CertiK’s Smart Contract Audit for MYKEY’s Ethereum Chain

CertiK | Dec 2, 2019


MYKEY Lab is a self-sovereign identity system built on multiple public blockchains. Based on the underlying protocol called Key ID, MYKEY Lab aims to be a full stack asset management platform through three key features:

  1. Multi-Chain Wallets: Compatible with multiple smart contract platforms
  2. The Web of Trust: Formulates a Web of Trust based on Verifiable claims between IDs
  3. Safe Data Storage: Decentralized data enclave guarded by ID accounts

Users on the platform are able to control their assets autonomously by freezing or restoring accounts when private keys get lost. Additional functionalities include a universal ID name, anti-spamming, protocol upgradability, comprehensive design for enhanced security, and others.

MYKEY Lab’s Blockchain Application Development

MYKEY Lab builds a one-stop digital life platform for users through digital currency storage, trading, wealth management, and games and communities.

The multi-chain wallet supports multiple smart contract platforms while providing features such as:

  1. Creating wallet
  2. Signing a transaction
  3. Multi-signing
  4. Managing crypto assets
  5. Submitting proposals
  6. Restoring key

In order to ensure a smoother multi-chain wallet process, MYKEY Lab will be able to run on many popular blockchains. MYKEY was launched on EOS during early 2019 and is also set to launch on the Ethereum blockchain by the end of this year. Since each MYKEY account exists in the form of smart contracts, the wallet can’t support blockchains without smart contract features.

In the Web of Trust, MYKEY Lab returns the data sovereignty to the user, which fundamentally protects the user’s privacy rights. Each account contains a universal and unique ID name, an identity account file, and a decentralized secure data enclave controlled by a smart contract.

Due to the open source nature of smart contracts and blockchain, the project chose to work with CertiK to audit the design and implementation of their smart contracts for the release on the Ethereum Network!

To ensure comprehensive protection, the source code was analyzed by CertiK’s Formal Verification engine and manually reviewed by smart contract experts and engineers.

MYKEY System & Workflow Overview

For each MYKEY account, there is a corresponding AccountProxy contract address, which is not an externally owned account. When a new MYKEY account is created, MYKEY Lab is set as one of the backup keys by default; users can add more backup keys later.

All MYKEY Lab user related data is stored in the AccountStorage contract, including the account admin key, 6 backup operation keys, delayItem, and multi-sign Proposal items.

Similarly, all Logic Modules include transfer, multi-signing proposal, dapp, and account related logic. The LogicManager, which handles all logic contract upgrades, allows contracts to be upgraded for business expansion and vulnerability fixes.

The diagram below shows the smart contract wallet design’s workflow process.

Additional Post Audit Recommendations

After careful review of the source code, CertiK recommended a few minor changes that MYKEY Lab updated.

  1. It is best practice to use the pull-over-push pattern for ownership transfer. OpenZeppelin’s Ownable contract is a good reference for consideration.
  2. CertiK recommends emitting event logs for state-changing functions. Not only is it effective for history tracing and user behavior analysis, but it is also safer, as users can trigger external calls from outside the contract and not necessarily go through enter().
  3. Given that close() can invoke selfdestruct, a very low-level opcode, CertiK recommended omitting the function to prevent any future vulnerability.
  4. The function isActionWithDualSigs() should be changed to a modifier.
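
Recommendations 1, 2 and 4 sketched together as an added Solidity example; this is not MYKEY's or CertiK's code, and the contract, function and event names are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract, not MYKEY's code. All names here are hypothetical.
contract TwoStepOwned {
    address public owner;
    address public pendingOwner;

    // Events give off-chain monitors a trace of every state change,
    // whichever entry point the caller used.
    event OwnershipTransferStarted(address indexed currentOwner, address indexed proposedOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    // Access check written as a modifier, so it is declared in the
    // function signature instead of being repeated in each body.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Step 1 (push side): the owner only nominates a successor.
    // Ownership does not move yet, so a mistyped address can be
    // corrected by nominating again.
    function proposeOwner(address proposed) external onlyOwner {
        pendingOwner = proposed;
        emit OwnershipTransferStarted(owner, proposed);
    }

    // Step 2 (pull side): the nominee must call from the nominated
    // address, which proves that address can sign transactions.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "caller is not the pending owner");
        address previous = owner;
        owner = pendingOwner;
        pendingOwner = address(0);
        emit OwnershipTransferred(previous, owner);
    }
}
```

With a single-step transfer, a wrong address locks the contract's admin functions permanently; here the old owner stays in control until the new one accepts.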

Overall we found the smart contracts to follow good practices. With the final update of source code and delivery of the audit report, we conclude that all contracts are structurally sound and not vulnerable to any classically known anti-patterns or security issues.

About CertiK

CertiK leads blockchain security by pioneering the use of cutting-edge Formal Verification technology on smart contracts and blockchains. Unlike traditional security audits, Formal Verification mathematically proves program correctness and hacker-resistance. CertiK was founded by Computer Science professors of Yale University and Columbia University, securing over $5B in assets, including many of the world’s top projects.

The research efforts of CertiK have received grants from IBM and the Ethereum Foundation, and notable investors include Binance Labs, Bitmain, Lightspeed Venture Partners, Matrix Partners, and NEO Global Capital, among others.

To request the audit/verification of your smart contracts, please email audit@certik.org or visit certik.org to submit the request.
