SMART CONTRACT SECURITY AUDIT FOR CRYPTOBEAR WATCH CLUB
CryptoBear Watch Club is a platform that has a collection of 10,000 NFTs. All CryptoBear NFTs are stored as ERC-721 tokens on the Ethereum Blockchain and hosted on IPFS. In order to access members-only areas, CryptoBear watch holders must sign into their Metamask Wallet.
ABOUT THE PROJECT
In this case, the Blaize team considers the security of the contracts for the CryptoBear protocol. The task was to find and describe security issues in the smart contracts of the platform. The scope of the audit is the CryptoBear set of contracts: CryptoBearWatchClub and Arkouda. The audit included unit test coverage, based on the smart contract code, documentation, and requirements presented by the CryptoBear team. Coverage was calculated based on the set of Truffle framework tests and scripts from additional testing strategies.
Blaize’s task was to check the contracts for the following parameters:
- Whether the contract is secure;
- Whether the contract corresponds to the documentation;
- Whether the contract meets best practices in efficient use of gas, code readability.
Thus we scanned these smart contracts for commonly known and more specific vulnerabilities:
- Unsafe type inference;
- Timestamp Dependence;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call;
- Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC-20 API violation;
- Uninitialized state/storage/local variables;
- Compile version not fixed.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Check for code consistency: whether the contract corresponds to the documentation;
- Checks against the standard list of vulnerabilities we have mentioned above;
- Static analysis by automated tools;
- Manual code analysis and code quality review;
- Gas usage analysis;
- Unit tests coverage check;
- Creation of our own set of unit tests for full coverage;
- Security analysis report delivery;
- Post-audit fixes review.
AUTOMATED TOOLS ANALYSIS
The automated analysis for CryptoBear consisted of scanning the contracts with several publicly available automated analysis tools such as Mythril, Solhint, Slither, and Smartdec.
MANUAL CODE REVIEW
Manual testing is a process of reading source code line-by-line in an attempt to identify potential vulnerabilities and check the operational work of smart contracts in general.
This is highly recommended for an exploratory check of vulnerabilities hidden not in the code itself, but in contract logic or architecture.
In the case of the CryptoBear audit, Blaize’s team performed the manual analysis of smart contracts for security vulnerabilities and also checked smart contract logic and compared it with the one described in the documentation.
SECURITY ANALYSIS REPORT
At the end of the audit, we provided CryptoBear with a security analysis report for the smart contracts. The document contains all identified risks and possible mitigations for them, details of the issues and vulnerabilities, and recommendations for their improvement.
According to the audit, the CryptoBear smart contracts contained only one critical issue, connected to an incorrect funds flow: it allowed users to claim rewards regardless of the contract rules. The team has already fixed this issue.
All other issues concerned missing checks, which could block the contract, and code quality. All security risk issues were fixed by the team.
The overall security of the CryptoBear smart contracts can be evaluated as secure: they perform all desired actions and have solid functionality.
However, the code lacks readability, and the overall code quality could be improved.
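The critical finding is described above only as a reward claim that did not enforce the contract's rules, and the remaining findings as missing checks. The following is an added illustration written for this summary, not the CryptoBear code or any code from the Blaize report: a hypothetical reward contract in the shape an auditor would flag (no eligibility or timing check, balance never cleared) next to a hardened version that enforces the rules and updates state before the external call. Contract names, the `claimStart` rule and the owner-only `assign` function are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical reward contract used only to illustrate the class of issue
/// named in the audit summary (a claim path that does not enforce the
/// contract's own rules). It is NOT the CryptoBear code.
contract RewardClaimVulnerable {
    mapping(address => uint256) public reward; // reward assigned per holder
    uint256 public claimStart;                 // claims are meant to open at this time

    constructor(uint256 _claimStart) { claimStart = _claimStart; }

    // Missing check: anyone can assign rewards, not only the operator.
    function assign(address holder, uint256 amount) external {
        reward[holder] = amount;
    }

    // Issue: no timing or eligibility check, and the balance is not cleared,
    // so a holder can claim before claimStart and claim the same reward repeatedly.
    function claim() external {
        uint256 amount = reward[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

/// Hardened version of the same contract: every rule the documentation would
/// state is enforced in code, and effects happen before the external call.
contract RewardClaimHardened {
    mapping(address => uint256) public reward;
    mapping(address => bool) public claimed;
    uint256 public immutable claimStart;
    address public immutable owner;

    event Claimed(address indexed holder, uint256 amount);

    constructor(uint256 _claimStart) {
        claimStart = _claimStart;
        owner = msg.sender;
    }

    function assign(address holder, uint256 amount) external {
        require(msg.sender == owner, "not owner"); // only the operator assigns rewards
        reward[holder] = amount;
    }

    function claim() external {
        require(block.timestamp >= claimStart, "claim not open"); // timing rule
        require(!claimed[msg.sender], "already claimed");          // one claim per holder
        uint256 amount = reward[msg.sender];
        require(amount > 0, "nothing to claim");

        // Effects before interaction: clear state before sending funds, so a
        // re-entering call sees nothing left to claim.
        claimed[msg.sender] = true;
        reward[msg.sender] = 0;

        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Claimed(msg.sender, amount);
    }

    receive() external payable {}
}
```

When reviewing a claim path like this, the checks to look for map directly onto the audit's list above: access control on the function that sets balances, the explicit timing and one-claim-per-holder rules, the state update preceding the unchecked external call, and a fixed compiler version in the pragma.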
In this regard, the security of the smart-contracts system of CryptoBear Watch Club can be evaluated as Highly Secure, 9.8 out of 10.
See the full list of found vulnerabilities and recommendations about their improvements in this report: CryptoBear_Smart_Contract_Audit