SMART CONTRACT SECURITY AUDIT FOR CUPCAKE – NFT APP
The NFT app Cupcake simplifies the complex technical restrictions and lengthy setup processes typical for acquiring NFTs for the first time and eliminates gas fees for users.
With Cupcake, users create a digital asset wallet and mint their first NFT in under one minute via encrypted near-field communication technology (NFC) on mobile devices through Sprinkles, Cupcake’s secure NFC tags, which are paired with smart contracts.
Cupcake partnered with ROVE and Tommy Hilfiger to create Tommy Factory NFTs during the 2022 New York Fashion Week. These NFTs were claimed live at the event by guests on their phones in under a minute using the Cupcake protocol.
ABOUT THE PROJECT
During the audit, we inspected the security of the smart contracts of the Cupcake protocol. Our task was to find and describe any security issues in the smart contracts of the platform.
The protocol consists of 4 contracts:
- CandyMachine.sol – an ERC1155 smart contract with a custom minting functionality based on the Chainlink VRF Oracle in order to randomly choose the URI of the minted token.
- CandyMachineFactory.sol – a factory contract designed for deploying new instances of CandyMachine contracts.
- RentableWrapper.sol – an ERC721 smart contract designed to wrap the existing external NFTs to extend their interface with the EIP-4907 user interface.
- Contract.sol – a contract designed for the distribution of ERC20, ERC721, and ERC1155 assets in different modes, which are called tag types.
The main objectives of the audit were to analyze the listed smart contracts for well-known security vulnerabilities, check the contracts against the Blaize.Security internal vulnerabilities checklist, validate the security of users’ funds and the safety of the ERC721 implementation (including transfer and mint operations), and check that the contracts correspond to industry best practices in terms of code quality and gas optimization.
The main task of the Blaize team was to detect and describe any security issues in the smart contracts of the platform.
We needed to check the Cupcake smart contracts according to the following parameters:
- Whether the contract is secure;
- Whether the contract corresponds to the documentation;
- Whether the contract follows industry best practices in terms of the efficient use of gas and code readability.
We have scanned this smart contract for all commonly known and more specific vulnerabilities:
- Unsafe type inference;
- Timestamp Dependence;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call;
- Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violations;
- ERC20 API violations;
- Uninitialized state/storage/local variables;
- Compile version not fixed.
In addition, Cupcake smart contracts were checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Manual code review;
- Static analysis by automated tools;
- Business logic review;
- Unit test coverage check;
- Extensive integration testing;
- Fuzzy and exploratory testing;
- Providing a detailed report of the detected issues;
- Verification of fixes;
- Final audit report preparation & publishing.
You can find out more about the Smart Contract Security Audit procedure or take a look at the recently described LiquidAccess Smart Contract Audit.
AUTOMATED TOOLS ANALYSIS
We scanned the contracts with several publicly available automated analysis tools, such as Mythril, Solhint, Slither, and Smartdec, and manually verified all the issues detected with these tools.
MANUAL CODE REVIEW
We manually analyzed the smart contracts for security vulnerabilities. We checked the smart contract logic and compared it with the logic described in the documentation.
UNIT TEST COVERAGE
The scope of the audit includes unit test coverage based on the smart contracts code, documentation, and requirements presented by the Cupcake team. The coverage is calculated based on the set of the Hardhat framework tests and scripts from additional testing strategies.
However, in order to ensure full security of the contract, the Blaize.Security team suggests the Cupcake team launch a bug bounty program to encourage further active analysis of the smart contracts.
SECURITY ANALYSIS REPORT
Finally, we provided the Cupcake team with a security analysis report for the smart contracts. The document contains all the detected risks and possible ways to mitigate them, as well as issues, vulnerabilities, and recommendations for fixes and improvements. In addition, the report contains the confirmation of fixes and the necessary explanations from the Cupcake team.
The team of auditors detected 2 critical, 1 high, and 3 medium-severity issues in the contracts, as well as several low and informational ones.
One of the critical issues was connected with the generation of random numbers on-chain. This issue was successfully fixed by the Cupcake team by integrating the Chainlink VRF Oracle.
Another critical issue was connected with the possible deletion of information about a wrapped asset in RentableWrapper.sol. The issue was fixed as well by only deleting specific information about the NFT instead of all the data.
The overall security of the smart contracts is high enough for them to be deployed and used by a wider audience. The contracts are well written and have good NatSpec documentation.
Therefore, according to the rules listed above, the overall security of the Cupcake smart-contract system can be evaluated as Highly Secure, 9.6 out of 10.
See the full list of the detected vulnerabilities and our recommendations on how to fix them in this document: Cupcake-audit-report