QuillAudits conducts a rigorous audit of NFTs2Me, identifying and rectifying 10 critical vulnerabilities to enhance the platform's security and efficiency.
NFTs2Me is an intuitive platform that simplifies creating, deploying,& managing NFT collections without coding skills. It offers a comprehensive toolkit to launch & grow NFT projects from minting to administration.
NFTs2Me offers an easy interface for creating NFT artwork, defining metadata, & uploading to IPFS. Users can deploy NFT contracts with low fees, multiple minting options, & upgradeable features. It also provides tools for managing collections, custom subdomains, & controlling access with allowlists, whitelists, airdrops, & token-gated content, making NFT project launch & growth effortless.
NFTs2Me is a user-friendly platform that empowers creators to effortlessly create, deploy, and manage NFT collections without needing programming skills. It provides a robust toolkit for every stage of the NFT lifecycle, from artwork creation with built-in generative art tools to uploading digital assets with metadata and rarity definitions. Users can deploy NFT contracts on the blockchain with minimal fees, utilizing various minting options such as ERC-20 tokens and native coins. The platform supports flexible administration of collections, including custom subdomains, community management, and granular control over access through allow lists and token-gated content. NFTs2Me aims to democratize NFT creation and management, offering a seamless experience for both novice and experienced creators alike.
QuillAudits conducted a comprehensive audit of NFTs2Me, uncovering a total of 10 issues that highlighted the complexity of the platform's smart contracts. The primary focus was on the factory and collection contracts, specifically N2MFactory and N2MERC721A. The audit aimed to evaluate the quality, security, and correctness of the NFTs2Me codebase. Key concerns addressed included potential denial-of-service vulnerabilities, insecure token transfers, and issues in the signature verification process. Through detailed analysis and recommendations, QuillAudits helped enhance the security and robustness of the NFTs2Me platform.
1.Information Gathering
2. Manual Code Review
Conducted a line-by-line review of the smart contract code, focusing on:
3. Functional Testing
4. Automated Testing
5. Reporting & Remediation
Our methodology for NFTs2Me Smart Contracts combines threat modeling, a security-first mindset, and comprehensive testing, including both white-box and black-box methods. We emphasize transparency and clear communication with the NFTs2Me team, providing actionable insights and detailed recommendations for swift vulnerability resolution, and ensuring a robust security posture.
Our thorough and extensive audit uncovered 2 Medium Severity vulnerability, 4 Low-severity issues, and 4 informational findings.
Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:
Discovery: The contract iterates over an array containing revenue addresses during withdrawals. This array lacks a defined upper limit on its size. If the array grows excessively large, iterating through it could exceed the gas limit, leading to a DoS attack.
Impact: An attacker could potentially exploit this vulnerability to prevent legitimate users from executing withdrawal functions by manipulating the revenue address array size.
Discovery: The contract utilizes the transfer function for token withdrawals instead of the recommended safeTransfer
function.
Impact: Tokens that are non-compliant with the ERC20 standard could return false on failed transfers using the transfer function. This failure would go unnoticed by the contract, potentially leading to unintended token behavior.
Discovery: The signature verification process for delegated creation transactions lacks an expiry timestamp. This allows attackers to potentially reuse expired signatures for unauthorized actions.
Impact: An attacker could potentially obtain a valid signature and use it beyond its intended timeframe to execute unauthorized transactions on behalf of the signer.
Discovery: The signature verification process in the delegatedCreation function
has two vulnerabilities:
Missing Nonce Check: The function does not verify that a unique nonce value is used for each signature. This allows attackers to potentially replay a signature for the same owner address on the same factory contract.
Action:
Imposed a defined upper limit on the size of the revenue address array in the N2MFactory
contract.
Outcome:
Limiting the array size prevents excessive gas consumption during iteration, mitigating the risk of DoS attacks and ensuring smooth execution of withdrawal functions.
Action:
Implemented the safeTransfer
function for token withdrawals in the N2MERC721A
contract instead of the transfer
function.
Outcome:
Using safeTransfer
ensures compliance with the ERC20 standard, providing a more secure method for token transfers and preventing unnoticed transfer failures.
Action:
Add an expiry timestamp to the signature verification process in the delegatedCreation
function of the N2MFactory
contract.
Outcome:
Incorporating an expiry timestamp prevents the reuse of signatures beyond their intended timeframe, ensuring that signatures are only valid for a limited period and reducing the risk of unauthorized transactions.
Action:
delegatedCreation
function of the N2MFactory
contract.delegatedCreation
function.Outcome:
Adding the contract address to the verification hash ensures that signatures are specific to a particular contract version. Implementing nonce checks prevents replay attacks, ensuring each signature is used only once per owner address on the factory contract.
During the audit, several functional tests were conducted to ensure the robustness and correctness of the NFTs2ME Platform smart contracts.
Let’s delve into some of the critical tests performed:
Impressed by our findings and recommendations, the NFTs2Me developers promptly addressed all identified vulnerabilities. Through our collaborative efforts, the NFTs2Me project is now significantly more secure, ensuring the protection of user funds.
The NFTs2Me’s smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the NFTs2Me Team has taken a significant step towards securing its platform and safeguarding user trust.
Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!