Smart Contract Security Audit For Bluelight

Securing the Multiverse: A Comprehensive Audit

Score:
9.8 /10
Type:
Bridge
Background Image

Overview

Bluelight is an economic strategy game about building your startups in a multiverse. Bluelight has a strong foundation. The product team behind Bluelight has founded the award-winning private web3 browser Aloha, with millions of users worldwide. The development partner, Dragons Lake, a development studio that worked on various AAA titles for Epic, Sony, and Nintendo. Finally, the lore comes from the Take My Muffin animation series by Toonbox, and the game will be featured in almost every episode.

Technologies: Solidity

Task

Blaize’s task was to find and describe security issues in the smart contracts of the platform.

We needed to check the Kale Bridge smart contracts with the following parameters:

  • Whether the contract is secure;
  • Whether the contract corresponds to the documentation;
  • Whether the contract meets best practices in efficient use of gas and code readability.

We have scanned this smart contract for commonly known and more specific vulnerabilities:

  • Unsafe type inference;
  • Timestamp Dependence;
  • Reentrancy;
  • Implicit visibility level;
  • Gas Limit and Loops;
  • Transaction-Ordering Dependence;
  • Unchecked external call – Unchecked math;
  • DoS with Block Gas Limit;
  • DoS with (unexpected) Throw;
  • Byte array vulnerabilities;
  • Malicious libraries;
  • Style guide violation;
  • ERC20 API violation;
  • Uninitialized state/storage/ local variables;
  • Compile version not fixed.

In addition, Kale Bridge contracts were checked against less common vulnerabilities from the internal Blaize.Security knowledge base.

Our task was to find and describe any security issues in the smart contracts of Kale Bridge. This is the project developed by the Bluelight team. During the audit, Blaize.Security has audited the whole set of smart contracts within three folders. The protocol consists of a Kale BNB ERC20 token, a set of the Bridge smart contracts, and a set of smart contracts necessary for the user and token registry.

The goal of the audit was to analyze the security level of the smart contracts against the list of common vulnerabilities and auditors’ own checklist, ensure that Solidity best practices in terms of code quality and gas optimization are applied, verify the security of users’ funds and the security of Bridge implementation.

Smart Contract Security Audit Procedure

Blaize.Security has an established security audit procedure. It includes the following steps:

Comprehensive Security Audit

  • Manual code review;
  • Static analysis by automated tools;
  • Business logic review;
  • Unit test coverage check;
  • Extensive integration testing;
  • Fuzzy and exploratory testing;
  • Providing a detailed report of detected issues;
  • Verification of fixes;
  • Final audit report preparation & publishing.

Automated Tools Analysis

  • The auditors scanned the contract with several publicly available automated analysis tools such as Mythril, Solhint, Slither, and Smartdec. Manual verification of all the issues detected with these tools.

Manual Code Review

  • The Blaize.Security team made a manual analysis of smart contracts for any security vulnerabilities. We checked smart contract logic and compared it with the one described in the documentation.

Unit Test Coverage

  • The scope of the audit includes the unit test coverage, which is based on the smart contracts code, documentation, and requirements presented by the Bluelight team. The coverage is calculated based on the set of the Hardhat framework tests and scripts from additional testing strategies. However, in order to ensure full security of the contract, the Blaize.Security team suggests the Bluelight team launch a bug bounty program to encourage further active analysis of the smart contracts.

Security Analysis Report

  • Finally, we have provided the Bluelight team with smart contracts security analysis report. The document contains all the detected risks and possible ways of their mitigation, as well as issues, vulnerabilities, and recommendations for fixes and improvements. Besides, the report contains the confirmation of fixes and necessary explanations from the Bluelight team.

First Audit

The Blaize.Security team detected two high, several low, and lowest issues seen during the manual part of the audit. High-severity issues were connected to the ability of the owner to withdraw tokens from the Bridge smart contract and the ability of the signer to claim tokens in any quantity and to any receiver. Both issues were successfully resolved by the Bluelight team. To solve the first issue, the team restrained the owner from withdrawing Bridge tokens, and in order to refund users, a refund system was implemented.

First Audit Image

Second Audit

For the second issue, a system of multiple signers was implemented. So that a certain number of signatures must be provided by the signers to process claiming. Though the protocol still can work with a single signer, which is why it is the Bluelight team’s responsibility to keep a sufficient number of signers in the protocol. Also, a single admin can still claim tokens to any address using the claim function.

Other issues were connected to the lack of variables’ validation, clarification of the business logic of the protocol, and other minor things. Most of them were successfully fixed by the Bluelight team as well. It should also be mentioned that the BNBKale.sol is an upgradable smart contract, which means that the owner of the protocol can update its logic at any time. All the issues can be seen in the Complete analysis section.

Second Audit Image

The overall security of the protocol is high enough. Smart contracts are well-written and contain detailed Natspec documentation. Therefore, according to the above-listed rules, the overall security of the smart-contracts system of Kale Bridge can be evaluated as Highly Secure, 9.8 out of 10.

Score:
9.8 /10
Rate Background
Audit Report

Access the complete security audit report

Detailed Report

Get in Touch

Your blockchain dreams deserve top-tier security. Let's secure them together with our team of certified blockchain security professionals.
Get consulting on WEB3 security from top-tier security researchers and auditors. Contact us, and let's fortify your decentralized future.