QuillAudits conducts a rigorous audit of Buk Protocol, identifying and rectifying 8 critical vulnerabilities to enhance the platform's security and efficiency.
Buk Protocol, a modular infra tokenizing dynamic RWAs using $BUK token for transactions and governance on Polygon, with a focus on travel and hospitality.
Buk Protocol offers a modular infrastructure for dApps and marketplaces, enabling the tokenization and on-chain trading of dynamic assets. This omni-chain system includes an inventory aggregation layer and provides APIs, SDKs, widgets, and open-source libraries for creating secondary markets.
Buk Protocol is a multichain blockchain platform (currently deployed on Polygon) designed to create secondary markets for all assets that expire such as limited-time gaming collectibles, hotel and airline reservations, events & concert passes, and much more. These assets typically lose value after use or expiration, but Buk Protocol transforms them into tradable assets on the blockchain. It provides a modular infrastructure for dApps and marketplaces, featuring an omni-chain inventory aggregation layer. Powered by the $BUK token, it supports fee payments, governance, and incentivization, and also offers tools like APIs, SDKs, widgets, and open-source code libraries for builders and existing web3 marketplaces to create secondary markets of dynamic assets.
The Buk Protocol faces critical challenges, notably the risk of re-entrancy attacks that exploit vulnerabilities in their smart contracts, potentially compromising transaction integrity and fund security. Additionally, they showed concerns regarding business logic vulnerabilities across core contracts like Bukprotocol, Treasury, Buk NFT, and Marketplace. These vulnerabilities could lead to issues such as improper asset ownership handling or inconsistent transaction logic. Addressing these concerns requires thorough auditing and proactive measures to strengthen contract security and ensure reliable platform functionality, thereby safeguarding user assets and maintaining operational trust.
Our methodology for Buk Protocol Smart Contracts combines threat modeling, a security-first mindset, and comprehensive testing, including both white-box and black-box methods. We emphasize transparency and clear communication with the Buk Protocol team, providing actionable insights and detailed recommendations for swift vulnerability resolution, and ensuring a robust security posture.
Our thorough and extensive audit uncovered 2 critical vulnerabilities, 2 Medium-severity issues, and 1 Low and 3 informational findings.
Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:
bookRooms()
function of BukProtocol.sol, where bookings could be made with a price of zero. This oversight allowed attackers to exploit the system by booking rooms without paying the intended price and later listing it to some other marketplace for a much higher price.checkout()
function of BukProtocol.sol regarding the handling of NFT ownership. The function attempted to burn bukNFTs and mint new bukPOSNFTs without verifying if the function caller was the current owner of the bukNFT.emergencyCancellation()
function in BukProtocol.sol. The function routed cancellation charges to _bukTreasury instead of _bukWallet, contrary to the intended behavior specified in the cancelRooms()
function.emergencyCancellation()
and cancelRooms()
could create confusion within the platform's internal operations.1. Unrestricted Booking and Potential NFT Misuse:
2. Inconsistent NFT Ownership Handling:
3. Inconsistent Transaction Logic:
Impressed by our findings and recommendations, the Buk Protocol developers **promptly addressed all identified vulnerabilities**. Through our collaborative efforts, the Buk Protocol project is now **significantly more secure**, ensuring the protection of user funds.
The Buk Protocol's smart contract security audit identified and resolved critical vulnerabilities, safeguarding user funds and ensuring platform stability. This case study highlights the importance of proactive security measures for blockchain projects, particularly those involving financial assets. By conducting thorough audits and addressing the issues found, the Buk Protocol team has taken a significant step towards securing its platform and safeguarding user trust.
Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!