SMART CONTRACT SECURITY AUDIT FOR TITLE DEEDS CEX BY VIEWPOINT LABS
Viewpoint Labs specializes in consumer products with a focus on web3 and entertainment. They build applications with an outstanding user experience, simplifying mass adoption of new technologies for 200+ million users worldwide.
This case study covers the smart contract security audit of the Title Deeds CEX protocol, developed by the Viewpoint Labs team. This is the second audit of this protocol; the first covered the core contract TitleDeeds.sol.
ABOUT THE PROJECT
Our task was to find and describe security issues in the smart contracts of the platform. Blaize Security reviewed the whole set of contracts within the scope provided by the Viewpoint Labs team. The protocol allows users to redeem their Title Deeds NFTs on the Ethereum network and receive Parcel and Blueprint NFTs on the BNB Chain network.
The protocol also contains custom ERC721 and ERC1155 implementations, which extend basic NFT functionality with role management, minting, royalties, metadata update notifications, and batched retrieval of information about NFTs. The Blaize Security team reviewed all of these implementations as well.
We were assigned to detect and describe security issues in the smart contract set of the Title Deeds CEX protocol.
We needed to check the smart contracts with the following parameters:
- Whether the contract is secure;
- Whether the contract corresponds to the documentation;
- Whether the contract meets best practices in terms of the efficient use of gas and code readability.
We have scanned this smart contract for commonly known and more specific vulnerabilities:
- Unsafe type inference;
- Timestamp Dependence;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call;
- Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC20 API violation;
- Uninitialized state/storage/local variables;
- Compile version not fixed.
In addition, the Title Deeds CEX protocol was checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
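As an added illustration (not the audited Title Deeds CEX code, which is not reproduced here), the Solidity sketch below shows how the ERC721 extensions described above are typically wired on top of OpenZeppelin, and how the "Gas Limit and Loops" item from the checklist applies to a batched read: role-gated minting, ERC-2981 royalties, an EIP-4906 metadata update event, and a capped batch view. The contract name, role names and the cap value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/common/ERC2981.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/interfaces/IERC4906.sol";

// Illustrative sketch, not the audited Title Deeds CEX code; contract and role names are assumptions.
contract ParcelNFT is IERC4906, ERC721, ERC2981, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant METADATA_ROLE = keccak256("METADATA_ROLE");
    uint256 public constant MAX_BATCH = 100; // hard cap on batched reads (gas limit and loops)
    string private _baseTokenURI;

    constructor(string memory baseURI, address royaltyReceiver, uint96 royaltyBps) ERC721("Parcel", "PARCEL") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);      // admin grants and revokes the other roles
        _setDefaultRoyalty(royaltyReceiver, royaltyBps); // ERC-2981 royalty info read by marketplaces
        _baseTokenURI = baseURI;
    }

    // Minting is role-gated; an unrestricted mint function would be a critical finding.
    function mint(address to, uint256 tokenId) external onlyRole(MINTER_ROLE) {
        _safeMint(to, tokenId);
    }

    // Metadata changes emit the EIP-4906 event so indexers refresh cached token URIs.
    function setBaseURI(string calldata newBase, uint256 fromId, uint256 toId) external onlyRole(METADATA_ROLE) {
        _baseTokenURI = newBase;
        emit BatchMetadataUpdate(fromId, toId);
    }

    // Batched read; the cap keeps one call from running into the block gas limit.
    function ownersOf(uint256[] calldata ids) external view returns (address[] memory owners) {
        require(ids.length <= MAX_BATCH, "batch too large");
        owners = new address[](ids.length);
        for (uint256 i = 0; i < ids.length; ++i) {
            owners[i] = _ownerOf(ids[i]); // address(0) for tokens that do not exist
        }
    }

    function _baseURI() internal view override returns (string memory) { return _baseTokenURI; }

    function supportsInterface(bytes4 id)
        public view override(IERC165, ERC721, ERC2981, AccessControl) returns (bool)
    {
        // 0x49064906 is the interface id fixed by EIP-4906 (the interface declares only events)
        return id == bytes4(0x49064906) || super.supportsInterface(id);
    }
}
```

The same pattern (role-gated mutators, bounded loops in view helpers) carries over to an ERC1155 variant; the review checks that every state-changing entry point sits behind a role and that every batch function bounds its input.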
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Manual code review;
- Static analysis by automated tools;
- Business logic review;
- Unit test coverage check;
- Extensive integration testing;
- Fuzzy and exploratory testing;
- Providing a detailed report of detected issues;
- Verification of fixes;
- Final audit report preparation & publishing.
See our recent smart contract audit case here: Smart Contract Security Audit for Bluelight.
AUTOMATED TOOLS ANALYSIS
The team checked the contracts with the help of several publicly available automated analysis tools, such as Mythril, Solhint, Slither, and SmartDec. We also manually verified all issues detected by the automated tools.
MANUAL CODE REVIEW
During the manual audit, the Blaize Security team analyzed the contracts against the list of common vulnerabilities and internal checklists, checked their correspondence to Solidity best practices (including code style and gas optimization), and validated that the protocol's business logic matches the documented behaviour.
UNIT TEST COVERAGE
The scope of the audit includes the unit test coverage, which is based on the smart contract code, documentation, and requirements presented by the Viewpoint Labs team. Coverage is calculated from the set of Hardhat framework tests and scripts from additional testing strategies. Even so, to further ensure the security of the contracts, the Blaize.Security team recommends that the Viewpoint Labs team implement a bug bounty program to encourage ongoing, active analysis of the smart contracts.
SECURITY ANALYSIS REPORT
In the end, we provided the Viewpoint Labs team with a smart contract security analysis report. The document contains all detected risks and their possible mitigations, issue and vulnerability details, and recommendations for improvement.
The Blaize.Security team found one medium-risk, one low-risk, and a few lowest-severity issues during the audit, and the Viewpoint Labs team successfully fixed all of them.
The overall security of the smart contracts is high. The contracts are well-written and tested: the Viewpoint Labs team prepared solid unit test coverage. Nevertheless, the Blaize Security team prepared its own tests, including additional scenarios to validate the exchange process.
Thus, according to the rules listed above, the level of overall Title Deeds CEX protocol security can be evaluated as Highly Secure, 9.7 out of 10.
The audit document with the full list of identified vulnerabilities and recommendations for their improvement can be found below: ViewPoint-audit-report