Quantstamp has completed its manual audit of Disciplina’s presale token contracts. Disciplina is a multi-chain blockchain for education and recruitment. It will allow for verified personal profiles based on academic and professional achievements.

Disciplina believes that by storing verifiable data on personal achievements on its blockchain, it can provide benefits to both educational and recruitment fields. Students can show their academic qualifications and achievements to recruiters, and professionals will be able to verify both their education and professional experience. Targeted education also becomes possible: students who achieve certain verifiable milestones can automatically qualify for a certain job.

Quantstamp audited Disciplina’s smart contracts related to its token presale. Quantstamp’s objective was to evaluate the Disciplina ERC20-based contract repository for security-related issues, code quality, and adherence to best practices. We looked for issues such as transaction-ordering dependence, timestamp dependence, mishandled exceptions, call stack limits, unsafe external calls, integer overflow / underflow, and more.

This full-service audit was performed over 5 days by 3 senior engineers from Quantstamp’s auditing team. Using state-of-the-art automated tools to supplement manual processes, we performed an architectural review, functional testing, computer-aided verification, and a manual code review. We found a relatively robust token smart contract with a few minor potential vulnerabilities that could be easily and quickly addressed.

The Disciplina token makes significant use of pre-existing library contracts, specifically from OpenZeppelin. As the Disciplina token is ERC20-compatible, it does exhibit the “standard” ERC20 race condition between approve and transferFrom (mitigated by increaseApproval / decreaseApproval). Furthermore, the contract owner has exclusive control over certain aspects of the smart contract. While this is not a vulnerability, if the contract owner’s private key is compromised, it is possible for an attacker to:

Arbitrarily mint tokens

Add or remove token allowances

Prematurely end the token minting process

As the Disciplina team explained, they favor this design due to its flexibility. As the token contract is meant for the pre-sale stage only, this centralization of control is viewed as a temporary aspect and bears low risk of attack.

Beyond those mentioned above, Quantstamp had no additional findings of potential vulnerabilities at the time of analysis.
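
The approve / transferFrom race noted above, modeled as an added example (not Disciplina's or OpenZeppelin's code): a simplified Python allowance ledger, with hypothetical names, in which the owner lowers a 100-token allowance to 50 while a spend of the old allowance is ordered first. It assumes a decreaseApproval that clamps at zero and shows why the relative change caps the spender at the original 100 tokens where an absolute approve does not.

```python
# Toy in-memory model of one owner -> spender ERC20 allowance.
# All names are hypothetical; this is not contract code.
class AllowanceLedger:
    def __init__(self, owner_balance):
        self.balance = {"owner": owner_balance, "spender": 0}
        self.allowed = 0  # tokens the spender may still pull from the owner

    def approve(self, value):
        # approve overwrites the allowance, regardless of what was already spent.
        self.allowed = value

    def increase_approval(self, added):
        # Relative change: adds to whatever allowance is left.
        self.allowed += added

    def decrease_approval(self, subtracted):
        # Relative change, clamped at zero (assumed decreaseApproval behaviour).
        self.allowed = max(0, self.allowed - subtracted)

    def transfer_from(self, value):
        # Returns False instead of reverting, to keep the model small.
        if value > self.allowed or value > self.balance["owner"]:
            return False
        self.allowed -= value
        self.balance["owner"] -= value
        self.balance["spender"] += value
        return True


def spent_after_reduction(reduce_with):
    """Owner lowers a 100-token allowance to 50, but the spender's
    transferFrom(100) is ordered first. Returns the spender's total."""
    ledger = AllowanceLedger(owner_balance=1000)
    ledger.approve(100)               # initial allowance
    ledger.transfer_from(100)         # spend ordered ahead of the owner's change
    if reduce_with == "approve":
        ledger.approve(50)            # absolute value: grants a fresh 50
    else:
        ledger.decrease_approval(50)  # relative value: 0 - 50 clamps to 0
    ledger.transfer_from(50)          # second spend against the "new" allowance
    return ledger.balance["spender"]


if __name__ == "__main__":
    print("approve:", spent_after_reduction("approve"))
    print("decreaseApproval:", spent_after_reduction("decreaseApproval"))
```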

During the audit, Quantstamp provided feedback to the Disciplina team on smart contract security, code quality, and adherence to best practices. We commend Disciplina’s use of well-audited external libraries, which allowed for relatively minimal modifications to be made while still being able to execute a customized token distribution.

For press inquiries and additional questions, please contact press@quantstamp.com.

For security inquiries or to request an audit, please contact security@quantstamp.com.