info@blaize.tech +38 095 53 72 031

Kyiv, Ukraine, 26 Metalistiv St

Dnipro, Ukraine, 20 Sichovykh Striltsiv St

SMART CONTRACT SECURITY AUDIT FOR TOKENDEAL – Protocol For NFT Sales

1 day


TokenDeal is a protocol for NFT sales. The contract represents the main sale phases: funds collection during purchase, purchased NFT mint after the sale, and collected funds withdrawal.

ABOUT THE PROJECT 

The audited set of contracts represents the protocol for the NFT sale. It handles funds collection, NFT minting, and distribution of funds between the manager and the owner.

Here are the main parts of TokenDeal NFT sale flow:

1. Funds collection 

2. NFT mint 

3. Funds withdrawal 

4. Global refund 

TokenDeal NFT Sale Flow

The audit team checked the contract against common vulnerabilities and its own security checklist, and reviewed the funds flow, user operations, correct role assignment, and the overall business logic (looking for loopholes, backdoors, and potential disruptions of the contract workflow).

Also, the team performed several testing rounds against the whole NFT sale process.

MAIN REQUIREMENTS

Blaize’s task was to find and describe security issues in the smart contracts of the platform.

We needed to check the TokenDeal protocol with the following parameters:

  • Whether contracts are secure on both sides of the bridge;
  • Whether the implemented functionality corresponds to the documentation;
  • Whether contracts meet best practices in efficient use of gas and code readability;
  • Whether the bridge flow is safe for users.

We have scanned both sets of smart contracts for commonly known and more specific vulnerabilities:

  • Unsafe type conversion and unsafe math;
  • Timestamp dependence;
  • Reentrancy (for the Solidity part);
  • Correct role distribution and access control flow;
  • Gas limit and loops;
  • Transaction-ordering dependence;
  • DoS attacks (gas limit, unexpected reverts, storage abuse, etc.);
  • Byte array vulnerabilities;
  • Style guide violations;
  • ERC20 standard correspondence and correct token usage;
  • Uninitialized state/storage/local variables.

Also, the TokenDeal protocol was checked against less common vulnerabilities from the internal Blaize.Security knowledge base.

SMART CONTRACT SECURITY AUDIT PROCEDURE

Blaize.Security has an established security audit procedure. It includes the following steps: 

  1. Manual code review;
  2. Static analysis by automated tools;
  3. Business logic review and decomposition of the system;
  4. Unit test coverage check;
  5. Extensive integration testing;
  6. Fuzzy and exploratory testing;
  7. Providing a detailed report of detected issues;
  8. Verification of fixes;
  9. Final audit report preparation & publishing.


AUTOMATED TOOLS ANALYSIS 

The auditors scanned the contract with several publicly available automated analysis tools and manually verified every issue these tools detected.

MANUAL CODE REVIEW 

The Blaize.Security team manually analyzed the smart contracts for security vulnerabilities. We checked the smart contract logic and compared it with the logic described in the documentation.

SECURITY ANALYSIS REPORT

Finally, we provided the TokenDeal team with the smart contract security analysis report. The report also contains the confirmation of fixes and the necessary explanations from the TokenDeal team.


AUDIT RESULT

The audit found no critical issues. However, the team prepared descriptions and recommendations for a number of low-risk issues, including best practices violations, accuracy loss, and several questions connected to the business logic of the protocol. There were several unclear edge cases for the refund operations, NFT minting, and lock time for the contract. The TokenDeal team resolved or verified all the issues.

The Blaize Security team must also note that the contract depends on a third-party contract: the actual NFT that will be sold. For now, the NFT contract is not written; therefore, there is no way to check the whole process of future NFT minting. Nevertheless, the TokenDeal team prepared the interface for the future NFT, compatible with the sale logic.

Contracts are well documented with NatSpec comments and have good gas optimization. Despite current recommendations for additional checks for the lock change and token address during the minting, the overall security is high enough to comply with the security standard.

Therefore, according to the above-listed rules, the overall security of the smart contract system of the TokenDeal protocol can be evaluated as Highly Secure, 9.9 out of 10!

See the complete list of found vulnerabilities and the recommendations for fixing them in this document:

TokenDeal-Audit-report-1

Service

  • Security audit

Blockchain

  • Ethereum

Project stage

Security audit
