@MrCrambo
Last active February 16, 2021 20:10
Summary

This is the report from a security audit performed on NFTLootBox by MrCrambo.

The audit focused primarily on the security of NFTLootBox smart contracts.

In scope

  1. https://github.com/NFTLootBox/contracts/blob/master/contracts/NFTLootbox.sol
  2. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/Context.sol
  3. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/SafeMath.sol
  4. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/Ownable.sol
  5. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/IERC20.sol
  6. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/IERC1155.sol
  7. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/ReentrancyGuard.sol

Findings

In total, 2 issues were reported including:

  • 0 high severity issues.

  • 0 medium severity issues.

  • 2 low severity issues.

  • 0 owner privilege issues.

Security issues

1. Zero address checking

Severity: low severity

Description

None of the following functions check that the address they receive is non-zero: redeemBulk, setTransferAddress, setAuthAddress, updateLootbox. A call that passes address(0), whether by a typo or by a mis-configured front end, is accepted and stored like any other value.

Recommendation

Add zero address checking to every function that accepts an address parameter, for example:

require( _to != address(0) );
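
The contract below is an added example of applying that recommendation across all four functions named in the finding; it is not code from the NFTLootBox repository. The function names are taken from the finding, but their parameter lists, the Lootbox struct, the owner check and the redeem logic are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.7.0 <0.9.0;

// Added example, not the project's NFTLootbox.sol. Function names follow the
// audit finding; parameters, the Lootbox struct and the redeem logic are
// assumed for illustration.
contract ZeroAddressChecks {
    struct Lootbox {
        address paymentToken; // assumed field
        uint256 price;        // assumed field
    }

    address public owner;
    address public transferAddress;
    address public authAddress;
    mapping(uint256 => Lootbox) public lootboxes;

    event Redeemed(address indexed to, uint256 indexed id);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // One modifier reused by every function that takes an address, so a
    // setter added later cannot forget the check.
    modifier nonZero(address _addr) {
        require(_addr != address(0), "zero address");
        _;
    }

    constructor(address _transferAddress, address _authAddress)
        nonZero(_transferAddress)
        nonZero(_authAddress)
    {
        owner = msg.sender;
        transferAddress = _transferAddress;
        authAddress = _authAddress;
    }

    function setTransferAddress(address _to) external onlyOwner nonZero(_to) {
        transferAddress = _to;
    }

    function setAuthAddress(address _to) external onlyOwner nonZero(_to) {
        authAddress = _to;
    }

    // Assumed signature: the lootbox is keyed by id and holds a payment token.
    function updateLootbox(uint256 _id, address _paymentToken, uint256 _price)
        external
        onlyOwner
        nonZero(_paymentToken)
    {
        lootboxes[_id] = Lootbox(_paymentToken, _price);
    }

    // Every recipient is validated inside the loop; a revert on any entry
    // undoes the whole batch, so no partial redemption is left behind.
    function redeemBulk(address[] calldata _to, uint256[] calldata _ids) external {
        require(_to.length == _ids.length, "length mismatch");
        for (uint256 i = 0; i < _to.length; i++) {
            require(_to[i] != address(0), "zero recipient");
            _redeem(_to[i], _ids[i]);
        }
    }

    function _redeem(address _to, uint256 _id) internal {
        emit Redeemed(_to, _id);
    }
}
```

Putting the check in a modifier rather than repeating the require in each body keeps the fix in one place and makes it visible in the function signature during review. The constructor is covered as well, since the initial values are as easy to get wrong as the updated ones.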

2. ERC20 interface extra methods

Severity: low severity

Description

The ERC20 standard does not define mint or burn functions, yet the IERC20 interface in scope declares them. At the same time the interface omits the name(), decimals() and symbol() getters that the standard does describe. Declaring non-standard methods on IERC20 is risky: calling mint or burn through this interface on a token that does not implement them reverts, or, if the token has a fallback function, may silently do nothing.
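
The interface below is an added example of the recommended layout; it is not the project's lib/IERC20.sol. The function and event signatures are those of EIP-20. The mint and burn signatures in the second interface are assumptions, since the project's own signatures are not reproduced in this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.7.0 <0.9.0;

// Added example, not the project's lib/IERC20.sol. This is the EIP-20
// interface: the three optional metadata getters plus the mandatory
// functions and events. mint and burn are deliberately absent because
// EIP-20 does not define them.
interface IERC20 {
    // Optional in EIP-20 but widely implemented; declared here so callers can
    // read token metadata through the same interface.
    function name() external view returns (string memory);
    function symbol() external view returns (string memory);
    function decimals() external view returns (uint8);

    function totalSupply() external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);
}

// If the lootbox needs mint/burn on its own token, keep them in a separate
// interface (signatures assumed) so code that only needs ERC20 cannot call
// them on an arbitrary token by mistake.
interface IMintableBurnableERC20 is IERC20 {
    function mint(address to, uint256 amount) external;
    function burn(address from, uint256 amount) external;
}
```

Splitting the interfaces makes the intent explicit at the call site: a variable typed IERC20 can only be used for standard operations, and anything that mints or burns must be typed with the extended interface.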

Conclusion

The smart contracts contain only low severity issues.
