Public Smart Contract Audit: Next Earth, part 1.

Overview

The Next Earth project requested a smart contract code security audit.

Start date of the audit: 2021.07.06.

Report date: 2021.07.07.

Project website: https://nextearth.io/

Platform: Solidity / Ethereum

Audited commit: 4bac0998cac7e19a3a5370c997551ba71bb82d57

Smart contracts in scope:

  • NFT.sol
  • Payment.sol
  • Presalse.sol
  • PriceFeed.sol

Imported smart contracts:

  • @chainlink/contracts/src/v0.6/interfaces/AggregatorV3Interface.sol
  • @openzeppelin/contracts/access/AccessControl.sol
  • @openzeppelin/contracts/access/Ownable.sol
  • @openzeppelin/contracts/security/Pausable.sol
  • @openzeppelin/contracts/token/ERC721/ERC721.sol
  • @openzeppelin/contracts/token/ERC721/extensions/ERC721Burnable.sol
  • @openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol
  • @openzeppelin/contracts/utils/cryptography/ECDSA.sol

Overall result: pass

Auditor: six ~ PGP 450F 4AC8 0BD8

Objective and methodology

The objective of the security assessment is to gain insight into the security of the smart contracts listed in the scope.

Code review main check items:

  • Line-by-line audit
  • Business logic
  • Data consistency
  • Coding style violations
  • Gas usage
  • Reentrancy

Automated tools:

Further documents incorporated in the methodology:

Audit results

Critical severity

No cricitcal severity issue have been found during the manual code review or by using automated tools.

High severity

No high severity issue have been found during the manual code review or by using automated tools.

Medium severity

No medium severity issue have been found during the manual code review or by using automated tools.

Low severity

Presale.sol | Creation of unintended packs in setPackPrice()

Description and impact

At line61 it is specified that we have packages from 1 to 5, but in the setPackPrice function at line120, it allows to pass zero or any positive number up to 2**32-1 for _type and 2**256-1 for price.

Logic says, that would be also an integer overflow, but from Solidity compiler version 0.8.0, overflowing transactions get reverted automatically.

This vulnerability allows the creation of packages against the intentional logic of the project.

This is only a low level vulnerability as onlyOwner is used and it can’t be exploited by others.

Line 61.:

require(packType >= 1 && packType <= 5, “invalid pack type”); // we have 5 pack types from 1 to 5

Line 120.:

function setPackPrice(uint32 _type, uint256 price) external onlyOwner {

packPrices[_type] = price;

}

Proposed solution

You could use a require statement checking the type (and preferably the price too) before setting the price for a pack.

Presale.sol | Unused code, todo, typo

Description

Payment.sol, line36.

// TODO can we do this pull over push?

Presale.sol, line 88.

// uint256 contractShare = msg.value – charityShare – comissionShare; // not used, need to remove it

NFT.sol, line 42.

// happens against a signle single user…

Presale.sol, multiple lines:

comissionCode” → “commissionCode”

Proposed solution

Update the mentioned points.

NFT.sol | Minting functions can go above gas limit

Description

The issue was acknowledged by the project before the audit.

Function safeMint from line 35. and function safeMintTo() from line 49. can go above the gas limit if tokenIds.length becomes too big.

Proposed solution

Implement limits, don’t let users break themselves.

Lack of README file

Description

The project does not have a README file or documentation.

Proposed solution

Provide a clear documentation and use more comments.

Lack of comments regarding functionality

Description

The smart contracts have comments at some critical points, but not about the functions or general code logic.

It is also recommended to add NatSpec to the code.

Proposed solution

Follow the Solidity Coding style guide.

https://docs.soliditylang.org/en/latest/style-guide.html

Contact

Awalcon – six

Website: https://awalcon.org/

E-mail:six@awalcon.org

Telegram/Signal: +36 20 256 4090

Git: https://git.hsbp.org/six

PGP: B1F7 B1D6 8838 98B4 2212 1D90 CA71 D1E4 078E 99C5

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty + twenty =