The audit report summarizes security issues found in smart contracts and infrastructure for the RealFevr project. High vulnerabilities were found that could compromise data integrity, including broken access controls allowing the contract owner to change pack attributes. Additional issues included lack of sufficient metadata stored on NFT tokens, potential for automated buying, and centralization risks from relying on self-hosted servers. Recommendations included strengthening access controls, storing more data on-chain, rate limiting buys, and deploying in a more decentralized manner.
2. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 2/11
Index
1. EXECUTIVE SUMMARY ................................................................................................................... 3
Overview .......................................................................................................................................................3
Conclusion ....................................................................................................................................................4
2. AUDIT RESULTS ............................................................................................................................... 5
2.1 OpenerRealFevr – Broken Access Control on offerPack - High .................................................5
2.2 OpenerRealFevr – Broken Access Control on editPackInfo - High ............................................6
2.3 OpenerRealFevr – Broken Access Control on deletePack- High ...............................................7
2.4 OpenerRealFevr – BEP721 Tokens are not saving enough metadata - Medium ....................8
2.5 OpenerRealFevr – Business Logic Flaw on mint - Low................................................................9
2.6 OpenerRealFevr – Massive Buys on buyPack - Low..................................................................10
2.7 RealFevr DApp Infrastructure – DApp centralization - Low .......................................................11
3. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 3/11
1. EXECUTIVE SUMMARY
OVERVIEW
This report documents the results from the Security Audit, with the main goal of
evaluating the security of the following Solidity Smart Contracts, which are currently
deployed on Binance Smart Chain:
• OpenerRealFvr: 0x618DCD507D1dcEDAEd7df0DF54728326fD33D22E
• MarketplaceRealFvr: 0xDf8582ED8224BFc79AF801674E6Ce60c80F9F5FB
RealFevr DApp infrastructure was also targeted from a theorotical standpoint, no
tests were performed due to the lack of authorization form.
The Audit was executed mainly in a grey-box approach.
4. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 4/11
CONCLUSION
The audit allowed the identification of high vulnerabilities which could jeopardize
integrity of the data processed by the Smart Contract. Such vulnerabilities may
have serious impact on decentralization required for this RealFevr project, with an
impact on the organization's corporate image.
5. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 5/11
2. AUDIT RESULTS
Several checks were conducted, according to Ethereum Foundation Security
Recommendations, performing those checks deemed relevant and applicable to
the Smart Contracts.
2.1 OpenerRealFevr – Broken Access Control on offerPack - High
It was identified that the OpenerRealFevr is not validating the user permissions
correctly, because, when the contract owner executes offerPack function, the
Smart Contract always gives him permission, allowing him to change pack
ownership for an already bought pack. Thus, such behavior introduces a point of
centralization.
Recommendations:
• Smart Contract should respect pack ownership, by asserting that pack to be
offered does not have owner.
References:
• https://ethereum.org/en/developers/docs/security/
6. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 6/11
2.2 OpenerRealFevr – Broken Access Control on editPackInfo - High
It was identified that the OpenerRealFevr is not validating the user permissions
correctly, because, when the contract owner executes editPackInfo function, the
Smart Contract always gives him permission, allowing him to change pack type for
an already bought pack. Thus, such behavior introduces a point of centralization.
Recommendations:
• Smart Contract should preserve already bought pack attributes, by asserting
that pack to be modified does not have owner.
References:
• https://ethereum.org/en/developers/docs/security/
7. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 7/11
2.3 OpenerRealFevr – Broken Access Control on deletePack- High
It was identified that the OpenerRealFevr is not validating the user permissions
correctly, because, when the contract owner executes deletePack function, the
Smart Contract always gives him permission, allowing him to delete an already
bought pack. Thus, such behavior introduces a point of centralization.
Recommendations:
• Smart Contract should not be able to delete already bought packs, by
asserting that pack to be deleted does not have owner.
References:
• https://ethereum.org/en/developers/docs/security/
8. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 8/11
2.4 OpenerRealFevr – BEP721 Tokens are not saving enough metadata - Medium
The BEP721 tokens implemented on OpenerRealFevr are only saving their id and
relative RealFevr URL, therefore, NFT management becomes centralized on
RealFevr Web Servers.
Recommendations:
• BEP721 data should include at least IPFS link as well as SHA-256 checksum for
its media content (on-chain).
References:
• https://ethereum.org/en/developers/docs/security/
• https://medium.com/@showcaseteam/non-fungible-token-nft-platforms-
must-secure-metadata-in-their-erc-721-erc-1155-implementations-
88f55e987fc7
9. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 9/11
2.5 OpenerRealFevr – Business Logic Flaw on mint - Low
It was identified that the OpenerRealFevr has a business logic flaw, because, when
the user executes mint function, the Smart Contract always allows him to mint their
NFTs, even when the respective pack is still closed.
Recommendations:
• Smart Contract should respect business logic implemented for this project,
by asserting that pack containing the NFT was already opened.
References:
• https://ethereum.org/en/developers/docs/security/
10. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 10/11
2.6 OpenerRealFevr – Massive Buys on buyPack - Low
The buyPack function on OpenerRealFevr is implemented without protection
against automated buys. Although RealFevr DApp enforces rate limiting,
automation is still possible by interacting with the Smart Contract, which can cause
a degradation of service on both Smart Contract and Frontend.
Recommendations:
• Implementation of an on-chain control against automated buys for the
buyPack Function, for instance, through the implementation of address time
lock mechanisms.
References:
• https://ethereum.org/en/developers/docs/security/
11. CONNOR DALY SEC
INDEPENDENT CONSULTING
RealFevr Report 11/11
2.7 RealFevr DApp Infrastructure – DApp centralization - Low
The RealFevr DApp is mainly deployed in a centralized way. In the event of an
outage affecting whether self-hosted or AWS-hosted servers, RealFevr DApp may
become unavailable. Thus, would not be possible to access at least NFT contents
(see Vulnerability 2.4).
Recommendations:
• Configure alternative decentralized domains such as ENS.
• Deploy RealFevr DApp pages in a decentralized way. IPFS usage is
recommended.
References:
• https://ethereum.org/en/developers/docs/security/
• https://ens.domains/
• https://unstoppabledomains.com/
• https://ipfs.io/