Arkham Intel Security Smart Contract Audit

Summary

The Arkham Intel Exchange Bounty Contract helps facilitate the creation, submission, and payout of bounties. Users can create bounties by escrowing the desired ARKM token reward amount to the contract. Users can claim a bounty by submitting a hash of their solution along with some ARKM as collateral. An Approver then reviews the provided solution. If the solution is valid, the bounty is paid out. Otherwise, the collateral is added to the bounty reward. If no valid solutions are submitted by the bounty expiration, the bounty is refunded to the initial proposer. A fee is collected on both bounty creation and bounty payouts. The submission hashes point to solutions stored off-chain (on the Arkham platform for this version). The solution review process is also performed off-chain and is outside the scope of this audit. We found issues relating to permissions and faulty accounting during the audit. Excess funds are locked in the Bounty contract (ARK-1) and the full submission collateral is not refunded (ARK-6). It is possible for a user to become an Approver and approve their own bounty submissions (ARK-2) and a user can submit entries to their own bounty to claim accrued submission stakes (ARK-3). Other vulnerabilities are detailed in the full report. The protocol makes trust assumptions to the Arkham team and potential future third-parties. We encourage users to refer to ARK-5 and ARK-14 for a detailed overview. The code is well-documented and has strong test coverage. The Arkham team was in communication and was helpful in answering any questions over the course of the audit.

Project