Brahma - DadeKuma's results
Brahma Console is a custody and DeFi execution environment.
General Information
Platform: Code4rena
Start Date: 13/10/2023
Pot Size: $31,250 USDC
Total HM: 4
Participants: 51
Period: 7 days
Judge: 0xsomeone
Id: 295
League: ETH
Findings Distribution
Researcher Performance
Rank: 26/51
Findings: 1
Award: $113.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
Findings Information
🌟 Selected for report: niroh
Also found by: 0xDetermination, 0xSmartContract, 0xbrett8571, 0xdice91, 0xweb3boy, Bauchibred, Bube, DadeKuma, JCK, K42, LinKenji, Myd, SAAJ, ZanyBonzy, albahaca, castle_chain, catellatech, digitizeworx, emerald7017, fouzantanveer, hunter_w3b, invitedtea, m4ttm, rahul, xiao
Awards
113.5407 USDC - $113.54
Labels
External Links
Brahma Analysis
Summary
| Id | Title |
|---|---|
| 01 | High-level architecture |
| 02 | Analysis of the codebase |
| 03 | Architecture feedback |
| 04 | Centralization risks |
| 05 | Systemic risks |
[01] High-level architecture
Console Account Overview
SubAccount Overview
[02] Analysis of the codebase
- The codebase of Brahma is well-structured, with clear rules for different parts of the system
- The roles of various accounts like
Console,Subaccount,Executor, and governance are well-defined, making it easy to understand who does what - The codebase appears very secure and lacks obvious bugs; it makes use of secure and well-known frameworks such as Gnosis Safes
- The codebase quality is very high, well-documented, and follows the best industry practices
- Test quality is high. It is recommended to add some fuzzing tests to cover more corner cases
[03] Architecture feedback
- The system allows easy integration of already existing contracts, permitting users to import any type of contract as a console account
- The use of well-defined guard contracts (
SafeModeratorandSafeModeratorOverridable) adds an extra layer of security, ensuring that transactions comply with established policies - The use of registries, such as
ExecutorRegistry,PolicyRegistry, andWalletRegistry, enhances modularity and flexibility, increasing the separation of concerns - The use of Gnosis Safes as console accounts and subaccounts enhances the security aspect, as they are known to be very secure
[04] Centralization risks
There are several centralization risks:
- Governance is supposed to be private and owned by Brahma. It is recommended to use a DAO instead, allowing users to decide and improve the protocol's decentralization
- Governance can modify several important parameters (e.g., adding authorized addresses, adding new registries...)
[05] Systemic risks
There are several systemic risks:
- It's important to ensure compatibility between all versions of Gnosis safes for console accounts, as any version could be imported, instead of being created through
SafeDeployer - Governance can set important parameters but cannot remove them. In case they have bugs or are malicious, the system will be harmed as a whole
- It's recommended to ensure that Subaccounts can't exploit any loopholes to subsidize their permission through the non-obvious use of Gnosis Safe features
Time spent:
16 hours
#0 - c4-pre-sort
2023-10-22T21:17:59Z
raymondfam marked the issue as sufficient quality report
#1 - alex-ppg
2023-10-27T13:20:47Z
The report is concise, brief, and valid in the items it lays out. A solid example of a great report without necessarily being significant in size.
#2 - c4-judge
2023-10-27T13:20:52Z
alex-ppg marked the issue as grade-a