Public Smart Contract Audit: Next Earth, part 1.

Overview

The Next Earth project requested a smart contract code security audit.

Start date of the audit: 2021.07.06.

Report date: 2021.07.07.

Project website: https://nextearth.io/

Platform: Solidity / Ethereum

Audited commit: 4bac0998cac7e19a3a5370c997551ba71bb82d57

Smart contracts in scope:

  • NFT.sol
  • Payment.sol
  • Presale.sol
  • PriceFeed.sol

Imported smart contracts:

  • @chainlink/contracts/src/v0.6/interfaces/AggregatorV3Interface.sol
  • @openzeppelin/contracts/access/AccessControl.sol
  • @openzeppelin/contracts/access/Ownable.sol
  • @openzeppelin/contracts/security/Pausable.sol
  • @openzeppelin/contracts/token/ERC721/ERC721.sol
  • @openzeppelin/contracts/token/ERC721/extensions/ERC721Burnable.sol
  • @openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol
  • @openzeppelin/contracts/utils/cryptography/ECDSA.sol

Overall result: pass

Auditor: six ~ PGP 450F 4AC8 0BD8

Objective and methodology

The objective of the security assessment is to gain insight into the security of the smart contracts listed in the scope.

Code review main check items:

  • Line-by-line audit
  • Business logic
  • Data consistency
  • Coding style violations
  • Gas usage
  • Reentrancy

Automated tools:

Further documents incorporated in the methodology:

Audit results

Critical severity

No critical severity issues have been found during the manual code review or by using automated tools.

High severity

No high severity issues have been found during the manual code review or by using automated tools.

Medium severity

No medium severity issues have been found during the manual code review or by using automated tools.

Low severity

Presale.sol | Creation of unintended packs in setPackPrice()

Description and impact

Line 61 specifies that pack types range from 1 to 5, but the setPackPrice function at line 120 accepts zero or any positive number up to 2**32-1 for _type and up to 2**256-1 for price.

One would also expect an integer overflow here, but from Solidity compiler version 0.8.0 onward, overflowing transactions are reverted automatically.

This vulnerability allows the creation of packages that go against the intended logic of the project.

This is only a low severity vulnerability, because onlyOwner is used and it can’t be exploited by others.

Line 61:

require(packType >= 1 && packType <= 5, "invalid pack type"); // we have 5 pack types from 1 to 5

Line 120:

function setPackPrice(uint32 _type, uint256 price) external onlyOwner {
    packPrices[_type] = price;
}

Proposed solution

You could use a require statement checking the type (and preferably the price too) before setting the price for a pack.
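
A sketch of the proposed fix, added here as an illustration and not taken from the Next Earth repository. Only setPackPrice(), packPrices and the 1 to 5 range come from the report; the constants, the price ceiling, the modifier and the event are assumptions, and OpenZeppelin 4.x is assumed to match the import paths listed in the scope.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// OpenZeppelin 4.x assumed (Ownable takes no constructor argument).
import "@openzeppelin/contracts/access/Ownable.sol";

// Added illustration, not the Next Earth Presale.sol source.
contract PresalePackPrices is Ownable {
    // Same bounds as the purchase-side check quoted from line 61.
    uint32 public constant MIN_PACK_TYPE = 1;
    uint32 public constant MAX_PACK_TYPE = 5;
    // Hypothetical sanity ceiling; pick a value that matches the sale terms.
    uint256 public constant MAX_PACK_PRICE = 100 ether;

    mapping(uint32 => uint256) public packPrices;

    // Hypothetical event so that price changes are visible off-chain.
    event PackPriceSet(uint32 indexed packType, uint256 oldPrice, uint256 newPrice);

    // One shared range check keeps the setter and the purchase path consistent.
    modifier validPackType(uint32 packType) {
        require(packType >= MIN_PACK_TYPE && packType <= MAX_PACK_TYPE, "invalid pack type");
        _;
    }

    function setPackPrice(uint32 _type, uint256 price)
        external
        onlyOwner
        validPackType(_type)
    {
        // Rejects a zero price (a free pack) and values above the ceiling.
        require(price > 0 && price <= MAX_PACK_PRICE, "invalid pack price");
        uint256 oldPrice = packPrices[_type];
        packPrices[_type] = price;
        emit PackPriceSet(_type, oldPrice, price);
    }
}
```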

Presale.sol | Unused code, todo, typo

Description

Payment.sol, line 36.

// TODO can we do this pull over push?

Presale.sol, line 88.

// uint256 contractShare = msg.value - charityShare - comissionShare; // not used, need to remove it

NFT.sol, line 42.

// happens against a signle single user…

Presale.sol, multiple lines:

“comissionCode” → “commissionCode”

Proposed solution

Update the mentioned points.

NFT.sol | Minting functions can go above gas limit

Description

The issue was acknowledged by the project before the audit.

The safeMint() function starting at line 35 and the safeMintTo() function starting at line 49 can exceed the gas limit if tokenIds.length becomes too large.

Proposed solution

Implement limits, don’t let users break themselves.
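
One way to bound the batch size, added here as an illustration and not taken from the Next Earth repository. The report only names safeMintTo() and the tokenIds array; the function signature, the onlyOwner guard, the contract name and MAX_BATCH_SIZE are assumptions, with OpenZeppelin 4.x assumed as in the import list.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// OpenZeppelin 4.x assumed, matching the import paths in the audit scope.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Added illustration, not the Next Earth NFT.sol source.
contract BoundedBatchNFT is ERC721, Ownable {
    // Hypothetical cap: derive the real value from measured gas per mint
    // (ERC721Enumerable bookkeeping and receiver callbacks add to it)
    // so that a full batch stays well below the block gas limit.
    uint256 public constant MAX_BATCH_SIZE = 50;

    constructor() ERC721("Bounded Batch Example", "BBE") {}

    // Signature and access control are assumptions for this sketch.
    function safeMintTo(address to, uint256[] calldata tokenIds) external onlyOwner {
        uint256 count = tokenIds.length;
        // Reject oversized batches up front instead of running out of gas
        // partway through the loop, which still consumes the caller's gas.
        require(count > 0 && count <= MAX_BATCH_SIZE, "invalid batch size");
        for (uint256 i = 0; i < count; i++) {
            // _safeMint reverts on an already minted id and calls
            // onERC721Received when `to` is a contract.
            _safeMint(to, tokenIds[i]);
        }
    }
}
```

Larger mints are then split by the caller into several transactions of at most MAX_BATCH_SIZE ids each.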

Lack of README file

Description

The project does not have a README file or documentation.

Proposed solution

Provide clear documentation and use more comments.

Lack of comments regarding functionality

Description

The smart contracts have comments at some critical points, but not about the functions or general code logic.

It is also recommended to add NatSpec to the code.

Proposed solution

Follow the Solidity Coding style guide.

https://docs.soliditylang.org/en/latest/style-guide.html

Contact

Awalcon – six

Website: https://awalcon.org/

E-mail: six@awalcon.org

Telegram/Signal: +36 20 256 4090

Git: https://git.hsbp.org/six

PGP: B1F7 B1D6 8838 98B4 2212 1D90 CA71 D1E4 078E 99C5

4 Microsoft Exchange Server vulnerabilities

March 2021 has not been a good month for Microsoft. At the beginning of March, Microsoft issued warnings about critical unpatched Exchange Server vulnerabilities.

These vulnerabilities can affect tens of thousands of businesses and government entities in the U.S., in Asia, and in Europe. In addition, the number of targeted attacks has increased.

Outside the U.S., the malware also infected services in Norway, the Czech Republic, and the Netherlands. Attackers are aggressively scanning for Microsoft’s email servers, which are high-value targets. This time the number of attacks was higher than in last December’s SolarWinds hacking spree. The vulnerability allows attackers to break into Microsoft Exchange Servers and install unauthorized web-based backdoors to facilitate long-term access.

Awalcon recommends updating or disconnecting the affected Exchange Servers immediately.

The vulnerability CVE-2021-26855 allows an attacker to bypass authentication on an on-premises Microsoft Exchange Server that is able to receive untrusted connections from an external source on port 443. The other vulnerabilities are CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065: these allow malicious parties to gain remote access to the vulnerable systems. It is an interesting fact that both CVE-2021-26855 and CVE-2021-27065 were reported in October 2020.

On March 12, 2021, Microsoft released an emergency patch for all four security issues. As always, there is bad news for the affected businesses: installing the patches is not enough if you have already been backdoored.

Google Chrome zero-day vulnerability

Google has introduced an update to the Chrome browser and released a second patch within a month that fixes five vulnerabilities, including a zero-day vulnerability. One of the most important bugs is tracked as CVE-2021-21193 and affects the Windows, Linux, and OS X versions of the browser.

This vulnerability was detected by an anonymous user, and through this bug an attacker can execute arbitrary code on the target system. The bug is rated 8.8 out of 10 on the CVSS scale. To avoid this security issue, update your Google Chrome browser at Settings -> Help -> About.

Why the browsers?
In many organizations, browsers tend to evolve faster than other applications, and while that is a great way to reap the benefits, attackers continue to target them because they remain excellent entry points for endpoint threats within the organization. In addition, extensions are usually updated less frequently and require hardening to prevent further attacks.

What is a zero-day vulnerability?
Timing is most important here. The moment the flaw becomes known, hackers around the world can try to exploit it. Overall, programmers have zero days to find a solution to the issue, hence the term “zero-day vulnerability”.

A zero-day vulnerability can take almost any form, such as missing data encryption, buffer overflows, missing permissions, SQL injection, broken algorithms, URL redirects, errors, or password security issues.

How to protect yourself?
Here are some tips to help protect your business from these types of attacks:

Be informed: pay attention to software vendor spending; it may be time to take advantage of security measures or to respond to threats before they are taken advantage of.

Take additional security measures: consider seeking the assistance of an experienced professional, as the safety measures mentioned above are not sufficient to fully protect you.

Keep your system up to date: make sure your software platforms are up to date. The best solution is to allow automatic updates so that the software is updated regularly without any manual intervention.