Security & Audits

EUROe smart contracts are developed by Membrane Finance in close collaboration with Equilibrium. In addition to thorough internal testing and auditing, all of our production code is audited by third parties.

Audits

Concordium Implementation

The EUROe smart contracts for Concordium have been developed with help from the Concordium Foundation. The contracts have been subjected to multiple rounds of Membrane's internal reviews in addition to two reviews from the Concordium Foundation.

The smart contracts have been formally audited by Sigma Prime as of commit hash 8c26692. The smart contracts have not been modified since the audit as of 22 Dec 2023, except for commit 6b87d34, which changed the visibility of UnBlocklistParams, and a change in the metadata URL.

The full audit report is available for download here. Alternatively, you can view the report on Sigma Prime's GitHub here.

EVM Implementations

The EUROe Stablecoin smart contracts were audited by PeckShield in July 2022 and by Runtime Verification in December 2022. Please find below a complete list of the audits, a summary of findings, and the smart contract changes between and after the audits. Audits have been bolded.

2022/07 PeckShield
PeckShield completed an audit of the initial EUROe Stablecoin smart contracts in July 2022. At this point the contracts were called "eEURO Token", instead of EUROe, hence the discrepancy in naming.

The audit was started at commit b011a0d and concluded at commit 02bb9c7, with changes reviewed up until that commit.

PeckShield found 1 medium and 1 informational finding. The former was confirmed and the latter resolved.

The full audit report is available for download here. Alternatively, you can view the report on PeckShield's GitHub here.

Changes from 2022/07 to 2022/12
Since the PeckShield audit in July there have been changes to the smart contracts, including but not limited to:

  1. Added a normal mint function in commit 7c7164f
  2. Renamed eEURO to EUROe in commit 3113259
  3. Added rescuer and burner roles in commit e797a6c
  4. Made further name changes in commit 3a57311
  5. Improved contract documentation in commits 72487d9 and cd94c71
  6. Made a change to the accepted Solidity compiler versions in commit f11328c
  7. Added a gap to add new variables without shifting down storage in the inheritance chain in commit d194177
  8. Removed support for the renounceRole() function in commit 4868177

Changes in other commits have focused on deployment scripts, tests, and documentation.

2022/12 Runtime Verification
Runtime Verification completed an audit of the EUROe stablecoin contracts in December 2022. They quickly raised an informational issue on adding a gap to improve contract upgradability, which was implemented in d194177. Furthermore, an issue with role renunciation was raised and a fix was implemented in 4868177.

The audit formally commenced at commit 4868177.

One high severity finding was raised along with four informational findings. All findings have been addressed since the audit.

The following commits addressed the findings of the Runtime Verification:


The full audit report is available for download here. Alternatively, you can view the report on Runtime Verification's GitHub here.

Changes after 2022/12
There have been no changes to the smart contract logic since the Runtime Verification audit in 2022/12, except for change #2 below. The following smart contract changes have been implemented since the audit:

  1. A commit (2abb003) was mistakenly made to the main branch and was reverted in commit 053522d. Following the incident we have turned on branch protection in all public repos. All production repos had branch protection turned on.
  2. Changed the state mutability of an overridden function in commit 255439f
  3. Added a legal disclaimer to the contract & modified NatSpec in commit a64c0b9

Solana Implementation

EUROe is implemented as a standard SPL token. For more information about the SPL Token Program, please visit the Solana Program Library (spl.solana.com).

Security & Bugs

EUROe has an active bug bounty. Please refer to our Security and Bugs page for information regarding bug bounties and EUROe security.

Testing

All EUROe systems, including the stablecoin, are subject to rigorous internal and external testing before release. Our testing process includes, but is not limited to, automated unit and E2E tests along with manual review and code & logic audits. All production code is internally peer reviewed. Furthermore, we place a heavy emphasis on system security. Hence, all smart contracts are audited by third parties.

EVM Implementation JS Tests

You can find the automated stablecoin tests on GitHub. The test coverage report is available on GitHub as a PDF.

EVM Implementation Foundry Tests

In addition to the JS tests provided above, which are actively maintained, a limited set of Foundry tests is provided in the feat/foundry_tests branch, available on GitHub.

Solana Implementation Tests

Automated unit & integration tests for the Solana implementation are not publicly available.