SMART CONTRACT SECURITY AUDIT FOR LIQUIDACCESS
We are happy to say that we’ve finished a smart contract security audit for LiquidAccess, the protocol for advanced operations with NFTs.
ABOUT THE PROJECT
During the audit, we examined the security of smart contracts for the LiquidAccess protocol. Our task was to find and describe any security issues in the smart contracts of the platform. The scope of the project included the LiquidAccess set of contracts – LiquidAccess.sol.
LiquidAccess.sol is an NFT contract that implements the ERC721 NFT standard, the ERC2981 royalty standard, and the ERC4906 Metadata Update Extension. During the deployment of the contract, the token’s name, symbol, merchant, and merchant ID are set in the storage.
The minting flow of the contract contains the safeMint() function, which can be executed only by the owner of the contract. During the minting, the owner can specify the receiver, a subscription type, and the expiration of the token.
There are also setters that allow the owner to change the subscription type and the expiration of existing tokens. The contract also contains additional setters, which allow the owner to set the following information about the contract: royalty, lockup period, users and NFTs blacklist, NFT and contract’s name, description, image.
MAIN REQUIREMENTS
The main task of the Blaize.Security team was to find and describe any security issues in the smart contracts of the platform.
We needed to check the LiquidAccess smart contracts according to the following parameters:
- Whether the contract is secure;
- Whether the contract corresponds to the documentation;
- Whether the contract meets best practices in efficient gas use and code readability.
Thus, the contracts were checked against the following set of commonly known and more specific vulnerabilities during the LiquidAccess code audit:
- Unsafe type inference;
- Timestamp Dependence;
- Reentrancy;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call – Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC20 API violation;
- Uninitialized state/storage/local variables;
- Compile version not fixed.
Also, the LiquidAccess NFT set of contracts was checked against the less common vulnerabilities from the internal Blaize.Security knowledge base.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Manual code review;
- Static analysis by automated tools;
- Business logic review;
- Unit test coverage check;
- Extensive integration testing;
- Fuzzy and exploratory testing;
- Providing a detailed report of detected issues;
- Verification of fixes;
- Final audit report preparation & publishing.
AUTOMATED TOOLS ANALYSIS
The automated part of the analysis was performed with several publicly available tools such as Mythril, Solhint, Slither, and Smartdec. In addition, the team manually verified all the issues found with these tools.
MANUAL CODE REVIEW
The auditors used manual analysis to search for security vulnerabilities. We checked smart contract logic and compared it with the one described in the documentation.
UNIT TEST COVERAGE
The scope of the audit included the unit test coverage that was based on the smart contracts code, documentation, and requirements presented by the LiquidAccess team. The coverage was calculated based on the set of the Hardhat framework tests and scripts from additional testing strategies.
SECURITY ANALYSIS REPORT
In the end, we have provided LiquidAccess with a full smart contract security analysis report. The document contains all the detected risks, issues, and vulnerabilities, and the possible ways of their mitigation and security improvements.
AUDIT RESULT
According to the assessment, the LiquidAccess smart contracts have no critical security problems, the overall quality of the code is high, and the functionality is well-documented and optimized. Most of the issues were fixed by the LiquidAccess team.
However, in order to ensure high security of the contract, the Blaize.Security team suggests the LiquidAccess team launch a bug bounty program to encourage further active analysis of the smart contracts.
According to the rules listed above, the overall security of the LiquidAccess smart contracts can be evaluated as Highly Secure, 9.6 out of 10.
You can see the full list of the detected vulnerabilities and the recommendations of the Blaize.Security team in these documents:
LiquidAccess-NFT-audit-report_compressed
Our cooperation with LiquidAccess wasn’t finished. The Blaize.Security team recently provided a new audit of the LiquidAccess NFT set of contracts. This time the security score was an incredible 9.9 out of 10 points! So, read the report below:
LiquidAccess-NFT-audit-report-1