Smart Contract Security Audit For Blockus

Score:
10 /10
Ecosystem:
Sui
Type:
NFT Platform

Overview

Blockus aims to change the social gaming sector by blending social interaction and gaming into a single platform, and to simplify the onboarding of traditional gamers into the web3 ecosystem through blockchain technology. With a vision of a community-driven gaming ecosystem, Blockus is moving towards decentralization.

The company offers a comprehensive suite of services, including a Wallet-as-a-Service for easy account management, a first-party NFT marketplace, and versatile payment options supporting fiat and crypto. These features underscore the emphasis on security, ease of use, and trust within the ecosystem.

Recognizing the importance of security in web3, Blockus engaged Blaize, a specialist in blockchain security audits with a portfolio of Sui blockchain projects, including an audit for Mysten Labs. The engagement draws on Blaize's experience with Sui-based projects to strengthen the security of the Blockus ecosystem.

Services: Smart Contracts Audit
Technologies: Sui Move

Task

During the audit, we checked the Blockus smart contracts for a range of vulnerabilities. The procedure is divided into the following stages:

1) Standard vulnerabilities checklists, including but not limited to:

  • Storage structure and data modification flow
  • Access control structure, roles existing in the system
  • Public interface and restrictions based on the roles system
  • Order-dependency and time-dependency of operations
  • Validation of function parameters, inputs validation
  • Asset Security (backdoors connected to underlying assets)
  • Incorrect minting, initial supply or other conditions for assets issuance
  • General code structure checks and correspondence to best practices
  • Language-specific checks
  • Object generation flow

and other potential Move vulnerabilities and attack vectors;

2) Business logic decompositions to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;

3) Review of dependencies, integrations, and 3rd parties, verified with appropriate integration tests;

4) Our own internal security checklists, additionally verified during the testing stage. The team focused on verifying the correctness of the implemented lock mechanics, the safety of stored assets, and the lock management that was built around them.

Protocol Overview

Figure: the part of Blockus's NFT contract we audited.

During the audit, we examined the security of smart contracts for the Blockus protocol. Our task was to find and describe any security issues in the smart contracts of the platform.

The protocol consists of two contracts on the Sui blockchain:

- ambrus_in_game_currency (the Ambrus coin)
- blockus_nfts (the NFT).

The Ambrus coin is an implementation of the Sui coin FALLEN_ARENA_SHARD, with the name Ambrus and the symbol SHARD. The contract provides basic mint and burn functionality restricted to the owner.

The second contract is a basic mint/burn contract for NFTs named BlockusNft, with additional management of the metadata fields. Metadata management is performed by privileged users appointed by the admin.

Security Audit Procedure

Blaize.Security auditors start the audit by developing an auditing strategy: an individual plan in which the team selects the methods, techniques, and approaches for the audited components. It includes the following activities:

Manual Audit Stage

  • Manual line-by-line code review by at least 2 security auditors, with cross-checks and validation by the security lead;
  • Protocol decomposition and components analysis with building an interaction scheme, depicting internal flows between the components and sequence diagrams;
  • Business logic inspection for potential loopholes, deadlocks, backdoors;
  • Math operations and calculations analysis, formula modeling;
  • Access control review, roles structure, analysis of user and admin capabilities and behavior;
  • Review of dependencies, 3rd parties, and integrations;
  • Review with automated tools and static analysis;
  • Vulnerability analysis against several checklists, including the internal Blaize.Security checklist;
  • Storage usage review;
  • Gas optimization (or transaction weight, cross-contract calls, or the equivalent for the platform);
  • Code quality, documentation, and consistency review.

Testing Stage

  • Development of edge cases based on the manual stage results, to validate findings and rule out false positives;
  • Integration tests for checking connections with 3rd parties;
  • Manual exploratory tests over the locally deployed protocol;
  • Checking the existing set of tests and performing additional unit testing;
  • Fuzz and mutation testing (on request or where necessary);
  • End-to-end testing of complex systems.

Upon completion of the audit, we delivered a comprehensive security audit report to the Blockus team. This report included:

  • Identified risks
  • Potential mitigations
  • Detailed vulnerability assessments
  • Recommendations for improvements

Audit Result

The security team concluded that the audited components implement the FT and NFT standards correctly and follow Sui best practices. The functionality is basic and built with standard Sui Move approaches; the auditors note, however, the absence of native tests in the repository. The functionality was instead verified with the auditors' own set of Move tests prepared during the testing stage. The protocol implements the necessary security standards.

During the audit, Blaize's security team identified a total of 5 issues: 1 of low severity and 4 informational. The low-severity issue was a lack of validation of the minted amount, a minor risk to the protocol's integrity. The informational issues were the absence of versioning, the lack of events for tracking operations transparently, and the ability of an admin to edit metadata. None of these was an immediate threat, but all were flagged as areas for improvement to strengthen the protocol's security posture and transparency.


Based on the recommendations in the audit report, the Blockus team promptly addressed and resolved all identified issues. The fixes included validation of minting operations, the introduction of versioning and events for tracking and transparency, and restrictions on admin privileges for metadata editing to guard against unauthorized changes.
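The three coin-side findings above (unvalidated mint amount, no versioning, no events) map onto a small, well-known Sui Move pattern. The module below is an added example written for this page; it is not Blockus's or Blaize's code, and the module name `example::shard`, the `AdminState` object, the `MAX_SUPPLY` cap and the error codes are all assumptions made for illustration. It is written for the Move 2024 edition of the Sui framework.

```move
/// Added example (not the audited Blockus code): a coin mint path that
/// validates the amount, enforces a supply cap, carries a version and
/// emits an event. Every name in here is illustrative.
module example::shard {
    use std::option;
    use sui::coin::{Self, TreasuryCap};
    use sui::event;
    use sui::object::{Self, UID};
    use sui::transfer;
    use sui::tx_context::{Self, TxContext};

    /// Package version; bump this constant on every upgrade and call
    /// `migrate` so stale objects cannot be used with new code.
    const VERSION: u64 = 1;
    /// Hard cap on total supply, in base units (assumed value).
    const MAX_SUPPLY: u64 = 1_000_000_000;

    /// Abort codes (assumed numbering).
    const EZeroAmount: u64 = 0;
    const ESupplyCapExceeded: u64 = 1;
    const EWrongVersion: u64 = 2;
    const ENotAnUpgrade: u64 = 3;

    /// One-time witness; its name must be the upper-cased module name.
    public struct SHARD has drop {}

    /// Owned object that holds the TreasuryCap. Whoever owns this object
    /// is the only party able to pass `&mut AdminState` into `mint`, so
    /// Sui's object ownership is the access control.
    public struct AdminState has key {
        id: UID,
        version: u64,
        cap: TreasuryCap<SHARD>,
    }

    /// Emitted on every successful mint so indexers can audit issuance.
    public struct MintEvent has copy, drop {
        amount: u64,
        recipient: address,
        total_supply: u64,
    }

    fun init(witness: SHARD, ctx: &mut TxContext) {
        // 9 decimals, symbol SHARD, name Ambrus: taken from the page;
        // the description string is a placeholder.
        let (cap, metadata) = coin::create_currency(
            witness, 9, b"SHARD", b"Ambrus", b"in-game currency", option::none(), ctx,
        );
        // Freezing the metadata removes the "admin can edit metadata" concern.
        transfer::public_freeze_object(metadata);
        transfer::transfer(
            AdminState { id: object::new(ctx), version: VERSION, cap },
            tx_context::sender(ctx),
        );
    }

    /// Mint `amount` base units to `recipient`.
    public fun mint(state: &mut AdminState, amount: u64, recipient: address, ctx: &mut TxContext) {
        // Versioning: refuse to operate on state written by another package version.
        assert!(state.version == VERSION, EWrongVersion);
        // Amount validation: the finding flagged on the audited contract.
        assert!(amount > 0, EZeroAmount);
        let supply = coin::total_supply(&state.cap);
        // u64 addition aborts on overflow in Move, so this check cannot be wrapped around.
        assert!(supply + amount <= MAX_SUPPLY, ESupplyCapExceeded);

        let minted = coin::mint(&mut state.cap, amount, ctx);
        transfer::public_transfer(minted, recipient);
        event::emit(MintEvent { amount, recipient, total_supply: supply + amount });
    }

    /// Run once by the owner after a package upgrade to move the object
    /// forward; only increases are allowed.
    public fun migrate(state: &mut AdminState) {
        assert!(state.version < VERSION, ENotAnUpgrade);
        state.version = VERSION;
    }
}
```

The version field lives on the object rather than in code alone because an upgraded Sui package still sees the old objects; the `assert!` in `mint` is what turns a version constant into an actual guard. The supply cap is shown as a constant for brevity; a project that needs to raise it later would store it in `AdminState` and change it through a separately guarded function.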


Given the results of the audit, the adherence to security best practices, the quality of the documentation, and the prompt resolution of the identified issues, the security team granted Blockus an audit security score of 10 out of 10. The score reflects Blockus's commitment to maintaining a high standard of security and operational quality within the blockchain domain.
