/Reach Protocol

Off-Chain (Private)

Audited on 2024/02/07

No active critical issues

Summary

The smart contract receives funds through the `receive()` and `createMission()` functions and distributes them per round (or version) to a given set of users determined by a Merkle root. Notably the current design is very centralized and the withdrawal logic depends solely on Merkele roots calculated and provided by off-chain roles, but the audit scope is only for the smart contract itself. The audit team managed to find `6` high-medium severity issues within the smart contract. Since the contract is already live but the project is still in the beta phase, we highly recommend addressing the findings as soon as possible. **2023-11-13 Update:** During our fix-review, the dev team changed the status of most of the findings to either fixed or acknowledged. However, a new medium severity issue "`createDistribution()` Does Not Support `_paymentType`" has been found during the review.

Project

Reach Protocol

Ethereum

Issues (15)

	Low	Medium	High	Critical	Total
Not fixed	5	5	1	-	11
Fixed	3	1	-	-	4
Total	8	6	1	0	15

/Reach Protocol

Summary

Issues (15)

Centralized Power / Security Mainly Depends on Off-Chain Component not_fixed/high

`createDistribution()` Does Not Support `_paymentType`not_fixed/medium

Centralized Power / A Malicious Admin Can Deny Claimingnot_fixed/medium

Centralized Power / THe Owner's Power Over the Adminsnot_fixed/medium

Merkle Tree Leaf Format Could Lead to Users Losing Rewardsnot_fixed/medium

Contract (1)