Smart Contract Security Audit For Cryptopia

Score: 9.8/10
Type: GameFi

Overview

At Blaize, we take the security of blockchain projects seriously, and our recent collaboration with Cryptopia stands as a testament to our commitment. In this case study, we will delve into the comprehensive security audit we conducted for the Cryptopia protocol, highlighting our rigorous process and the outcomes achieved.

Services: Smart Contracts Audit
Technologies: Ethereum, Solidity

Task

At Blaize Security, we approach each audit with a well-defined strategy. For Cryptopia the audit covered the following areas:

1) Standard vulnerability checklists, including but not limited to:

  • Reentrancy
  • Gas limit and loops
  • Transaction-ordering dependence
  • Unchecked external calls
  • Denial-of-Service (DoS) attacks
  • Malicious libraries and injections
  • Storage issues (uninitialized, unused, etc.) and incorrect local variable usage
  • Upgradeability issues
  • Correct NFT storage for metadata

and other potential Solidity vulnerabilities and attack vectors;

2) Business logic decompositions to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;

3) Review of dependencies, integrations, and 3rd parties, verified with appropriate integration tests;

4) Our internal security checklists, with a heavy emphasis on NFT-related security, verified during the testing stage. The team focused on the correctness of NFT minting and on the foundation of the future game logic, which starts with ship distribution and upgrades. The auditors additionally ran a round of tests against the meta-transaction mechanism integrated into the protocol.

Protocol Overview

Diagram: the part of the Cryptopia smart contracts that was audited.

Cryptopia entrusted Blaize with the crucial task of auditing the security of their smart contracts. Our objective was clear: to identify and describe any potential security vulnerabilities within the smart contracts of the Cryptopia platform. This report serves as a detailed account of our findings during the security audit.

The scope covered the contracts together with the tests, scripts, documentation, and requirements provided by the Cryptopia team. Coverage went beyond the existing Hardhat tests and scripts: we added manual and exploratory rounds to make the review as thorough as possible.

Smart Contract Security Audit Procedure

The audit was carried out in two stages:

Manual Audit Stage

  • Manual line-by-line code review by at least two security auditors, with cross-checks and validation by the security lead;
  • Protocol decomposition and components analysis with building an interaction scheme, depicting internal flows between the components and sequence diagrams;
  • Business logic inspection for potential loopholes, deadlocks, backdoors;
  • Math operations and calculations analysis, formula modeling;
  • Access control review, roles structure, analysis of user and admin capabilities and behavior;
  • Review of dependencies, 3rd parties, and integrations;
  • Review with automated tools and static analysis;
  • Vulnerabilities analysis against several checklists, including internal Blaize.Security checklist;
  • Storage usage review;
  • Gas optimization (or the equivalent cost metric on other chains: tx weight, cross-contract calls, etc.);
  • Code quality, documentation, and consistency review.

Testing Stage

  • Development of edge-case tests from the manual-stage findings to rule out false positives;
  • Integration tests for checking connections with 3rd parties;
  • Manual exploratory tests over the locally deployed protocol;
  • Checking the existing set of tests and performing additional unit testing;
  • Fuzz and mutation testing (on request or where necessary);
  • End-to-end testing of complex systems;

Upon completing the audit, we delivered a comprehensive smart contract security analysis report to the Cryptopia team. This report included:

  • Identified risks
  • Potential mitigations
  • Detailed vulnerability assessments
  • Post-audit activities recommendation
  • Recommendations for improvements

Audit Result

Our audit of the Cryptopia protocol comprised an analysis of an ERC721 NFT collection, a factory for minting new tokens, and common contracts for EIP-712 typed-data signatures and meta-transactions. The tokens represent ships with various characteristics and stats; users mint new ships by paying ETH, and a ship's rarity determines the daily allocation it receives in an ERC-20 token.

Our rigorous testing covered all smart contract scenarios, from minting and upgrading tokens to allocation distribution and meta-transaction execution. We verified the correct flow of allocation claiming and the protocol’s compatibility with OpenSea’s authentication for gasless transactions.

The auditors found no critical issues. Two high-risk, three medium-risk, five low-risk, and several lowest-risk problems were detected. The high-risk issues were an obsolete ETH transfer method and a TokenReceiver implementation that allowed anyone to withdraw the tokens it held.
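The two high-risk patterns named above, shown as an added illustration that is not Cryptopia's code: a constructed TokenReceiver with an unrestricted token withdrawal and a fixed-stipend transfer() payout, beside a hardened version. Contract, function and event names are hypothetical, and the reading of "obsolete ETH transfer method" as the address.transfer()/send() pattern with its 2300-gas stipend is our assumption about the finding, not a statement from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for illustration only; not the audited Cryptopia code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TokenReceiverVulnerable {
    address public owner;

    constructor() { owner = msg.sender; }

    // Pattern of the access-control finding: no restriction on the caller, so
    // anyone can move every token the contract holds to an address of their choice.
    // The bool returned by transfer() is also ignored.
    function withdrawTokens(address token, address to, uint256 amount) external {
        IERC20(token).transfer(to, amount);
    }

    // Pattern of the obsolete-transfer finding (assumed): transfer() forwards a
    // fixed 2300-gas stipend. A recipient whose receive() needs more gas, e.g. a
    // smart-contract wallet, reverts here, so ETH owed to it can never be paid out.
    function payout(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }

    receive() external payable {}
}

contract TokenReceiverHardened {
    address public immutable owner;
    bool private locked;

    event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);
    event EthPaid(address indexed to, uint256 amount);

    error NotOwner();
    error Reentrant();
    error TokenTransferFailed();
    error EthTransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Simple mutex; with the low-level call below the recipient receives all
    // remaining gas, so a guard replaces the protection the 2300 stipend gave.
    modifier nonReentrant() {
        if (locked) revert Reentrant();
        locked = true;
        _;
        locked = false;
    }

    constructor() { owner = msg.sender; }

    // Only the owner may sweep tokens, and the return value is checked.
    // Tokens that return nothing (e.g. USDT) need a SafeERC20-style wrapper instead.
    function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
        if (!IERC20(token).transfer(to, amount)) revert TokenTransferFailed();
        emit TokensWithdrawn(token, to, amount);
    }

    // Checks-effects-interactions: state/events first, external call last,
    // using call{value:} (forwards all gas) and checking its success flag.
    function payout(address payable to, uint256 amount) external onlyOwner nonReentrant {
        emit EthPaid(to, amount);
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert EthTransferFailed();
    }

    receive() external payable {}
}
```

The unrestricted withdrawal is the kind of defect the exploratory testing stage catches directly: calling withdrawTokens from a non-owner signer against a locally deployed instance succeeds on the vulnerable contract and reverts with NotOwner on the hardened one. Where a contract pays many recipients, a pull-based claim function is preferable to looping push payments, since a single reverting recipient would otherwise block everyone (the denial-of-service item on the checklist).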


In conclusion, the overall security of the Cryptopia protocol, reviewed by both the Cryptopia and Blaize Security teams, ranks high, with well-written and thoroughly tested contracts. While the contracts' settings appear correct, we recommend a double-check of specific functions before deployment. Our assessment rates the overall security at 9.8 out of 10. At Blaize, we take pride in providing comprehensive security audits to safeguard blockchain projects and ensure the integrity of smart contracts. The successful completion of the Cryptopia audit stands as a testament to our commitment to excellence in blockchain security.


Get in Touch

Your blockchain dreams deserve top-tier security. Let's secure them together with our team of certified blockchain security professionals.
Get consulting on Web3 security from top-tier security researchers and auditors. Contact us, and let's fortify your decentralized future.