SMART CONTRACT SECURITY AUDIT FOR NEMUS
Nemus acquires at-risk land in the rainforest of the Amazon and creates a series of collectible NFTs on the Ethereum network, each tied to unique geolocation within the land. A portion of sales from NFTs pays for operations and the purchase of the land, while the remaining proceeds are stored in the Nemus Treasury. With the help of the Nemus DAO, the Treasury then funds economic and social activity on the land.
ABOUT THE PROJECT
In this project, we consider the security of the contracts for the Nemus protocol. Our task was to find and describe security issues in the Nemus set of contracts: AbstractMintVoucherFactory and NeaMintTicketFactory. The scope of the audit included the unit test coverage that is based on the smart contracts code, documentation, and requirements presented by the Nemus team.
The Blaize team’s task was to check the contracts for these main requirements:
- Whether the contract is secure;
- Whether the contract corresponds to the documentation;
- Whether the contract meets best practices in efficient gas use and code readability.
That’s why we have scanned the Nemus smart contracts for commonly known and more specific vulnerabilities:
- Unsafe type inference;
- Timestamp Dependence;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call;
- Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC-20 API violation;
- Uninitialized state/storage/local variables;
- Compile version not fixed.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has a prescribed security audit procedure. It consists of the following steps:
- Check for code consistency, i.e. whether the contract corresponds to the documentation;
- Check against the standard list of vulnerabilities mentioned above;
- Static analysis by automated tools;
- Manual code analysis and code quality review;
- Gas usage analysis;
- Unit tests coverage check;
- Creation of a custom set of unit-tests for the full coverage;
- Security analysis report delivery;
- Post-audit fixes review.
AUTOMATED TOOLS ANALYSIS
The automated analysis of the Nemus smart contracts was performed by scanning the contracts with several publicly available tools: Mythril, Solhint, Slither, and SmartDec.
MANUAL CODE REVIEW
For the Nemus audit, the Blaize team performed a manual analysis of the smart contracts for security vulnerabilities. We also checked the smart contract logic and compared it with the behaviour described in the documentation.
SECURITY ANALYSIS REPORT
At the end of every audit, the Blaize team provides a detailed smart contract security analysis report. For Nemus, we also prepared a document with all detected risks and the possible variants of their mitigation, details of the issues and vulnerabilities, and recommendations for improvement.
During the security audit of the Nemus smart contracts, the Blaize team found several issues that prevented correct NFT minting in most user scenarios. Several issues from the standard auditors' list were also found. The team has since fixed all of these issues.
The remaining issues concerned missing checks, which could block the contract, and code quality. All security risk issues were fixed by the team.
Overall, the Nemus smart contracts can be evaluated as secure: they perform all desired actions and have solid functionality.
Based on the audit, the security of the Nemus set of contracts can be evaluated as Highly Secure, 9.75 out of 10.
Check the list of found vulnerabilities and recommendations for their improvement in this report: Nemus-smart-contract-audit-3_compressed
Our cooperation with Nemus did not end with this audit. Blaize's team recently performed a new audit of the Nemus NFT smart contracts. Read the report below: Nemus_2_NFT_smart_contract_audit