Protect your smart contracts and DeFi protocols with Three Sigma, a trusted security partner in blockchain audits, smart contract vulnerability assessments, and Web3 security.
Code UP is a tower-building strategy game fused with DeFi mechanics.
Players deposit gameETH to hire “builders.” Every 40 builders mints one CUP ERC-20 reward. While towers accrue yield over time, the protocol automatically swaps surplus WETH for CUP and seeds Uniswap V2 liquidity so the token has instant market depth.
Why Did They Need an Audit?
The game juggles multiple cash-flows (player deposits, yield payouts, trading commissions, LP seeding) and relies on precise accounting to remain solvent. An error in pool-creation sequencing, share math, or rounding could let attackers lock the protocol or bleed its ETH reserves. Code UP engaged Three Sigma for a one-week deep audit ahead of launch on Arbitrum, Ethereum, Optimism, Base, and Polygon.
Description: Anyone could create the CUP/WETH pair beforeclaimCodeupERC20() ran, causing the function to revert forever and blocking liquidity deployment.
Resolution: the contract now skips createPair() entirely and instead queries getPair() after addLiquidity, ensuring the address is set whether or not the pool existed beforehand.
Lossy ETH payouts on partial balance
Description: withdraw() and reinvest() zeroed each tower’s gameETHForWithdraw even when the contract lacked enough ETH to satisfy all claims, letting early callers drain the pot and erasing later players’ balances.
Resolution: the variable is now reduced pro-rata to the actual ETH sent, safeguarding residual credit for subsequent withdrawals.
Protocol insolvency through untracked totals
Description: Neither total ETH nor total issued gameETH were tracked; with compound upgrades a player could withdraw more ETH than deposited after ~16 hours, inevitably bankrupting the pool once new deposits slowed.
Resolution: added global supply counters, capped gameETH purchase to remaining upgrade cost, and redirected leftover WETH fees into locked liquidity.
Notable High-Severity Issues
Rounding-error fee leakage
Description: Because gameETH = amount / price used integer division with zero decimals, users lost up to 1e-12 ETH per purchase—insignificant individually but material at scale.
Resolution: Introduced 18-dec precision by scaling upgrade prices and yields and lowering gameETHPrice.
Severity Issues
critical
high
4
informational
5
medium
1
low
2
Audit Period
1 PW
Report
Audit Period
1 PW
Severity Issues
critical
high
4
medium
1
low
2
informational
5
Report
In conclusion
Three Sigma’s audit surfaced three critical design flaws that could have halted pool creation, erased player balances, or bankrupted the protocol. After implementing the recommended fixes—robust pair detection, proportional withdrawal logic, precise supply accounting, and high-precision math—Code UP can safely reward tower builders and sustain its in-game economy across multiple chains.
Secure Your Crypto Project Before It’s Too Late. Get in Touch Today.
