SMART CONTRACT SECURITY AUDIT FOR CUPCAKE – NFT APP

3 weeks


The NFT app Cupcake simplifies the complex technical restrictions and lengthy setup processes typical for acquiring NFTs for the first time and eliminates gas fees for users. 

With Cupcake, users create a digital asset wallet and mint their first NFT in under one minute via encrypted near-field communication technology (NFC) on mobile devices through Sprinkles, Cupcake’s secure NFC tags, which are paired with smart contracts.

Cupcake partnered with ROVE and Tommy Hilfiger to create Tommy Factory NFTs during the 2022 New York Fashion Week. These NFTs were claimed live at the event by guests on their phones in under a minute using the Cupcake protocol.

ABOUT THE PROJECT 

During the audit, we inspected the security of the smart contracts of the Cupcake protocol. Our task was to find and describe any security issues in the smart contracts of the platform. 

The protocol consists of 4 contracts:

  • CandyMachine.sol – an ERC1155 smart contract with a custom minting functionality based on the Chainlink VRF Oracle in order to randomly choose the URI of the minted token.
  • CandyMachineFactory.sol – a factory contract designed for deploying new instances of CandyMachine contracts.
  • RentableWrapper.sol – an ERC721 smart contract designed to wrap existing external NFTs so that they additionally expose the EIP-4907 user interface.
  • Contract.sol – a contract designed for the distribution of ERC20, ERC721, and ERC1155 assets in different modes, which are called tag types.

The main objectives of the audit were to analyze the listed smart contracts for well-known security vulnerabilities, check them against the Blaize.Security internal vulnerabilities checklist, validate the security of users’ funds and the safety of the ERC721 implementation (including transfer and mint operations), and check that the contracts follow industry best practices in terms of code quality and gas optimization.

MAIN REQUIREMENTS

The main task of the Blaize team was to detect and describe any security issues in the smart contracts of the platform.

We needed to check the Cupcake smart contracts according to the following parameters:

  • Whether the contract is secure; 
  • Whether the contract corresponds to the documentation; 
  • Whether the contract follows industry best practices in terms of the efficient use of gas and code readability.

We have scanned this smart contract for all commonly known and more specific vulnerabilities:

  • Unsafe type inference;
  • Timestamp dependence;
  • Reentrancy;
  • Implicit visibility level;
  • Gas limit and loops;
  • Transaction-ordering dependence;
  • Unchecked external call;
  • Unchecked math;
  • DoS with block gas limit;
  • DoS with (unexpected) throw;
  • Byte array vulnerabilities;
  • Malicious libraries;
  • Style guide violations;
  • ERC20 API violations;
  • Uninitialized state/storage/local variables;
  • Compile version not fixed.

In addition, Cupcake smart contracts were checked against less common vulnerabilities from the internal Blaize.Security knowledge base.

SMART CONTRACT SECURITY AUDIT PROCEDURE

Blaize.Security has an established security audit procedure. It includes the following steps: 

  1. Manual code review;
  2. Static analysis by automated tools;
  3. Business logic review;
  4. Unit test coverage check;
  5. Extensive integration testing;
  6. Fuzz and exploratory testing;
  7. Providing a detailed report of the detected issues;
  8. Verification of fixes;
  9. Final audit report preparation & publishing.

You can find out more about the Smart Contract Security Audit procedure or take a look at the recently described LiquidAccess Smart Contract Audit.

AUTOMATED TOOLS ANALYSIS 

We scanned the contracts with several publicly available automated analysis tools, such as Mythril, Solhint, Slither, and SmartDec, and then manually verified every issue these tools reported.

MANUAL CODE REVIEW 

We manually analyzed the smart contracts for security vulnerabilities, checked the smart contract logic, and compared it with the behaviour described in the documentation.

UNIT TEST COVERAGE

The scope of the audit includes unit test coverage based on the smart contract code, documentation, and requirements presented by the Cupcake team. The coverage is calculated from the set of Hardhat framework tests and the scripts from additional testing strategies.

However, in order to ensure full security of the contract, the Blaize.Security team suggests the Cupcake team launch a bug bounty program to encourage further active analysis of the smart contracts.

SECURITY ANALYSIS REPORT

Finally, we provided the Cupcake team with a security analysis report for the smart contracts. The document contains all the detected risks and possible ways of mitigating them, as well as issues, vulnerabilities, and recommendations for fixes and improvements. It also contains the confirmation of fixes and the necessary explanations from the Cupcake team.


AUDIT RESULTS

The team of auditors detected 2 critical, 1 high, and 3 medium-severity issues in the contracts, as well as several low-severity and informational ones.

One of the critical issues concerned the generation of random numbers on-chain. The Cupcake team fixed it by integrating the Chainlink VRF Oracle.
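As an added illustration (this is not Cupcake's CandyMachine.sol and not code from the audit report), the contract below shows the request/callback pattern that moves URI selection out of the minting transaction and into the VRF fulfilment, so the outcome cannot be derived from block data or simulated and rolled back by the caller. The coordinator address, key hash and subscription id are assumed deployment parameters, and the OpenZeppelin and Chainlink v0.8 import paths are assumed to be available in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

// Illustrative contract, not Cupcake's CandyMachine.sol. The token URI is chosen
// only inside the VRF callback, never from block data or msg.sender.
contract RandomUriMint is ERC1155, VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;       // assumed VRF gas lane of the target chain
    uint64 private immutable subscriptionId; // assumed funded VRF subscription
    string[] private uris;                   // candidate URIs to pick from
    mapping(uint256 => address) private pendingMinter; // VRF requestId => minter
    mapping(uint256 => string) private tokenUri;       // tokenId => chosen URI
    uint256 private nextTokenId = 1;

    constructor(address vrfCoordinator, bytes32 _keyHash, uint64 _subId, string[] memory _uris)
        ERC1155("") VRFConsumerBaseV2(vrfCoordinator)
    {
        require(_uris.length > 0, "no URIs");
        coordinator = VRFCoordinatorV2Interface(vrfCoordinator);
        keyHash = _keyHash;
        subscriptionId = _subId;
        uris = _uris;
    }

    // Step 1: the user only asks for randomness. Nothing about the outcome is
    // decided here, so a caller cannot simulate the mint and revert if unhappy.
    function requestMint() external returns (uint256 requestId) {
        requestId = coordinator.requestRandomWords(keyHash, subscriptionId, 3, 200_000, 1); // 3 confs, 200k gas, 1 word
        pendingMinter[requestId] = msg.sender;
    }

    // Step 2: reachable only via VRFConsumerBaseV2.rawFulfillRandomWords, which
    // checks that msg.sender is the coordinator. The word is bound to the original
    // requester; unknown ids are ignored, since a revert here just burns the fulfilment.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address minter = pendingMinter[requestId];
        if (minter == address(0)) return;
        delete pendingMinter[requestId];
        uint256 tokenId = nextTokenId++;
        tokenUri[tokenId] = uris[randomWords[0] % uris.length];
        _mint(minter, tokenId, 1, "");
    }

    function uri(uint256 tokenId) public view override returns (string memory) {
        return tokenUri[tokenId];
    }
}
```

The property worth checking in review is that no state that decides the mint result is written in requestMint; only the callback, which the coordinator alone can trigger, assigns the URI.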

The other critical issue concerned the possible deletion of information about a wrapped asset in RentableWrapper.sol. It was likewise fixed by deleting only the specific information about the NFT instead of all the data.

The overall security of the smart contracts is high enough for them to be deployed and used by a wider audience. The contracts are well written and have good NatSpec documentation.

Therefore, according to the rules listed above, the overall security of the Cupcake smart contract system can be evaluated as Highly Secure, 9.6 out of 10.

See the full list of the detected vulnerabilities and our recommendations on how to fix them in this document:

Cupcake-audit-report

Service

  • Security audit

Blockchain

  • Ethereum

Project stage

Security audit
