The scope of the audit was limited to the contracts located in two folders: `account` and `upgradeability`. The code is overall well-written and documented. Quantstamp identified 9 issues: three low-severity, four informational, and two undetermined. No findings of medium or high severity were made. The low-severity issues include missing input validation, transaction front-running, and a potential issue in the `createProxy` logic (which was addressed in `1d2bde8`). The two undetermined findings, block timestamp manipulation and a non-standard proxy implementation, were marked as undetermined because there was not enough data to assess their impact.

**Update**: the team has resolved issues `QSP-2` and `QSP-5` and has improved the documentation. For the remaining findings, the team provided an explanation, and they were marked as "Acknowledged".

**Update 2**: On February 17, the Authereum team received a [disclosure report](https://medium.com/authereum/account-vulnerability-disclosure-ec9e288c6a24) of a vulnerability that was not identified in the audit. The Authereum team quickly triaged the issue, deployed the patched version of the contract, and ensured that users retained ownership of their accounts. No funds were lost. The issue was fixed in commit [fdff18c](https://github.com/authereum/contracts/commit/fdff18cb7296da54b5a829d8372b1a57840e04ce). We acknowledge [samczsun](https://twitter.com/samczsun) for the disclosure report.
| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 9 | - | - | - | 9 |
| Fixed | - | - | - | - | 0 |
| Total | 9 | 0 | 0 | 0 | 9 |