This is the report from a security audit performed on Wall_v3 by MrCrambo.
The audit focused primarily on the security of Wall_v3 smart contracts.
- https://github.com/isvirin/TheWall/blob/4d7b98e06def9a605aba06663d5c90d5a5e55c54/thewallusers.sol
- https://github.com/isvirin/TheWall/blob/4d7b98e06def9a605aba06663d5c90d5a5e55c54/thewallcoupons.sol
- https://github.com/isvirin/TheWall/blob/4d7b98e06def9a605aba06663d5c90d5a5e55c54/thewallbeneficiaries.sol
- https://github.com/isvirin/TheWall/blob/4d7b98e06def9a605aba06663d5c90d5a5e55c54/thewall.sol
- https://github.com/isvirin/TheWall/blob/4d7b98e06def9a605aba06663d5c90d5a5e55c54/thewallcore.sol
In total, 3 issues were reported including:
-
0 high severity issues.
-
0 medium severity issues.
-
2 owner privilegies issues.
-
1 low severity issues.
The owner can commitSecret with various frequency or don't commit at all.
The frequency at with the commitSecret and updateSecret is called is important to the users. If a user that created new area want to rent or sell it and the owner didn't call commitSecret for his hash then isPremium will return false, resulting in a loss of 30% (fee charged) even if his nonce and secret will give him a premium area. If the secret is committed later, a possible new owner will have access to the premium privilege.
- If commit secret periodically, then put the schedule on the website to inform users when they may get Premium.
- Lock the sell and rent functionalities and unlock them after the secret commit.
- Automate the process using an oracle callback such as oracalize or chainlink.
- Owner can change cost wei without restrictions.
The wall users still could burn from any account without restrictions.
Smart contracts contain only low severity issues.