Audit Company
Solidity Finance
Solidity Finance is a smart contract auditor, with 1500+ audited projects under its belt. The project audits tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and other projects based on EVM chains. The main focus of the auditor is Solidity language.
DSA presents a unique series of reports on the smart contract and blockchain app auditor market. This report is published for the first time and is not affiliated with any specific vendor. The DSA expert team has performed an in-depth analysis of the blockchain security providers in the market. For that, a methodology was developed, and specific criteria were selected. The data provided in the report are actual for January 2023.
Contents
The main criteria for auditor review
1
Trustworthiness
At this point, we analyze the team, key players, as well as the experience of the company in the field.
2
Media Presence
In this paragraph, we analyze the social networks of the project, the engagement rate, and media publications.
3
Speed and service
In this paragraph, we analyze the speed of the audit as well as the speed of the team's response to the request.
4
Expertise
At this point, we analyze the company's experience with different networks, technological advancements, as well as additional services.
5
Price
In this paragraph, we analyze prices and additional services (We send the same sample contract to every auditor), sales, promo offers, bonuses, discounts, and legal transparency.
6
Quality
In this paragraph, we analyze audit quality, report analysis, and user experience.
Categories and sub-categories
6 categories are present in the review and each may be divided into sub-categories. Each category is evaluated to receive from 1 to 10 points. The same rule applies to each sub-category and the arithmetic mean value of the sub-categories will become a result of the main category. The main result will be calculated in the same manner.
Trustworthiness
- Team members' separate experiences in the field
- Current team’s experience in the field
- Company experience (years of service, date of the first audit)
Media Presence
- Social media (engagement rate, further – ER)
- Media publications
Speed
- Audit speed
- First response speed (from a real person)
- Follow-up response speed
Expertise
- What blockchains does the company audit (rare chains and language get an additional point)
- Technological advancements (developments, tools, automated tools)
- Services (KYC, Incident research, marketing)
Price
- Prices and additional services (We send the same sample contract to every auditor)
- Sales, promo offers, bonuses, discounts
- Legal transparency
Quality
- Audit quality, report analysis
- User experience
Detailed analysis
6 categories are present in the review and each may be divided into sub-categories. Each category is evaluated to receive from 1 to 10 points. Same rule applies to each sub-category and the arithmetic mean value of the sub-categories will become a result of the main category. The main result will be calculated in the same manner.
Trustworthiness
Average score 7,16/10
1
Team members' separate experiences in the field
The leadership team is represented by three members:
Matthew C. Pilsbury - Founder & CEO
Ares Vlahos - Co-Founder & CTO
Dan Johnson - Co-Founder & COO
Each team member has 5+ years of experience in large companies such as Freddie Mac, PSAV, etc.
Matthew C. Pilsbury - Founder & CEO
Ares Vlahos - Co-Founder & CTO
Dan Johnson - Co-Founder & COO
Each team member has 5+ years of experience in large companies such as Freddie Mac, PSAV, etc.
2
Current team’s experience in the field
We have found no proof of members’ experience in smart contract auditing per se, however, some members have worked at Amazon Web Services (AWS).
3
Company experience (years of service, date of the first audit)
According to the company’s LinkedIn page, the project was launched in 2020. According to the list of audited projects on the website, the first audit was released on March 10th, 2021. Still, the disclaimer on the same page states that the list contains only some reports (24). At the same time, the number of audited projects exceeds 1300+ (1500+ according to LinkedIn). It can be assumed that the first audit could’ve been performed around the time the company was founded. The company’s Twitter account supports the claim regarding the number of audits. Announcements and links to the finished reports are published regularly.
Media presence
Average score 4,33/10
1
Social Media
Twitter has a good engagement rating, offering regular posts with quality content (information about past audits with description, new partnerships, news of attacks on various projects, articles on the matter).
Telegram channel doesn’t have a large number of subscribers, neither the engagement rate nor viewing rate would be applicable since the react feature and views are turned off. Unlike Twitter, the Telegram channel offers only announcements and news of audits with a short description of the project.
LinkedIn has a large number of subscribers, compared to similar companies. However, there are no posts there, so it’s impossible to calculate the ER.
Telegram channel doesn’t have a large number of subscribers, neither the engagement rate nor viewing rate would be applicable since the react feature and views are turned off. Unlike Twitter, the Telegram channel offers only announcements and news of audits with a short description of the project.
LinkedIn has a large number of subscribers, compared to similar companies. However, there are no posts there, so it’s impossible to calculate the ER.
2
Media publications
The company was often mentioned in media in 2020-2021. The list of media includes cryptonews, nasdaq, dexplain, coinfomania, etc. Most of the publications were dedicated to tokens or projects that the company was auditing at the time, so mentions were short. We did not locate any publications dedicated solely to the company: no interviews, researches, or articles.
