SMART CONTRACT SECURITY AUDIT FOR BLUELIGHT – Kale Bridge

Bluelight is an economic strategy game about building your startups in a multiverse. Bluelight has a strong foundation. The product team behind Bluelight founded the award-winning private web3 browser Aloha, which has millions of users worldwide. The development partner is Dragons Lake, a development studio that worked on various AAA titles for Epic, Sony, and Nintendo. Finally, the lore comes from the Take My Muffin animation series by Toonbox, and the game will be featured in almost every episode.
ABOUT THE PROJECT
Our task was to find and describe any security issues in the smart contracts of Kale Bridge, a project developed by the Bluelight team. During the audit, Blaize.Security audited the whole set of smart contracts within three folders. The protocol consists of a Kale BNB ERC20 token, a set of the Bridge smart contracts, and a set of smart contracts necessary for the user and token registry.
The goal of the audit was to analyze the security level of the smart contracts against the list of common vulnerabilities and auditors’ own checklist, ensure that Solidity best practices in terms of code quality and gas optimization are applied, verify the security of users’ funds and the security of Bridge implementation.
MAIN REQUIREMENTS
Blaize’s task was to find and describe security issues in the smart contracts of the platform.
We needed to check the Kale Bridge smart contracts with the following parameters:
- Whether the contract is secure;
- Whether the contract corresponds to the documentation;
- Whether the contract meets best practices in efficient use of gas and code readability.
We have scanned this smart contract for commonly known and more specific vulnerabilities:
- Unsafe type inference;
- Timestamp Dependence;
- Reentrancy;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call;
- Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC20 API violation;
- Uninitialized state/storage/local variables;
- Compile version not fixed.
In addition, Kale Bridge contracts were checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Manual code review;
- Static analysis by automated tools;
- Business logic review;
- Unit test coverage check;
- Extensive integration testing;
- Fuzzy and exploratory testing;
- Providing a detailed report of detected issues;
- Verification of fixes;
- Final audit report preparation & publishing.
AUTOMATED TOOLS ANALYSIS
The auditors scanned the contract with several publicly available automated analysis tools such as Mythril, Solhint, Slither, and Smartdec. All the issues detected with these tools were then verified manually.
MANUAL CODE REVIEW
The Blaize.Security team made a manual analysis of smart contracts for any security vulnerabilities. We checked smart contract logic and compared it with the one described in the documentation.
UNIT TEST COVERAGE
The scope of the audit includes the unit test coverage, which is based on the smart contracts code, documentation, and requirements presented by the Bluelight team. The coverage is calculated based on the set of the Hardhat framework tests and scripts from additional testing strategies. However, in order to ensure full security of the contract, the Blaize.Security team suggests the Bluelight team launch a bug bounty program to encourage further active analysis of the smart contracts.
SECURITY ANALYSIS REPORT
Finally, we have provided the Bluelight team with a smart contract security analysis report. The document contains all the detected risks and possible ways of their mitigation, as well as issues, vulnerabilities, and recommendations for fixes and improvements. Besides, the report contains the confirmation of fixes and necessary explanations from the Bluelight team.
AUDIT RESULT
The Blaize.Security team detected two high-severity issues and several low- and lowest-severity issues during the manual part of the audit. High-severity issues were connected to the ability of the owner to withdraw tokens from the Bridge smart contract and the ability of the signer to claim tokens in any quantity and to any receiver. Both issues were successfully resolved by the Bluelight team. To solve the first issue, the team restrained the owner from withdrawing Bridge tokens, and in order to refund users, a refund system was implemented.
For the second issue, a system of multiple signers was implemented, so that a certain number of signatures must be provided by the signers to process a claim. The protocol can still work with a single signer, however, which is why it is the Bluelight team’s responsibility to keep a sufficient number of signers in the protocol. Also, a single admin can still claim tokens to any address using the claim function.
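The multi-signer check described above can be illustrated with the sketch below. It is an added example, not the Kale Bridge code and not taken from the audit report: the contract name, function names, message layout and the constructor rule that rejects a threshold below two are all assumptions chosen to show how a claim can be bound to a receiver, an amount and a nonce, and how the single-signer configuration can be ruled out on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Hypothetical sketch: names and message layout are assumptions, not the audited contracts.
contract ThresholdClaim {
    IERC20 public immutable token;
    uint256 public immutable threshold;
    mapping(address => bool) public isSigner;
    mapping(bytes32 => bool) public processed;

    constructor(IERC20 token_, address[] memory signers, uint256 threshold_) {
        // Refuse the single-signer setup so one key can never authorize a claim alone.
        require(threshold_ >= 2 && threshold_ <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
        token = token_;
        threshold = threshold_;
    }

    function claimWithSignatures(address receiver, uint256 amount, uint256 nonce, bytes[] calldata sigs) external {
        // The signed id covers chain, contract, receiver, amount and nonce: no field can be swapped.
        bytes32 id = keccak256(abi.encode(block.chainid, address(this), receiver, amount, nonce));
        require(!processed[id], "already claimed");
        require(sigs.length >= threshold, "not enough signatures");
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", id));
        address last = address(0);
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = _recover(digest, sigs[i]);
            // Strictly ascending signer addresses: one signer cannot be counted twice.
            require(signer > last && isSigner[signer], "invalid or duplicate signer");
            last = signer;
        }
        processed[id] = true; // mark before the external call (checks-effects-interactions)
        require(token.transfer(receiver, amount), "transfer failed");
    }

    function _recover(bytes32 digest, bytes calldata sig) private pure returns (address) {
        require(sig.length == 65, "bad signature length");
        uint8 v = uint8(sig[64]);
        require(v == 27 || v == 28, "bad v");
        return ecrecover(digest, v, bytes32(sig[0:32]), bytes32(sig[32:64]));
    }
}
```

A failed `ecrecover` returns the zero address, which the `signer > last` comparison rejects on the first iteration, so no separate zero check is needed.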
Other issues were connected to the lack of variables’ validation, clarification of the business logic of the protocol, and other minor things. Most of them were successfully fixed by the Bluelight team as well. It should also be mentioned that the BNBKale.sol is an upgradable smart contract, which means that the owner of the protocol can update its logic at any time. All the issues can be seen in the Complete analysis section.
The overall security of the protocol is high enough. Smart contracts are well-written and contain detailed Natspec documentation.
Therefore, according to the above-listed rules, the overall security of the smart-contracts system of Kale Bridge can be evaluated as Highly Secure, 9.8 out of 10.
See the complete list of found vulnerabilities and recommendations about their improvements in this document:
Kale-Bridge-audit-report