Smart Contract Security Audit For Digital Original

Score:
9.8 /10
Ecosystem:
Ethereum
Type:
NFT Platform
Background Image

Overview

Digital Original is a web3 platform that provides solutions for galleries and digital art markets. The solution provides the standard developed by the Digital Original team for private and public sales and auctions. In such a way, the platform ensures a seamless experience for collectors.

Modern NFT solution developed by the Digital Original team provides a new approach to the ownership of digital assets in the art space. Therefore, both collectors and galleries receive the speculation-proofed solution, new digitalization process, and security backed by the onchain layer. Blaize Security team is happy to support the security side of the platform via the smart contracts audit.

Services: Smart Contract Security Audit
Technologies: Ethereum

Task

During the auditing process for this project, we checked Digital Original smart contracts for various vulnerabilities. The whole procedure is divided into the following stages:

1) Standard vulnerabilities checklists, including but not limited to:

  • Storage structure and data modification flow
  • Access control structure, roles existing in the system
  • Public interface and restrictions based on the roles system
  • Order-dependency and time-dependency of operations
  • Validation of function parameters, inputs validation
  • Asset Security (backdoors connected to underlying assets)
  • Incorrect minting, initial supply or other conditions for assets issuance
  • Denial-of-Service (DoS) attacks
  • General code structure checks and correspondence to best practices
  • Upgradeability issues

and others potential Solidity vulnerabilities and attack vectors;

2) Business logic decompositions to find loopholes, deadlocks, hidden backdoors, incorrect math and calculations, malicious code injections, and other flow-related issues;

3) Review of dependencies, integrations, and 3rd parties, verified with appropriate integration tests;

4) Our internal security checklists were verified during the testing stage. The team focused on the review of the funds’ flow (both stablecoins and NFTs), on the correspondence of the auction flow and sell/purchase process, and on the validation of the solution’s parameters. The team deeply analyzed the business logic of the platform, thoroughly testing each stage of the auction.

Interaction Flow

The auction module of the Digital Original solution we audited.

Interaction Flow Image

During the audit, Blaize Security team reviewed the set of smart contracts for the Digital Original protocol. The solution included the module for auctions creation and the ArtToken - enhanced implementation of the ERC721 standard combined with sell/purchase functionality. The AuctionHouse implements the full auction flow, with several raise stages and the ability to list any digital asset (representing art and/or valuable objects). The auction supports a single chosen currency, implements a custom roles management system, supports several simultaneous auctions and is directly connected with the ArtToken. Together, the contracts complete the Digital Original solution as a standard for digital art ownership.


Our task was to find and describe any security issues in the platform's smart contracts. Thus, the security team provided the decomposition of the protocol, checked the integrity of the business logic, funds flow, access control system, and user flow, and analyzed a set of edge cases. The team also checked the system against several checklists (including all standard vulnerabilities) and conducted an intensive testing stage.

Security Audit Procedure

Blaize. Security auditors start the audit by developing an auditing strategy - an individual plan where the team plans methods, techniques, and approaches for the audited components. That includes a list of activities:

Manual Audit Stage

  • Manual line-by-line code by at least 2 security auditors with cross checks and validation from the security lead;
  • Protocol decomposition and components analysis with building an interaction scheme, depicting internal flows between the components and sequence diagrams;
  • Business logic inspection for potential loopholes, deadlocks, backdoors;
  • Math operations and calculations analysis, formula modeling;
  • Access control review, roles structure, analysis of user and admin capabilities and behavior;
  • Review of dependencies, 3rd parties, and integrations;
  • Review with automated tools and static analysis;
  • Vulnerabilities analysis against several checklists, including internal Blaze. Security checklist;
  • Storage usage review;
  • Gas (or tx weight or cross-contract calls or another analog) optimization;
  • Code quality, documentation, and consistency review.

Testing Stage

  • Development of edge cases based on manual stage results for false positives validation;
  • Integration tests for checking connections with 3rd parties;
  • Manual exploratory tests over the locally deployed protocol;
  • Checking the existing set of tests and performing additional unit testing;
  • Fuzzy and mutation tests (by request or necessity);
  • End-to-end testing of complex systems.

Upon completion of the audit, we delivered a comprehensive security audit report to the Digital Original team. This report included:

  • Identified risks
  • Potential mitigations
  • Detailed vulnerability assessments
  • Recommendations for improvements

Audit Result

The security team noted the high quality of the code, good natspec comments (though the general documentation is absent), high coverage with native unit tests, and good organization of the project and development pipeline. The protocol implements necessary security measures for the smart contracts.

During the audit, Blaize’s security team identified a total of 5 issues: 1 high-risk issue, 2 issues of low severity, and 2 issues connected to substandard or ambiguous behavior. Issues were connected to the risk of frontrun during the asset purchase, extending of the solution parameters’ validation, missed edge case and clarifications on the smart contract buyers’ support. Based on the Digital Original team’s informative feedback, most business logic-related issues were verified during the discussion and consulting. The team also provided all requested patches to close the rest of the issues. Therefore, all offered recommendations were implemented.

Audit Result Image

Audit Result

However, the security team noted several risks to which the platform is exposed: standard risks connected to smart contract’s upgradeability, risks connected to a single point of failure and admin’s private key management, and risks connected to the sanitizing actions delegated out of the contract (with partial dependency on backend services). While all these features are common for web3 solutions, they have certain level of connected risks and should be monitored by the team.

Audit Result Image

The Digital Original team is aware of the raised risks and has resolved all the issues presented by auditors. The codebase has high quality and implements necessary security measures. The security team verified that Digital Original solution has a high audit security score of 9.8 out of 10.

Score:
9.8 /10
Rate Background

Get in Touch

Your blockchain dreams deserve top-tier security. Let's secure them together with our team of certified blockchain security professionals.
Get consulting on WEB3 security from top-tier security researchers and auditors. Contact us, and let's fortify your decentralized future.