All data is actual at the time of compiling the report in January, 2023.
Twitter - 21.000 subscribers, ER 0.268%
Approximately the account receives:
43.4 likes per tweet
1.8 replies per tweet
19.8 retweets per tweet
Telegram channel - 750 subscribers
LinkedIn - 6.800 subscribers
LinkedIn doesn’t have any posts, so it’s impossible to provide the accurate ER
Twitter - 21.000 subscribers, ER 0.268%
Approximately the account receives:
43.4 likes per tweet
1.8 replies per tweet
19.8 retweets per tweet
Telegram channel - 750 subscribers
LinkedIn - 6.800 subscribers
LinkedIn doesn’t have any posts, so it’s impossible to provide the accurate ER
Speed
Average score 9/10
1
Audit Speed
An audit takes approximately 1 week.
2
First response speed
We contacted the manager via chat and received a response within a minute.
3
Follow-up response speed
After providing the information on the project, the manager responded within 2 hours with a prepared invoice.
Expertise
Average score 3,27/10
1
What blockchains does the company audit
The company does not audit non-EVM networks. According to the manager, they focus on Solidity to achieve a high level of efficiency. The other reason is that the project’s auditors prefer to stay in touch with the latest Solidity trends and updates. That, however, means that Solana and Near users can’t use the company’s services.
2
Technological advancements
There was no information discovered on the matter.
3
Services
Along with auditing services, the company offers the following:
Flash Loans & Arbitrage Threat Mitigation
Formal Verification
Applied Economic Modeling
Low-Level Programming & Assembly
Yield Farming Strategies
EIP/ERC Standards & NFTs
Flash Loans & Arbitrage Threat Mitigation
Formal Verification
Applied Economic Modeling
Low-Level Programming & Assembly
Yield Farming Strategies
EIP/ERC Standards & NFTs
Prices and additional services
Average score 5,8/10
1
Audit prices, affordability
The price for the test project is $6.8k. This is an average price on the market, which is affordable for the majority of projects.
2
Sales, promo offers, bonuses, discounts
After an audit is finalized, the company makes an announcement on its Twitter and Telegram accounts. They also create a separate page on their website, dedicated to the detailed report.
No discounts were offered.
No discounts were offered.
3
Legal transparency
The company provides a legal agreement. Payments can be carried out via a bank transfer, an invoice, fiat currency, etc. on demand.
Quality
Average score 7,6/10
1
Audit quality, report analysis
- Issue description (thoroughness, code examples): YES
- Project description and contracts (what do they do): YES
- Conclusions (automatically generated vs written by specialists): NO
- Recommendations: YES
- Manual audits (a large number of automatically generated audits is a disadvantage): YES
2
User Experience
Users can request the price for their audit via the contact form on the website or through the manager via Telegram. The latter option is a convenient choice that doesn’t call for filling out any forms. It’s especially useful for those who only wish to ask some questions.
The form on the website is also handy without unnecessary fields. There are no usability barriers for potential clients.
The form on the website is also handy without unnecessary fields. There are no usability barriers for potential clients.
Additional Information
Post-audit hacks and attacks
All information is gathered from an open source. Consider that because the company is well-known and audits large, notable projects, the possibility of a hack is increased compared to smaller projects. We are reviewing only the attacks that resulted in the loss of over $100k.
The amount of the lost funds - $54,200,000
The amount of the lost funds - $54,200,000
After the attack, the project’s initial announcement referred to it as “advanced”, however reentrancy vulnerabilities are nothing new.
The price of $GRIM fell 80% after the attack.
Charge DeFi lost 1849 $CHARGE to the same attack vector just hours before…
Was this a serial attacker?
The attack exploited a depositFor() function that hadn’t been protected against reentrancy.
This allowed the hacker to loop additional false deposits within the initial call, vastly increasing their share of the vault.
The Grim Finance team has an ongoing investigation tracking the movement of funds across the attacker’s accounts, and have found links to various CEXs.
Source
The price of $GRIM fell 80% after the attack.
Charge DeFi lost 1849 $CHARGE to the same attack vector just hours before…
Was this a serial attacker?
The attack exploited a depositFor() function that hadn’t been protected against reentrancy.
This allowed the hacker to loop additional false deposits within the initial call, vastly increasing their share of the vault.
The Grim Finance team has an ongoing investigation tracking the movement of funds across the attacker’s accounts, and have found links to various CEXs.
Source
The attacker used flash loans to manipulate the price of the ELEPHANT token during the minting process of the project’s stablecoin TRUNK.
