Smart Contract Security Audit For Title Deeds CEX By Viewpoint Labs

Score: 9.7/10
Type: NFT Platform

Overview

Viewpoint Labs specializes in consumer products with a focus on web3 and entertainment. They build applications with an outstanding user experience, simplifying mass adoption of new technologies for 200+ million users worldwide.

This case covers the smart contract security audit of the Title Deeds CEX protocol, which was built by the Viewpoint Labs team. This is the second audit of this protocol. The first was the audit of the core contract, TitleDeeds.sol.

Services: Smart Contracts Audit
Technologies: Ethereum, BNB Chain, Solidity

Task

We were assigned to detect and describe security issues in the smart contract set of the Title Deeds CEX protocol.

We needed to check the smart contracts against the following parameters:

  • Whether the contract is secure;
  • Whether the contract corresponds to the documentation;
  • Whether the contract meets best practices in terms of the efficient use of gas and code readability.

We have scanned this smart contract for commonly known and more specific vulnerabilities:

  • Unsafe type inference;
  • Timestamp Dependence;
  • Reentrancy;
  • Implicit visibility level;
  • Gas Limit and Loops;
  • Transaction-Ordering Dependence;
  • Unchecked external call;
  • Unchecked math;
  • DoS with Block Gas Limit;
  • DoS with (unexpected) Throw;
  • Byte array vulnerabilities;
  • Malicious libraries;
  • Style guide violation;
  • ERC20 API violation;
  • Uninitialized state/storage/local variables;
  • Compile version not fixed.

In addition, Title Deeds CEX protocol was checked against less common vulnerabilities from the internal Blaize.Security knowledge base.

Protocol Overview

[Figure: Title Deeds CEX Protocol Flow]

Our task was to find and describe security issues in the smart contracts of the platform. Blaize Security reviewed the whole set of contracts within the scope provided by the Viewpoint Labs team. The protocol allows users to redeem their Title Deeds NFTs in the Ethereum network and receive Parcel and Blueprint NFTs in the BNB Chain network.

The protocol also contains custom ERC721 and ERC1155 implementations, which extend basic NFT functionality with role management, minting, royalty, metadata update notifications, and batched retrieval of information about NFTs. The Blaize Security team also reviewed all of these implementations.

Smart Contract Security Audit Procedure

Blaize.Security has an established security audit procedure. It includes the following steps:

Comprehensive Security Audit

  • Manual code review;
  • Static analysis by automated tools;
  • Business logic review;
  • Unit test coverage check;
  • Extensive integration testing;
  • Fuzz and exploratory testing;
  • Providing a detailed report of detected issues;
  • Verification of fixes;
  • Final audit report preparation & publishing.

Automated Tools Analysis

  • The team checked the contract with several publicly available automated analysis tools, such as Mythril, Solhint, Slither, and Smartdec. We also manually verified all the issues detected by the automated tools.

Manual Code Review

  • During the manual audit, the Blaize Security team analyzed the contracts against the list of common vulnerabilities and internal checklists, checked their conformance to Solidity best practices (including code style and gas optimization), and validated that the business logic of the protocol matches the documented one.

Unit Test Coverage

  • The scope of the audit includes unit test coverage based on the smart contract code, documentation, and requirements presented by the Viewpoint Labs team. Coverage is calculated from the set of Hardhat framework tests and scripts from additional testing strategies. However, to ensure the security of the contract, the Blaize.Security team recommends that the Viewpoint Labs team implement a bug bounty program to encourage further, active analysis of the smart contracts.

Security Analysis Report

  • In the end, we provided the Viewpoint Labs team with a smart contract security analysis report. The document contains all detected risks and possible mitigations, details of the issues and vulnerabilities, and recommendations for fixing them.

Audit Result

The Blaize.Security team found one medium-risk, one low-risk, and a few lowest-severity issues during the audit, and the Viewpoint Labs team successfully fixed all of them.
The overall security of the smart contracts is high enough. The contracts are well-written and tested: the Viewpoint Labs team prepared solid unit test coverage. Nevertheless, the Blaize Security team prepared its own tests, including additional scenarios to validate the exchange process.

Thus, according to the rules listed above, the level of overall Title Deeds CEX protocol security can be evaluated as Highly Secure, 9.7 out of 10.
