QuillAudits conducted a comprehensive audit of WeeWeePad, uncovering and addressing critical vulnerabilities that significantly enhance the platform’s security and reliability
WeeWeePad is a launchpad designed specifically for meme tokens and NFT projects. It caters to the growing demand for decentralized fundraising, supporting projects across Ethereum and Base, and expanding to Layer 1 chains like Solana, Avalanche, and Sei.
WeeWeePad provides a user-friendly platform for acquiring and staking $WEE tokens, participating in IDOs, and engaging in NFT offerings. The platform ensures fair and secure participation by implementing rigorous KYC and whitelisting procedures.
WeeWeePad offers a streamlined platform tailored for meme token and NFT projects, emphasizing decentralized fundraising and robust community engagement. With advanced tools and comprehensive support, WeeWeePad enables successful project launches across multiple blockchain networks like Ethereum & Base. The platform empowers creators to connect with their communities, drive their own meme token growth, and navigate the complexities of the crypto space with ease.
QuillAudits identified and addressed 16 critical vulnerabilities in WeeWeePad's smart contracts, enhancing the platform’s security. Key concerns included fund loss, signature replay attacks, and improper whitelist management. By resolving these issues, QuillAudits has fortified WeeWeePad’s platform, ensuring a secure environment for its users.
Our audit methodology combined threat modeling, a security-first approach, and thorough testing, including both manual and automated methods. We emphasized transparency and clear communication with the WeeWeePad team to ensure effective resolution of identified issues.
Our audit revealed 6 Critical Severity vulnerabilities, 3 Medium Severity issues, 3 Low Severity issues, and 3 Informational findings.
Here’s a breakdown of the critical vulnerabilities and remediation strategies:
GamepadNFT
ContractDiscovery: In the GamepadNFT
contract, the issue was due to the company address being uninitialized in the constructor due to a coding error, causing all funds to be lost or burnt (sent to address(0)) when NFTs are purchased.
Discovery: The buy
function in the GamepadNFT
contract requires a signature operation signed by the signing key in the backend. However, it permits signature replay attacks as users can use the same signature multiple times.
Discovery: In RoyaReserve.sol
, the stake function design permits the possibility of malicious users passing staker's address with 1 wei, which can be repeatedly called to extend the redeem period of these stakers.
Discovery: If an address is removed from the whitelisted addresses, mapping the whitelist to false will alter the element in the whitelistItems[index[i]]
leading to unexpected behavior unless the whitelistIndex mapping is updated before deleting it.
Discovery: In RoyaleToken.sol
, the custom token contract which lacked integration with the standard ERC20 contract such as the Openzeppelin library, has an approve function that always increases the amount of tokens a spender can spend, making it impossible to reduce the amount of a spender unless the spender has exhausted their approved amount.
Action: WeeWeePad fixed the initialization issue by properly setting up the company addresses during contract deployment and added additional checks to ensure that these addresses cannot be left uninitialized. This change ensures that all funds are correctly routed and managed, preventing any accidental loss or burning of assets.
Outcome: The contract now handles funds securely, eliminating the risk of funds being lost or burned due to uninitialized addresses.
Action: To prevent signature replay attacks, WeeWeePad implemented a nonce-based validation system for each transaction. Each signature now includes a unique nonce that is tracked and invalidated after use, ensuring it cannot be reused.
Outcome: The buy
function is now secure against replay attacks, with each transaction validated for uniqueness, preventing any malicious reuse of signatures.
Action: WeeWeePad introduced permission checks to the function responsible for modifying the redeem period. Now, only authorized addresses can extend the redeem period, ensuring that malicious users cannot exploit this functionality.
Outcome: The redeem period for stakers is now secure, with no risk of unauthorized extensions by malicious users.
Action: The whitelist management logic was overhauled by WeeWeePad to ensure proper index handling when removing addresses. This change prevents any disruption or unexpected behavior when addresses are modified within the whitelist.
Outcome: Whitelist operations are now stable, ensuring that the removal of addresses does not cause any unexpected issues.
Action: WeeWeePad modified the approval mechanism in the RoyaToken contract to allow for decrementing approval amounts. This update gives token holders more control over the amount approved for spenders, ensuring they can reduce it as needed.
Outcome: RoyaToken holders now have full control over spender approvals, including the ability to reduce previously set limits.
Impressed by our findings and recommendations, the WeeWeePad developers promptly addressed all identified vulnerabilities. Through our collaborative efforts, the WeeWeePad project is now significantly more secure, ensuring the protection of user funds.
The WeeWeePad smart contracts security audit identified and addressed critical vulnerabilities, enhancing platform stability and security. This audit underscores the importance of proactive security measures for blockchain projects, especially those handling financial transactions. By addressing identified issues, the WeeWeePad Team has strengthened its platform and safeguarded user trust.
Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!