SMART CONTRACT SECURITY AUDIT FOR CRYPTO COLLECTIVE
Crypto Collective is an online community located primarily on Discord where its members connect & discuss topics relating to cryptocurrency and NFTs. The general community is free to access on Discord and two additional tiers are available to unlock for members who hold one of Crypto Collective’s NFTs.
The two NFTs available upon launch (“Inner Circle” NFT and “The Collective” NFT) are minted or acquired through an ERC-1155 smart contract. The current intended maximum supply is 150 for the Inner Circle NFT and 1500 for The Collective NFT.
The initial minting process for the two NFTs is a transition from Solana to Ethereum for current holders of a previously used Solana-based NFT and will be a fully whitelisted free mint (not including gas) on the new Ethereum ERC-1155 contract. Future mints are expected to open for a set price until the intended maximum supply is reached for both NFTs.
The main token features are to provide heightened access to the Crypto Collective Discord server for token holders by the means of additional roles granted through a Discord verification bot.
ABOUT THE PROJECT
Blaize has performed the security audit of the contracts for the Crypto Collective protocol. The task was to find and describe security issues in the smart contracts of the platform. The scope of the project is the Crypto Collective NFT set of contracts. The Blaize team of auditors had made the unit test coverage, based on the smart contracts code, documentation, and requirements presented by the customer. Coverage was calculated based on the set of Truffle framework tests and scripts from additional testing strategies.
Blaize’s task was to find and describe security issues in the smart contracts of the platform.
We needed to check the Crypto Collective NFT smart contracts with the following parameters:
- Whether the contract is secure;
- Whether the contract corresponds to the documentation;
- Whether the contract meets best practices in efficient use of gas, code readability.
So contracts were checked against the following set of commonly known and more specific vulnerabilities during the Crypto Collective code audit:
- Unsafe type inference;
- Timestamp Dependence;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call – Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC20 API violation;
- Uninitialized state/storage/
- local variables;
- Compile version not fixed.
In addition, Crypto Collective NFT smart contracts were checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Check for code consistency whether the contract corresponds to the documentation;
- Checks against the standard list of vulnerabilities we have mentioned above;
- Static analysis by automated tools;
- Manual code analysis and code quality review;
- Gas usage analysis;
- Unit tests coverage check;
- Creation of own set of unit-tests for the full coverage;
- Security analysis report delivery;
- Post-audit fixes review.
AUTOMATED TOOLS ANALYSIS
Automated code analysis implies using different open-source software for bug detection. In the case of the Crypto Collective smart contract audit, Blaize’s team scanned contracts by several automated analysis tools such as Mythril, Solhint, Slither, and Smartdec. We often conduct several testing processes in parallel to ensure the best bug verification.
Automate testing helped to define which part is responsible for each input execution and showed the possible places for bugs occurring. The automated analysis was followed by the manual verification of all the issues found with the tools.
MANUAL CODE REVIEW
The manual code analysis for the Crypto Collective protocol implies a thorough examination of each code line by an auditor. Manual testing is needed to analyze the previously found vulnerabilities and check the operational work of smart contracts in general.
Manual code examination is highly recommended for an exploratory check of vulnerabilities hidden not in the code itself, but in contract logic or architecture. This type of verification is based on auditor expertise and experience with complex smart contracts systems.
In the case of the Crypto Collective audit, Blaize’s team performed the manual analysis of smart contracts for security vulnerabilities and also checked smart contract logic, and compared it with the one described in the documentation.
UNIT TEST COVERAGE
As part of the Crypto Collective audit process, the team of auditors has checked and verified existing native unit-test coverage. It was verified to be sufficient for security purposes and contains all necessary tests to cover the business logic of the Crypto Collective NFT contract.
The Blaize team has provided extra testing to check that it is not possible to mint more NFTs than allowed by the signer in one round (especially with the same signed message).
SECURITY ANALYSIS REPORT
In the end, we have provided Crypto Collective with smart contracts’ security analysis report. The document contains all detected risks and the possible variants of its mitigations, issues, vulnerabilities details, and recommendations for their improvements.
FIND OUT MORE ABOUT OUR BLAIZE SECURITY SERVICES.
According to the assessment, the Crypto Collective NFT’s smart contracts have no critical security problems and overall quality of the code is high and the functionality is well-documented and optimized. The contract represents the upgradeable NFT (corresponding to ERC721 and ERC1155 standards) with a custom minting mechanism, which relies on several rounds and verified signatures. Contracts have good native coverage which was checked within the scope of the audit. Nevertheless, the security team has prepared their own set of tests.
All unclear or suspicious functionality was verified with the Crypto Collective team and resolved.
Therefore, according to the above-listed rules, the overall security of the smart-contracts system of Crypto Collective can be evaluated as Highly Secure, 9.9 out of 10.
See the full list of found vulnerabilities and recommendations about their improvements in this document:Crypto-Collective-smart-contract-audit