Report FOR Smart Contract Audit Report
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 2/11 Index 1. EXECUTIVE SUMMARY ......................................
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 3/11 1. EXECUTIVE SUMMARY OVERVIEW This report documents the result...
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 4/11 CONCLUSION The audit allowed the identification of high vulner...
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 5/11 2. AUDIT RESULTS Several checks were conducted, according to E...
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 6/11 2.2 OpenerRealFevr – Broken Access Control on editPackInfo - H...
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 7/11 2.3 OpenerRealFevr – Broken Access Control on deletePack- High...
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 8/11 2.4 OpenerRealFevr – BEP721 Tokens are not saving enough metad...
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 9/11 2.5 OpenerRealFevr – Business Logic Flaw on mint - Low It was ...
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 10/11 2.6 OpenerRealFevr – Massive Buys on buyPack - Low The buyPac...
CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 11/11 2.7 RealFevr DApp Infrastructure – DApp centralization - Low ...
Aug. 28, 2021
RealFevr Audit Report

Aug. 28, 2021
Smart Contract Audit Report For RealFevr
by Connor Daly SEC

RealFevr Audit Report

  1. 1. Report FOR Smart Contract Audit Report
  2. 2. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 2/11 Index 1. EXECUTIVE SUMMARY ................................................................................................................... 3 Overview .......................................................................................................................................................3 Conclusion ....................................................................................................................................................4 2. AUDIT RESULTS ............................................................................................................................... 5 2.1 OpenerRealFevr – Broken Access Control on offerPack - High .................................................5 2.2 OpenerRealFevr – Broken Access Control on editPackInfo - High ............................................6 2.3 OpenerRealFevr – Broken Access Control on deletePack- High ...............................................7 2.4 OpenerRealFevr – BEP721 Tokens are not saving enough metadata - Medium ....................8 2.5 OpenerRealFevr – Business Logic Flaw on mint - Low................................................................9 2.6 OpenerRealFevr – Massive Buys on buyPack - Low..................................................................10 2.7 RealFevr DApp Infrastructure – DApp centralization - Low .......................................................11
  3. 3. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 3/11 1. EXECUTIVE SUMMARY OVERVIEW This report documents the results from the Security Audit, with the main goal of evaluating the security of the following Solidity Smart Contracts, which are currently deployed on Binance Smart Chain: • OpenerRealFvr: 0x618DCD507D1dcEDAEd7df0DF54728326fD33D22E • MarketplaceRealFvr: 0xDf8582ED8224BFc79AF801674E6Ce60c80F9F5FB RealFevr DApp infrastructure was also targeted from a theorotical standpoint, no tests were performed due to the lack of authorization form. The Audit was executed mainly in a grey-box approach.
  4. 4. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 4/11 CONCLUSION The audit allowed the identification of high vulnerabilities which could jeopardize integrity of the data processed by the Smart Contract. Such vulnerabilities may have serious impact on decentralization required for this RealFevr project, with an impact on the organization's corporate image.
  5. 5. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 5/11 2. AUDIT RESULTS Several checks were conducted, according to Ethereum Foundation Security Recommendations, performing those checks deemed relevant and applicable to the Smart Contracts. 2.1 OpenerRealFevr – Broken Access Control on offerPack - High It was identified that the OpenerRealFevr is not validating the user permissions correctly, because, when the contract owner executes offerPack function, the Smart Contract always gives him permission, allowing him to change pack ownership for an already bought pack. Thus, such behavior introduces a point of centralization. Recommendations: • Smart Contract should respect pack ownership, by asserting that pack to be offered does not have owner. References: • https://ethereum.org/en/developers/docs/security/
  6. 6. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 6/11 2.2 OpenerRealFevr – Broken Access Control on editPackInfo - High It was identified that the OpenerRealFevr is not validating the user permissions correctly, because, when the contract owner executes editPackInfo function, the Smart Contract always gives him permission, allowing him to change pack type for an already bought pack. Thus, such behavior introduces a point of centralization. Recommendations: • Smart Contract should preserve already bought pack attributes, by asserting that pack to be modified does not have owner. References: • https://ethereum.org/en/developers/docs/security/
  7. 7. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 7/11 2.3 OpenerRealFevr – Broken Access Control on deletePack- High It was identified that the OpenerRealFevr is not validating the user permissions correctly, because, when the contract owner executes deletePack function, the Smart Contract always gives him permission, allowing him to delete an already bought pack. Thus, such behavior introduces a point of centralization. Recommendations: • Smart Contract should not be able to delete already bought packs, by asserting that pack to be deleted does not have owner. References: • https://ethereum.org/en/developers/docs/security/
  8. 8. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 8/11 2.4 OpenerRealFevr – BEP721 Tokens are not saving enough metadata - Medium The BEP721 tokens implemented on OpenerRealFevr are only saving their id and relative RealFevr URL, therefore, NFT management becomes centralized on RealFevr Web Servers. Recommendations: • BEP721 data should include at least IPFS link as well as SHA-256 checksum for its media content (on-chain). References: • https://ethereum.org/en/developers/docs/security/ • https://medium.com/@showcaseteam/non-fungible-token-nft-platforms- must-secure-metadata-in-their-erc-721-erc-1155-implementations- 88f55e987fc7
  9. 9. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 9/11 2.5 OpenerRealFevr – Business Logic Flaw on mint - Low It was identified that the OpenerRealFevr has a business logic flaw, because, when the user executes mint function, the Smart Contract always allows him to mint their NFTs, even when the respective pack is still closed. Recommendations: • Smart Contract should respect business logic implemented for this project, by asserting that pack containing the NFT was already opened. References: • https://ethereum.org/en/developers/docs/security/
  10. 10. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 10/11 2.6 OpenerRealFevr – Massive Buys on buyPack - Low The buyPack function on OpenerRealFevr is implemented without protection against automated buys. Although RealFevr DApp enforces rate limiting, automation is still possible by interacting with the Smart Contract, which can cause a degradation of service on both Smart Contract and Frontend. Recommendations: • Implementation of an on-chain control against automated buys for the buyPack Function, for instance, through the implementation of address time lock mechanisms. References: • https://ethereum.org/en/developers/docs/security/
  11. 11. CONNOR DALY SEC INDEPENDENT CONSULTING RealFevr Report 11/11 2.7 RealFevr DApp Infrastructure – DApp centralization - Low The RealFevr DApp is mainly deployed in a centralized way. In the event of an outage affecting whether self-hosted or AWS-hosted servers, RealFevr DApp may become unavailable. Thus, would not be possible to access at least NFT contents (see Vulnerability 2.4). Recommendations: • Configure alternative decentralized domains such as ENS. • Deploy RealFevr DApp pages in a decentralized way. IPFS usage is recommended. References: • https://ethereum.org/en/developers/docs/security/ • https://ens.domains/ • https://unstoppabledomains.com/ • https://ipfs.io/

Smart Contract Audit Report For RealFevr by Connor Daly SEC

