Smart Contract Security Audit For Nemus

Score: 9.75/10
Ecosystem:
Type: NFT Collection

Overview

Nemus acquires at-risk land in the Amazon rainforest and creates a series of collectible NFTs on the Ethereum network, each tied to a unique geolocation within the land. A portion of the NFT sales pays for operations and the purchase of the land, while the remaining proceeds are stored in the Nemus Treasury. With the help of the Nemus DAO, the Treasury then funds economic and social activity on the land.

Services: Smart Contracts Audit
Technologies: Ethereum Solidity

Task

The Blaize team’s task was to check the contracts for these main requirements:

  • Whether the contract is secure;
  • Whether the contract corresponds to the documentation;
  • Whether the contract meets best practices in efficient use of gas and code readability.

That’s why we have scanned the Nemus smart contracts for commonly known and more specific vulnerabilities:

  • Unsafe type inference;
  • Timestamp Dependence;
  • Reentrancy;
  • Implicit visibility level;
  • Gas Limit and Loops;
  • Transaction-Ordering Dependence;
  • Unchecked external call;
  • Unchecked math;
  • DoS with Block Gas Limit;
  • DoS with (unexpected) Throw;
  • Byte array vulnerabilities;
  • Malicious libraries;
  • Style guide violation;
  • ERC-20 API violation;
  • Uninitialized state/storage/local variables;
  • Compile version not fixed.

In this project, we consider the security of the contracts for the Nemus protocol. Our task was to find and describe security issues in the Nemus set of contracts: AbstractMintVoucherFactory and NeaMintTicketFactory. The scope of the audit included the unit test coverage that is based on the smart contracts code, documentation, and requirements presented by the Nemus team.

Smart Contract Security Audit Procedure

Blaize.Security has a prescribed security audit procedure. It consists of the following steps:

Comprehensive Security Audit

  • Check for code consistency and whether the contract corresponds to the documentation;
  • Checks against the standard list of vulnerabilities mentioned above;
  • Static analysis by automated tools;
  • Manual code analysis and code quality review;
  • Gas usage analysis;
  • Unit tests coverage check;
  • Creation of a custom set of unit-tests for the full coverage;
  • Security analysis report delivery;
  • Post-audit fixes review.

Automated Tools Analysis

  • Automated analysis of the Nemus smart contracts was performed by scanning them with several publicly available automated analysis tools such as Mythril, Solhint, Slither, and Smartdec.

Manual Code Review

  • For the Nemus audit, the Blaize team performed a manual analysis of the smart contracts for security vulnerabilities. We also checked the smart contract logic and compared it with the logic described in the documentation.

Security Analysis Report

  • At the end of every audit, the Blaize team provides a detailed smart contract security analysis report. For Nemus, we also prepared a document with all detected risks and possible variants of their mitigation, details of issues and vulnerabilities, and recommendations for their improvement.

Audit Result

After the security audit of the Nemus smart contracts, the Blaize team found several issues which did not allow correct NFT minting for most user scenarios. Several issues from the standard auditors' list were also found. The team has now fixed all of these issues.

All other issues were connected to code quality and to missed checks, which may block the contract. Nevertheless, all security risk issues were fixed by the team.

The overall security of the Nemus smart contracts can be evaluated as secure: they perform all desired actions and have solid functionality. Based on the audit, the security of the Nemus set of contracts can be evaluated as Highly Secure, 9.75 out of 10.
