Back to digitizeworx's contests

Brahma - digitizeworx's results

Brahma Console is a custody and DeFi execution environment.

General Information

Platform: Code4rena

Start Date: 13/10/2023

Pot Size: $31,250 USDC

Total HM: 4

Participants: 51

Period: 7 days

Judge: 0xsomeone

Id: 295

League: ETH

Brahma

Findings Distribution

Researcher Performance

Rank: 48/51

Findings: 1

Award: $14.47

Analysis:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryBrahma

Findings Information

🌟 Selected for report: niroh

Also found by: 0xDetermination, 0xSmartContract, 0xbrett8571, 0xdice91, 0xweb3boy, Bauchibred, Bube, DadeKuma, JCK, K42, LinKenji, Myd, SAAJ, ZanyBonzy, albahaca, castle_chain, catellatech, digitizeworx, emerald7017, fouzantanveer, hunter_w3b, invitedtea, m4ttm, rahul, xiao

Awards

14.466 USDC - $14.47

Labels

analysis-advanced
grade-b
sufficient quality report
A-14

External Links

Link to GitHub issue

Brahma Console Codebase Analysis

Overview

Brahma Console is a custody and DeFi execution environment built on Gnosis Safe contracts. It provides users with automation and isolation via Console Accounts and SubAccounts. This report analyzes the codebase architecture, security, and risks.

Architecture

Brahma Console consists of core contracts like AddressProvider, registries, and services. It also utilizes external contracts from Gnosis Safe and other DeFi protocols.

Key Contracts

  • AddressProvider - Single source of truth for contract addresses
  • PolicyValidator - Validates policy signatures on transactions
  • TransactionValidator - Additional transaction validation logic
  • SafeDeployer - Deploys Console Accounts and SubAccounts
  • WalletRegistry - Maps wallets and subaccounts

Architecture Recommendations

  • Modular architecture makes components reusable and upgradable
  • Separation of concerns between core contracts
  • Use of well-audited external contracts like Gnosis Safe reduces risk

Security Analysis

Access Control

  • AddressProvider governance is transferrable but protected against unauthorized access
  • Role-based access control used in some registries like ExecutorRegistry
  • Main Console Account has override capabilities and full control

Validation

  • PolicyValidator provides validation of policy signatures
  • TransactionValidator hooks provide additional transaction validation
  • Main Console can override validation checks which acts as a kill switch

SubAccount Isolation

  • SubAccounts have restricted Operator access and enabled modules
  • Main Console Account stays enabled and can regain control
  • Critical configurations are immutable from SubAccount level

Risk Analysis

Centralization Risks

  • Reliance on core contracts like AddressProvider for resolving addresses
  • Some roles like Guardians have centralized control over ecosystem

Systemic Risks

  • Bug in Gnosis Safe or other external contract could impact security
  • Compromise of core contracts like AddressProvider would be serious

Code Quality

  • Use of libraries and constants reduces risk surface
  • Latest Solidity version 0.8.19
  • Tests provide good coverage

Conclusion

The Brahma Console codebase demonstrates good security practices like role-based access control, validation, and modular architecture. Main Console override capabilities provide a centralized kill switch. While reliance on core contracts introduces some centralization, the overall approach reduces systemic risk.

Suggestions

  • Consider using a DAO for some centralized roles like Guardians
  • Expand test coverage for core contracts and integrations
  • Formal verification of critical contracts could prove security properties
  • Runtime checks for policy and module immutability on SubAccounts

Time spent:

3 hours

#0 - c4-pre-sort

2023-10-22T21:15:55Z

raymondfam marked the issue as sufficient quality report

#1 - alex-ppg

2023-10-27T13:27:18Z

The report is decent and lays out correct points, however, they are items that do not necessarily indicate in-depth insight into the Brahma project.

#2 - c4-judge

2023-10-27T13:27:24Z

alex-ppg marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter