Smart Contract Audit Report
CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 2/11
Index
1. EXECUTIVE SUMMARY (p. 3)
   Overview (p. 3)
   Conclusion (p. 4)
2. AUDIT RESULTS (p. 5)
   2.1 OpenerRealFevr – Broken Access Control on offerPack - High (p. 5)
   2.2 OpenerRealFevr – Broken Access Control on editPackInfo - High (p. 6)
   2.3 OpenerRealFevr – Broken Access Control on deletePack - High (p. 7)
   2.4 OpenerRealFevr – BEP721 Tokens are not saving enough metadata - Medium (p. 8)
   2.5 OpenerRealFevr – Business Logic Flaw on mint - Low (p. 9)
   2.6 OpenerRealFevr – Massive Buys on buyPack - Low (p. 10)
   2.7 RealFevr DApp Infrastructure – DApp centralization - Low (p. 11)
1. EXECUTIVE SUMMARY
OVERVIEW
This report documents the results of the Security Audit, whose main goal was to
evaluate the security of the following Solidity Smart Contracts, which are currently
deployed on Binance Smart Chain:
• OpenerRealFvr: 0x618DCD507D1dcEDAEd7df0DF54728326fD33D22E
• MarketplaceRealFvr: 0xDf8582ED8224BFc79AF801674E6Ce60c80F9F5FB
The RealFevr DApp infrastructure was also assessed, but only from a theoretical
standpoint: no tests were performed against it because no authorization form was
in place.
The audit was executed mainly using a grey-box approach.
CONCLUSION
The audit identified high-severity vulnerabilities which could jeopardize the
integrity of the data processed by the Smart Contract. Such vulnerabilities may
have a serious impact on the decentralization this RealFevr project requires, and
consequently on the organization's corporate image.
2. AUDIT RESULTS
Several checks were conducted according to the Ethereum Foundation Security
Recommendations, performing those checks deemed relevant and applicable to
the Smart Contracts.
2.1 OpenerRealFevr – Broken Access Control on offerPack - High
It was identified that OpenerRealFevr does not validate user permissions
correctly: when the contract owner executes the offerPack function, the Smart
Contract always grants permission, allowing the owner to change the ownership of
a pack that has already been bought. This behavior introduces a point of
centralization.
Recommendations:
• The Smart Contract should respect pack ownership by asserting that the pack to
be offered does not already have an owner.
References:
• https://ethereum.org/en/developers/docs/security/
2.2 OpenerRealFevr – Broken Access Control on editPackInfo - High
It was identified that OpenerRealFevr does not validate user permissions
correctly: when the contract owner executes the editPackInfo function, the Smart
Contract always grants permission, allowing the owner to change the pack type of
a pack that has already been bought. This behavior introduces a point of
centralization.
Recommendations:
• The Smart Contract should preserve the attributes of already bought packs by
asserting that the pack to be modified does not already have an owner.
References:
• https://ethereum.org/en/developers/docs/security/
2.3 OpenerRealFevr – Broken Access Control on deletePack - High
It was identified that OpenerRealFevr does not validate user permissions
correctly: when the contract owner executes the deletePack function, the Smart
Contract always grants permission, allowing the owner to delete a pack that has
already been bought. This behavior introduces a point of centralization.
Recommendations:
• The Smart Contract should not be able to delete already bought packs; it should
assert that the pack to be deleted does not already have an owner.
References:
• https://ethereum.org/en/developers/docs/security/
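Findings 2.1, 2.2 and 2.3 share one root cause and one fix: an admin-only mutation must be refused once a pack has an owner. The contract below is an added illustration, not RealFevr's code; the Pack struct, the admin role and the storage layout are assumptions, while the function names mirror the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal pack registry illustrating the fix for findings 2.1 to 2.3.
// Not RealFevr's code: offerPack, editPackInfo and deletePack mirror the report's
// function names, but the struct layout and storage are assumptions.
contract PackRegistryHardened {
    struct Pack {
        uint256 packType;
        uint256 price;
        address owner;   // address(0) until the pack is bought or offered
        bool exists;
    }

    address public immutable admin;
    mapping(uint256 => Pack) private packs;

    error NotAdmin();
    error UnknownPack(uint256 packId);
    error PackAlreadyOwned(uint256 packId, address owner);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // The check the report asks for: an admin-only mutation is refused as soon
    // as the pack has an owner, so bought packs cannot be re-offered, retyped
    // or deleted by the contract owner.
    modifier onlyUnownedPack(uint256 packId) {
        Pack storage p = packs[packId];
        if (!p.exists) revert UnknownPack(packId);
        if (p.owner != address(0)) revert PackAlreadyOwned(packId, p.owner);
        _;
    }

    function createPack(uint256 packId, uint256 packType, uint256 price) external onlyAdmin {
        require(!packs[packId].exists, "pack exists");
        packs[packId] = Pack({packType: packType, price: price, owner: address(0), exists: true});
    }

    // The buyer takes ownership; from here on the admin-only mutations revert.
    function buyPack(uint256 packId) external payable onlyUnownedPack(packId) {
        Pack storage p = packs[packId];
        require(msg.value == p.price, "wrong price");
        p.owner = msg.sender;
    }

    // 2.1: assigning a pack to a recipient is only valid while it is unowned.
    function offerPack(uint256 packId, address to) external onlyAdmin onlyUnownedPack(packId) {
        require(to != address(0), "zero recipient");
        packs[packId].owner = to;
    }

    // 2.2: pack attributes are frozen once the pack has an owner.
    function editPackInfo(uint256 packId, uint256 newType, uint256 newPrice)
        external
        onlyAdmin
        onlyUnownedPack(packId)
    {
        packs[packId].packType = newType;
        packs[packId].price = newPrice;
    }

    // 2.3: only unsold packs can be removed.
    function deletePack(uint256 packId) external onlyAdmin onlyUnownedPack(packId) {
        delete packs[packId];
    }

    function ownerOfPack(uint256 packId) external view returns (address) {
        return packs[packId].owner;
    }
}
```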
2.4 OpenerRealFevr – BEP721 Tokens are not saving enough metadata - Medium
The BEP721 tokens implemented on OpenerRealFevr only store their id and a
relative RealFevr URL; NFT management therefore becomes centralized on the
RealFevr web servers.
Recommendations:
• BEP721 token data should include, on-chain, at least an IPFS link and a SHA-256
checksum of the token's media content.
References:
• https://ethereum.org/en/developers/docs/security/
• https://medium.com/@showcaseteam/non-fungible-token-nft-platforms-must-secure-metadata-in-their-erc-721-erc-1155-implementations-88f55e987fc7
2.5 OpenerRealFevr – Business Logic Flaw on mint - Low
It was identified that OpenerRealFevr has a business logic flaw: when a user
executes the mint function, the Smart Contract always allows them to mint their
NFTs, even while the respective pack is still closed.
Recommendations:
• The Smart Contract should enforce the business logic defined for this project
by asserting that the pack containing the NFT has already been opened.
References:
• https://ethereum.org/en/developers/docs/security/
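Findings 2.4 and 2.5 both touch the minting path, so one added example covers both: the token keeps an IPFS content address and a SHA-256 checksum on-chain next to the existing RealFevr URL, and mint reverts while the pack is closed. This is illustrative code, not RealFevr's; the admin role, the registerPack step and the reduced token bookkeeping (no BEP721 transfer logic) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal NFT store illustrating findings 2.4 and 2.5 together.
// Not RealFevr's code: token bookkeeping is reduced to ownership and metadata
// (no full BEP721 transfer/approval logic) so the two checks stand out.
contract OpenerNftHardened {
    // 2.4: what should live on-chain per token besides the id and the RealFevr
    // URL the report says is already stored: a content address and a checksum.
    struct TokenMetadata {
        string  realFevrUrl;   // existing off-chain pointer
        string  ipfsCid;       // content-addressed copy of the media/JSON
        bytes32 mediaSha256;   // sha256 of the media bytes, verifiable by anyone
    }

    struct Pack {
        address owner;
        bool opened;           // set by openPack; mint reverts until then
    }

    address public immutable admin;
    mapping(uint256 => Pack) private packs;
    mapping(uint256 => TokenMetadata) private metadata;
    mapping(uint256 => uint256) public packOfToken;   // 0 means "not assigned"
    mapping(uint256 => address) public ownerOf;

    error NotAdmin();
    error NotPackOwner(uint256 packId);
    error PackNotOpened(uint256 packId);
    error AlreadyMinted(uint256 tokenId);

    constructor() {
        admin = msg.sender;
    }

    // Assumption: the pack was sold elsewhere; here it is registered with its
    // buyer and the tokens it contains, each with complete metadata. packId 0 is
    // reserved so that packOfToken's default value means "unassigned".
    function registerPack(
        uint256 packId,
        address buyer,
        uint256[] calldata tokenIds,
        TokenMetadata[] calldata meta
    ) external {
        if (msg.sender != admin) revert NotAdmin();
        require(packId != 0 && buyer != address(0), "bad pack");
        require(packs[packId].owner == address(0), "pack exists");
        require(tokenIds.length == meta.length, "length mismatch");
        packs[packId].owner = buyer;
        for (uint256 i = 0; i < tokenIds.length; i++) {
            // Refuse tokens whose metadata would leave them dependent on a web server.
            require(bytes(meta[i].ipfsCid).length != 0, "missing IPFS CID");
            require(meta[i].mediaSha256 != bytes32(0), "missing checksum");
            require(packOfToken[tokenIds[i]] == 0, "token already assigned");
            packOfToken[tokenIds[i]] = packId;
            metadata[tokenIds[i]] = meta[i];
        }
    }

    function openPack(uint256 packId) external {
        if (msg.sender != packs[packId].owner) revert NotPackOwner(packId);
        packs[packId].opened = true;
    }

    // 2.5: mint checks the pack state on-chain instead of trusting the caller.
    function mint(uint256 tokenId) external {
        uint256 packId = packOfToken[tokenId];
        Pack storage p = packs[packId];
        if (packId == 0 || msg.sender != p.owner) revert NotPackOwner(packId);
        if (!p.opened) revert PackNotOpened(packId);
        if (ownerOf[tokenId] != address(0)) revert AlreadyMinted(tokenId);
        ownerOf[tokenId] = msg.sender;
    }

    function tokenMetadata(uint256 tokenId) external view returns (TokenMetadata memory) {
        return metadata[tokenId];
    }
}
```

Anyone holding the media bytes can recompute sha256 and compare it with mediaSha256 without trusting the RealFevr servers, which is the property the finding asks for.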
2.6 OpenerRealFevr – Massive Buys on buyPack - Low
The buyPack function on OpenerRealFevr is implemented without protection
against automated buys. Although the RealFevr DApp enforces rate limiting,
automation is still possible by interacting directly with the Smart Contract,
which can cause a degradation of service on both the Smart Contract and the
frontend.
Recommendations:
• Implement an on-chain control against automated buys for the buyPack
function, for instance through an address time lock mechanism.
References:
• https://ethereum.org/en/developers/docs/security/
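The address time lock the report recommends, as an added example rather than RealFevr's code: each address must wait BUY_COOLDOWN between successful purchases, enforced by the contract itself so that bypassing the DApp does not bypass the limit. The cooldown value and the reduced pack storage are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical per-address time lock for buyPack, the on-chain control the
// report suggests for finding 2.6. Not RealFevr's code; pack storage is reduced
// to what the cooldown needs.
contract BuyPackCooldown {
    uint256 public constant BUY_COOLDOWN = 60 seconds;  // assumed value; tune per product

    struct Pack {
        uint256 price;
        address owner;
        bool exists;
    }

    address public immutable admin;
    mapping(uint256 => Pack) private packs;
    // Timestamp of each address's last successful purchase (0 = never bought).
    mapping(address => uint256) public lastBuyAt;

    event PackBought(uint256 indexed packId, address indexed buyer, uint256 at);

    error CooldownActive(address buyer, uint256 retryAfter);
    error PackUnavailable(uint256 packId);

    constructor() {
        admin = msg.sender;
    }

    function createPack(uint256 packId, uint256 price) external {
        require(msg.sender == admin, "not admin");
        require(!packs[packId].exists, "pack exists");
        packs[packId] = Pack({price: price, owner: address(0), exists: true});
    }

    // Enforced in the contract, so a caller that skips the DApp's rate limiting
    // and talks to the contract directly is throttled as well.
    modifier rateLimited() {
        uint256 retryAfter = lastBuyAt[msg.sender] + BUY_COOLDOWN;
        if (lastBuyAt[msg.sender] != 0 && block.timestamp < retryAfter) {
            revert CooldownActive(msg.sender, retryAfter);
        }
        _;
        lastBuyAt[msg.sender] = block.timestamp;  // recorded only on a successful buy
    }

    function buyPack(uint256 packId) external payable rateLimited {
        Pack storage p = packs[packId];
        if (!p.exists || p.owner != address(0)) revert PackUnavailable(packId);
        require(msg.value == p.price, "wrong price");
        p.owner = msg.sender;
        emit PackBought(packId, msg.sender, block.timestamp);
    }

    // Convenience view for the frontend: seconds until this address may buy again.
    function secondsUntilNextBuy(address buyer) external view returns (uint256) {
        if (lastBuyAt[buyer] == 0) return 0;
        uint256 retryAfter = lastBuyAt[buyer] + BUY_COOLDOWN;
        return block.timestamp >= retryAfter ? 0 : retryAfter - block.timestamp;
    }
}
```

A per-address cooldown raises the cost of automation rather than eliminating it, so it complements, not replaces, the DApp-side rate limiting the report mentions.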
2.7 RealFevr DApp Infrastructure – DApp centralization - Low
The RealFevr DApp is mainly deployed in a centralized way. In the event of an
outage affecting either the self-hosted or the AWS-hosted servers, the RealFevr
DApp may become unavailable, and it would then not be possible to access at
least the NFT contents (see Vulnerability 2.4).
Recommendations:
• Configure alternative decentralized domains, such as ENS.
• Deploy the RealFevr DApp pages in a decentralized way; IPFS is recommended.
References:
• https://ethereum.org/en/developers/docs/security/
• https://ens.domains/
• https://unstoppabledomains.com/
• https://ipfs.io/