NFTLootBox.com smart contract security audit report performed by Callisto Security Audit Department
Logic description by developer:
Users purchase lootboxes using their client seed. the contract doesn't use this seed, but the server (which reads the event emitted) does. Since generating random numbers is very difficult on-chain we calculate winnings server-side. once we've determined the user's winnings, they can redeem those winnings through the redeemBulk function.
Commit hash 56ad73a604226e481e78b2dc634001721203ad66
NFTLootbox.sol lib/Context.sol lib/SafeMath.sol lib/Ownable.sol lib/IERC20.sol lib/IERC1155.sol lib/ReentrancyGuard.sol lib/Address.sol
In total, 3 issues were reported including:
-
1 low severity issues.
-
2 notes.
No critical security issues were found.
The imported files located in the /lib/ folder, but in the code /lib/ is missing that cause compiler error.
Use import like following:
import "./lib/Context.sol";
import "./lib/SafeMath.sol";
import "./lib/Ownable.sol";
import "./lib/IERC20.sol";
import "./lib/IERC1155.sol";
import "./lib/ReentrancyGuard.sol";There is no zero address checking in functions: setTransferAddress, setAuthAddress, updateLootbox
Add zero address checking:
require( _address != address(0) );
The modifier nonReentrant is overused that will cause unnecessary gas usage.
The modifier nonReentrant may be removed from functions setTransferAddress, setAuthAddress, updateLootbox where no risk of re-entrance.
The audited smart contract can be deployed. Only low severity issues were found during the audit.
https://gist.github.com/MrCrambo/f11c21632ca2b02d92d2e8ede91b6d19