ViWo Info
ViWo — a revolutionary digital platform proudly created and owned by SmarTech LLC, a USA-verified technology innovator with over 17 years of excellence. ViWo fuses social media, decentralized marketplaces, and blockchain technology into one seamless ecosystem. Powered by V-Coin, ViWo lets users monetize content, trade digital and physical products, and grow their wealth — all with zero transaction fees. With eco-friendly initiatives and immersive Augmented Reality (AR) integration, ViWo is built for the future.

TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
Security Assessments
Summary and Final Words
No crucial issues found
The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.
Ownership is not renounced
Contract can be manipulated by owner functions.
Contract is upgradeable
The contract uses a proxy pattern or similar mechanism, enabling future upgrades. This can introduce risks if the upgrade mechanism is not securely managed.
Scope of Work
This audit encompasses the evaluation of the VCoin token implementation project, including token creation, distribution, presale, and vesting management modules. The codebase consists primarily of TypeScript modules interfacing with Solana's Token-2022 program.
The auditing process consists of the following systematic steps:
- Documentation Review: Analysis of provided technical documentation and security audit guide to fully understand the project's architecture, component interactions, and security requirements.
- Manual Code Examination: Thorough module-by-module review of the VCoin implementation, focusing on security-critical components like keypair management, token transfers, and authorization checks.
- Implementation Validation: Verification that the code accurately implements the intended token features, security controls, and error handling as specified in the documentation.
- Test Coverage Assessment: Evaluation of the extensive test suite (94% statement coverage, 81% branch coverage) to identify any potential gaps in security testing.
- Static Analysis: Utilization of static analysis tools including Qodana to identify code quality issues and potential vulnerabilities through automated means.
- Security Control Evaluation: Assessment of cryptographic implementations, validation mechanisms, error handling, and authority verification against established security best practices.
- Actionable Recommendations: Provision of specific and prioritized recommendations to address identified vulnerabilities, with an emphasis on private key management, authority verification, and data integrity enhancements.
Our security audit covers the TypeScript implementation as provided. The audit specifically focuses on the backend code and does not include review of any smart contracts or on-chain programs beyond their interaction points with this codebase.
Final Words
The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.
The VCoin implementation demonstrates strong security improvements since the initial audit, with significant enhancements to key management, input validation, cryptographic operations, and price oracle implementation. The codebase maintains a well-structured, modular architecture and now shows advanced security awareness through its implementation of encryption, digital signatures, and comprehensive rate limiting.
Our assessment found that most critical and high-severity issues have been successfully addressed, with only minor concerns remaining. The most significant improvements involve authority verification, transaction synchronization, and enhanced security mechanisms.
Technical Assessment
The code architecture continues to follow good separation of concerns with utilities centralized in common modules. Security improvements are evident in the implementation of AES-256-GCM encryption for keypair storage, proper digital signatures for metadata integrity, and robust fallback mechanisms for price oracles.
Key improvements include:
- Encrypted storage for sensitive keypair information
- Masked command line input for private keys
- Multi-source price oracle implementation with fallbacks
- Comprehensive rate limiting for financial operations
- Proper path traversal protection and input validation
- Thread-safe file operations with proper locking mechanisms
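As an added illustration of the AES-256-GCM keypair storage mentioned above (this is not the VCoin code), the sketch below encrypts a secret key under a password-derived key and refuses to decrypt if anything was altered. The envelope fields, the scrypt key derivation, the use of the keypair name as associated data and all function names are assumptions made for this example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

// Hypothetical on-disk envelope that replaces a plaintext keypair JSON file.
interface EncryptedKeypair {
  salt: string; // base64, random per file, input to scrypt
  iv: string;   // base64, 96-bit GCM nonce, fresh for every encryption
  tag: string;  // base64, 128-bit GCM authentication tag
  ct: string;   // base64, ciphertext of the secret key bytes
}

// Derive the 32-byte AES key from the password (scrypt, Node's default cost parameters).
function deriveKey(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function encryptKeypair(secretKey: Uint8Array, password: string, name: string): EncryptedKeypair {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(name, "utf8")); // bind the ciphertext to the keypair name
  const ct = Buffer.concat([cipher.update(secretKey), cipher.final()]);
  const b64 = (b: Buffer) => b.toString("base64");
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Throws if the password, name, ciphertext, nonce or tag does not match what was encrypted.
function decryptKeypair(env: EncryptedKeypair, password: string, name: string): Uint8Array {
  const raw = (s: string) => Buffer.from(s, "base64");
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(password, raw(env.salt)), raw(env.iv));
  decipher.setAAD(Buffer.from(name, "utf8"));
  decipher.setAuthTag(raw(env.tag));
  return new Uint8Array(Buffer.concat([decipher.update(raw(env.ct)), decipher.final()]));
}

// True only when the envelope authenticates and decrypts under this password and name.
function opens(env: EncryptedKeypair, password: string, name: string): boolean {
  try { decryptKeypair(env, password, name); return true; } catch { return false; }
}
```

Because GCM authenticates as well as encrypts, a wrong password, a renamed file or a modified ciphertext all fail at `decipher.final()` instead of yielding garbage key bytes.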
Audit Checklist Completion
Our re-audit has verified significant progress on all items from the VCoin Security Audit Guide:
- Keypair Management: ✅ Fixed critical issues with storage and handling through encryption
- Transaction Security: ✅ Fixed with improved balance verification and transaction synchronization
- Input Validation: ✅ Fixed gaps in path validation and public key input handling
- Authorization: ✅ Fixed with standardized verification functions consistently used
- Error Handling: ⚠️ Partially fixed with custom error types but inconsistent application
- File System Operations: ✅ Fixed issues with permission settings, path validation and synchronization
Recommendations
We recommend addressing these remaining improvements before production deployment:
- Standardize error handling with consistent use of custom error types
- Improve API error logging to capture complete error details
- Make timeout values for network requests configurable
With these improvements, the VCoin implementation will provide a robust security posture appropriate for a financial application handling user assets.
Note - This Audit report consists of a security analysis of the VCoin backend. This analysis did not include functional testing (or unit testing) of the contract's logic. Moreover, we only audited the codebase for the VCoin team. Other systems associated with the project were not audited by our team. We recommend investors do their own research before investing.
Findings and Audit result
critical Issues | 1 finding
Resolved
#1 critical Issue
Unprotected Private Key Input
The function getKeypairFromPhantom() accepts private keys directly from command line input, exposing keys to command history, process listing, and potential shoulder surfing.
high Issues | 4 findings
Resolved
#1 high Issue
Unencrypted Storage of Keypairs
Private keys are stored as unencrypted JSON files, making them vulnerable if the filesystem is compromised.
Resolved
#2 high Issue
Inconsistent Authority Verification
The codebase uses different methods to verify authorities - publicKey.equals() in some places and string comparison in others, which can lead to inconsistent security enforcement.
Resolved
#3 high Issue
Weak Metadata Integrity Protection
The metadata integrity is only protected by a SHA-256 checksum without binding to the authority, allowing potential tampering if the checksum is known. Relying solely on a checksum (without digital signatures) can be less robust, especially if an attacker can recalculate and update the checksum.
Resolved
#4 high Issue
Mock Oracle Usage Without Warning
Price conversion uses a mock function getUsdToSolRate() that returns a hardcoded value (50) without any indication that it's not a real oracle.
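To make high issue #3 (Weak Metadata Integrity Protection) concrete, the added example below, which is not taken from the audited code, compares a stored SHA-256 checksum with an Ed25519 signature made by the authority. The metadata fields, the canonical serialization, the function names and the freshly generated stand-in authority key are assumptions for this example.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Hypothetical metadata shape; field names are assumptions for this example.
interface Metadata { name: string; symbol: string; uri: string }

// Fixed field order so signer and verifier process identical bytes.
function canonical(m: Metadata): Buffer {
  return Buffer.from(JSON.stringify([m.name, m.symbol, m.uri]), "utf8");
}

// Checksum only: detects accidental corruption, not a deliberate edit, because
// whoever can rewrite the metadata can also rewrite the stored digest.
function checksum(m: Metadata): string {
  return createHash("sha256").update(canonical(m)).digest("hex");
}
function checksumValid(m: Metadata, stored: string): boolean {
  return checksum(m) === stored;
}

// Signature: Ed25519 over the same bytes, made with the authority's private key
// and checked against the authority's public key, which the editor does not control.
function signMetadata(m: Metadata, authorityKey: KeyObject): Buffer {
  return sign(null, canonical(m), authorityKey);
}
function signatureValid(m: Metadata, sig: Buffer, authorityPub: KeyObject): boolean {
  return verify(null, canonical(m), authorityPub, sig);
}

// Constructed scenario: the stored metadata is edited and its checksum recomputed.
function compare() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519"); // stand-in authority key
  const original: Metadata = { name: "Example Token", symbol: "EXM", uri: "https://example.invalid/a.json" };
  const sig = signMetadata(original, privateKey);
  const edited: Metadata = { ...original, uri: "https://example.invalid/b.json" };
  return {
    checksumAcceptsEdit: checksumValid(edited, checksum(edited)),
    signatureAcceptsOriginal: signatureValid(original, sig, publicKey),
    signatureAcceptsEdit: signatureValid(edited, sig, publicKey),
  };
}
```

The verifier must obtain the authority's public key from a source the metadata file cannot influence; a key stored next to the metadata gives no more assurance than the checksum did.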
medium Issues | 6 findings
Resolved
#1 medium Issue
Race Conditions in Token Transfer and Vesting Operations
The codebase lacks proper synchronization mechanisms when performing token transfers and vesting operations. Multiple concurrent operations could lead to data corruption, lost updates, double-spending, or duplicate vesting releases due to the load-process-save pattern used without any locking mechanisms.
Resolved
#2 medium Issue
Lack of Rate Limiting on Presale Purchase Endpoint
The presale purchase functionality currently does not enforce rate limiting, which could allow an attacker to flood the system with requests. Rapid, repeated calls to processPurchase in presale.ts might lead to a denial of service or allow brute force purchase attempts.
Resolved
#3 medium Issue
Path Traversal Protection Weaknesses
Path validation in validateKeypairName() uses string includes() checks which may be bypassed with certain inputs.
Resolved
#4 medium Issue
Missing Vesting Token Balance Verification
The executeRelease() function doesn't verify if there are sufficient tokens before attempting a transfer.
Resolved
#5 medium Issue
Inadequate Password Generation for Production Use
The generateRandomPassword function in utils.ts is used for generating passwords when creating encrypted keypairs, but it triggers a console warning about not being suitable for production use.
Resolved
#6 medium Issue
Lack of Signature Verification for Configuration Files
The authority-controls.ts file implements signed configurations, but the signature verification may not be performed consistently across all code paths.
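For medium issue #3 (Path Traversal Protection Weaknesses), one way to replace substring checks is an allowlist on the name followed by a containment check on the resolved path. This is an added example, not the project's validateKeypairName(); the directory, the naming rule and the function names are assumptions.

```typescript
import * as path from "node:path";

// Hypothetical storage directory and naming rule; neither is taken from the audited code.
const KEYPAIR_DIR = path.resolve("keypairs");
const NAME_RE = /^[A-Za-z0-9_-]{1,64}$/; // letters, digits, "_" and "-" only

// Allowlist first, containment second. Substring checks enumerate what is forbidden;
// the regex enumerates what is permitted, so anything unforeseen is rejected by default.
function resolveKeypairPath(name: string): string {
  if (!NAME_RE.test(name)) {
    throw new Error("invalid keypair name");
  }
  const full = path.resolve(KEYPAIR_DIR, `${name}.json`);
  // Defence in depth: even if NAME_RE is loosened later, the resolved path must stay in KEYPAIR_DIR.
  const rel = path.relative(KEYPAIR_DIR, full);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error("path escapes keypair directory");
  }
  return full;
}

// Convenience wrapper for callers that want a boolean instead of an exception.
function isValidKeypairName(name: string): boolean {
  try { resolveKeypairPath(name); return true; } catch { return false; }
}
```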
low Issues | 1 finding
Resolved
#1 low Issue
Insufficient Input Validation for Public Keys
The processPurchase() function doesn't validate that the buyer address is a valid Solana public key before attempting to use it.
optimization Issues | 2 findings
Resolved
#1 optimization Issue
Hardcoded SOL Balance Thresholds
Several modules use hardcoded SOL thresholds (e.g., 0.1 SOL) for balance checks, making them inflexible to network conditions.
Pending
#2 optimization Issue
Inconsistent Error Handling
Error handling varies across modules, with some using the custom handleError() function and others using direct throws or console.error logging.
informational Issues | 1 finding
Resolved
#1 informational Issue
Unsound type guard check
'typeof' check is always false: 'keyName' always has type 'string'