaction between the dequeuePossible function and the enqueue mechanism.
Detailed Breakdown of the Issue:
Consequences:
Discovery: A critical oversight has been identified within the liquidate function of the MemeswapCollector contract. Specifically, the parameters amountAMin and amountBMin, which are intended to safeguard against excessive slippage during liquidity removal, have been set to zero. This configuration effectively removes any protection against slippage, allowing for up to 100% slippage during the removal of liquidity.
Issue Encountered: A critical oversight has been identified within the liquidate function of the MemeswapCollector contract. Specifically, the parameters amountAMin and amountBMin, which are intended to safeguard against excessive slippage during liquidity removal, have been set to zero. This configuration effectively removes any protection against slippage, allowing for up to 100% slippage during the removal of liquidity.
Consequences: By setting amountAMin and amountBMin to zero, the contract fails to enforce minimum amounts for tokens received from liquidity removal. This lack of enforcement could lead to the removal of liquidity at highly unfavorable rates, potentially resulting in substantial financial losses for participants. Moreover, this vulnerability could be exploited maliciously, leading to unexpected behavior or exploitation of the contract's users.
Issue Encountered: In src/MemeswapTokenFactory.sol, an inherent flaw exists within the initialize() function of the MemeswapTokenFactory contract. This function, designed to initialize the contract, lacks a mechanism to prevent repeated initialization. Consequently, the owner of the contract possesses the capability to call initialize() multiple times, thereby altering critical parameters such as the assignment of the vault.
Impact: The absence of a condition within the initialize() function to verify whether the contract has already been initialized introduces a significant centralization risk. This vulnerability empowers the owner to reassign the vault after its initial assignment, potentially leading to abuse of power. Such centralized control contradicts the decentralized ethos of blockchain technology and poses a risk of manipulation or misuse by the contract owner.
Action:
QuillAudits implemented a validation mechanism within the trigger
modifier to ensure that only externally owned accounts (EOAs) or contracts with safe Ether handling methods could receive transfers.
Outcome:
The fix effectively mitigated the risk of a DoS attack, ensuring the stability and reliability of the dequeuing process. The protocol is now protected against malicious contracts that could previously trigger a shutdown.
Action:
QuillAudits addressed the enqueue and dequeue manipulation by refining the logic in the dequeuePossible
function. They introduced strict checks and balances to prevent conditions that could lead to arithmetic underflow or overflow.
Outcome:
The enhancements prevented the contract from becoming locked and ensured that enqueue and dequeue operations could proceed safely. Users’ funds are now protected from being trapped within the contract, and the protocol's reliability has been restored.
Action:
QuillAudits corrected the zero-value parameters by setting appropriate minimum thresholds for amountAMin
and amountBMin
in the liquidate function.
Outcome:
The risk of excessive slippage during liquidity removal was eliminated, safeguarding users from financial losses. The contract now enforces minimum amounts for tokens received, ensuring fair and secure liquidity operations.
Action:
QuillAudits added a condition to the initialize()
function that prevents repeated initialization. This safeguard ensures that the contract can only be initialized once, and the vault assignment remains immutable after the first initialization.
Outcome:
The centralization risk was significantly reduced, aligning the contract with decentralized principles. The contract owner can no longer manipulate critical parameters after the initial setup, preserving the integrity and trustworthiness of the protocol.
Impressed by our findings and recommendations, the MemeSwap developers promptly addressed all identified vulnerabilities. Through our collaborative efforts, the MemeSwap project is now significantly more secure, ensuring the protection of user funds.
The MemeSwap’s smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the MemeSwap Team has taken a significant step towards securing its platform and safeguarding user trust.
Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!