Example tx:
0xec317deb2f3efdc1dbf7ed5d3902cdf2c33ae512151646383a8cf8cbcd3d4577
Firstly, the attacker took flash loans of 131k WBNB and 91M BUSD, the 131,162.00 WBNB was swapped to 34.244e21 ELEPHANT.
TRUNK can be minted by depositing BUSD. During this process, the vulnerable contract first swaps BUSD to WBNB and then uses the WBNB to buy ELEPHANT, raising the price of ELEPHANT. By minting, the attacker both receives TRUNK and increases the value of the ELEPHANT from the previous step.
The attacker then swapped the ELEPHANT, originally acquired for 131k WBNB, to 164k WBNB. Additionally, the attacker redeemed the TRUNK for 37k WBNB and 67M BUSD, making for a total of ~200k WBNB and ~67M BUSD. After returning the flash loans (of 131k WBNB and 91M BUSD), this resulted in a profit of ~$4M
Source
Example tx:
0xec317deb2f3efdc1dbf7ed5d3902cdf2c33ae512151646383a8cf8cbcd3d4577
Firstly, the attacker took flash loans of 131k WBNB and 91M BUSD, the 131,162.00 WBNB was swapped to 34.244e21 ELEPHANT.
TRUNK can be minted by depositing BUSD. During this process, the vulnerable contract first swaps BUSD to WBNB and then uses the WBNB to buy ELEPHANT, raising the price of ELEPHANT. By minting, the attacker both receives TRUNK and increases the value of the ELEPHANT from the previous step.
The attacker then swapped the ELEPHANT, originally acquired for 131k WBNB, to 164k WBNB. Additionally, the attacker redeemed the TRUNK for 37k WBNB and 67M BUSD, making for a total of ~200k WBNB and ~67M BUSD. After returning the flash loans (of 131k WBNB and 91M BUSD), this resulted in a profit of ~$4M
Source
The Revest team were informed of the “exploit at 2:24 UTC from the BLOCKS DAO development team”.
In addition to BLOCKS DAO, substantial losses were also suffered by EcoFi and RENA Finance.
By halting transfers of RVST tokens, the team thwarted the attacker’s attempt (70 secs later) to drain the RVST-ETH pool on Uniswap, avoiding a further $1.15M in losses.
The attacker’s dump of the stolen tokens had a large impact on the price of BLOCKS (initially down >95%, currently down ~80%) and ECO (down ~98%), however the RENA tokens remain untouched in the attackers address.
The root-cause of the attack was due to a reentrancy vulnerability in the ERC1155 minting contract (example tx: RENA)
The function mintAddressLock, used to create new Smart Vaults, contains two critical parameters: quantities and depositAmount.
Revest Vault invokes the mint function of FNFTHandler, to mint quantities of ERC1155(s) with the next fnftId to the recipient(s) which can later be burned in order to claim the position’s proportion of locked tokens. fnftId increments by 1 each time the function is executed.
Source
In addition to BLOCKS DAO, substantial losses were also suffered by EcoFi and RENA Finance.
By halting transfers of RVST tokens, the team thwarted the attacker’s attempt (70 secs later) to drain the RVST-ETH pool on Uniswap, avoiding a further $1.15M in losses.
The attacker’s dump of the stolen tokens had a large impact on the price of BLOCKS (initially down >95%, currently down ~80%) and ECO (down ~98%), however the RENA tokens remain untouched in the attackers address.
The root-cause of the attack was due to a reentrancy vulnerability in the ERC1155 minting contract (example tx: RENA)
The function mintAddressLock, used to create new Smart Vaults, contains two critical parameters: quantities and depositAmount.
Revest Vault invokes the mint function of FNFTHandler, to mint quantities of ERC1155(s) with the next fnftId to the recipient(s) which can later be burned in order to claim the position’s proportion of locked tokens. fnftId increments by 1 each time the function is executed.
Source
Final Score
Considering the results presented in every category, the following points have been assigned:
7,16/10 Trustworthiness
4,33/10 Media presence
9/10 Speed
3,27/10 Expertise
5,8/10 Prices and additional services
7,6/10 Quality
The Final Score:
6,73/10
6,73/10
This is the analytic report in a series of reports on the smart contract and blockchain apps auditor market. Presented to you by DSA, it’s guaranteed impartial and factual information on the most well-known, new, and obscure players.
Follow us on Twitter and be the first to know about new reports
Follow us on Twitter and be the first to know about new reports
Haсken Analysis Report
Hacken Defi Security company was founded in 2017 in Kyiv, Ukraine by security specialists and hackers to deliver cybersecurity solutions to companies and individuals, making histories of success.
RugFreeCoins Analysis Report
A company that conducts smart contract security audits and provides token listing and other related services.