Smart Contract Security Audit For LiquidAccess

Score: 9.6/10
Ecosystem:
Type: NFT Platform

Overview

We are happy to say that we’ve finished a smart contract security audit for LiquidAccess, the protocol for advanced operations with NFTs.

Services: Smart Contracts Audit
Technologies: Ethereum Solidity

Task

The main task of the Blaize.Security team was to find and describe any security issues in the smart contracts of the platform.

We needed to check the LiquidAccess smart contracts according to the following parameters:

  • Whether the contract is secure;
  • Whether the contract corresponds to the documentation;
  • Whether the contract meets best practices for efficient gas use and code readability.

Thus, the contracts were checked against the following set of commonly known and more specific vulnerabilities during the LiquidAccess code audit:

  • Unsafe type inference;
  • Timestamp Dependence;
  • Reentrancy;
  • Implicit visibility level;
  • Gas Limit and Loops;
  • Transaction-Ordering Dependence;
  • Unchecked external call;
  • Unchecked math;
  • DoS with Block Gas Limit;
  • DoS with (unexpected) Throw;
  • Byte array vulnerabilities;
  • Malicious libraries;
  • Style guide violation;
  • ERC20 API violation;
  • Uninitialized state/storage/local variables;
  • Compile version not fixed.

Also, the LiquidAccess NFT set of contracts was checked against the less common vulnerabilities from the internal Blaize.Security knowledge base.

During the audit, we examined the security of smart contracts for the LiquidAccess protocol. Our task was to find and describe any security issues in the smart contracts of the platform. The scope of the project included the LiquidAccess set of contracts – LiquidAccess.sol.

LiquidAccess.sol is an NFT contract that implements the ERC721 NFT standard, the ERC2981 royalty standard, and the ERC4906 Metadata Update Extension. During the deployment of the contract, the token’s name, symbol, merchant, and merchant ID are set in storage.

The minting flow of the contract contains the safeMint() function, which can be executed only by the owner of the contract. During the minting, the owner can specify the receiver, a subscription type, and the expiration of the token.

There are also setters that allow the owner to change the subscription type and the expiration of existing tokens. The contract contains additional setters, which allow the owner to set the following information about the contract: the royalty, the lockup period, the user and NFT blacklists, and the NFT's and the contract’s name, description, and image.

Smart Contract Security Audit Procedure

Blaize.Security has an established security audit procedure. It includes the following steps:

Comprehensive Security Audit

  • Manual code review;
  • Static analysis by automated tools;
  • Business logic review;
  • Unit test coverage check;
  • Extensive integration testing;
  • Fuzz and exploratory testing;
  • Providing a detailed report of detected issues;
  • Verification of fixes;
  • Final audit report preparation & publishing.

Automated Tools Analysis

  • The automated part of the analysis was performed with several publicly available tools such as Mythril, Solhint, Slither, and Smartdec. In addition, the team manually verified all the issues found with these tools.

Manual Code Review

  • The auditors used manual analysis to search for security vulnerabilities. We checked the smart contract logic and compared it with the logic described in the documentation.

Unit Test Coverage

  • The scope of the audit included the unit test coverage, which was based on the smart contract code, documentation, and requirements presented by the LiquidAccess team. The coverage was calculated from the set of Hardhat framework tests and scripts from additional testing strategies.

Security Analysis Report

  • In the end, we provided LiquidAccess with a full smart contract security analysis report. The document contains all the detected risks, issues, and vulnerabilities, along with possible ways to mitigate them and improve security.

Audit Result

According to the assessment, the LiquidAccess smart contracts have no critical security problems, the overall quality of the code is high, and the functionality is well-documented and optimized. Most of the issues were fixed by the LiquidAccess team.

However, in order to ensure high security of the contract, the Blaize.Security team suggests the LiquidAccess team launch a bug bounty program to encourage further active analysis of the smart contracts.

According to the rules listed above, the overall security of the LiquidAccess smart contracts can be evaluated as Highly Secure, 9.6 out of 10.
