WEBTHREE®

Scope of Work

The scope of this audit is based on the material provided by the client. The goal of this audit is to ensure the following:

  • Find potential exploits in the contract
  • Find issues in the contract that would affect the integrity of the mint
  • Ensure the contract adheres to the business logic provided by the client

The logic of the contract will be compared to the business logic provided in the materials listed below:

  • Payments are handled offchain
  • Supply is not limited
  • NFTs staked are tradeable
  • NFTs unstaked are playable
  • Unstaking requires a 4 hour delay before the NFT is unstaked
  • Mint, stake and unstake contracts can only be invoked by wallets owned by the team
  • Deployed on Polygon

The contract was provided on 3rd August 2023 and the audit was delivered on 9th August 2023. It was given in the following formats:

Disclaimer

This is a limited report based on our analysis of the Smart Contract audit and performed in accordance with best practices as of the date of this report, in relation to cybersecurity vulnerabilities and issues in the smart contract source code analyzed, the details of which are set out in this report, (hereinafter “Source Code”) and the Source Code compiling, deploying and performing the intended functions. In order to get a full view of our findings and the scope of our analysis, it is crucial for you to read the full report. While we have done our best in conducting our analysis and producing this report, it is important to note that you should not rely on this report and cannot claim against us on the basis of what it says or doesn’t say, or how we produced it, and it is important for you to conduct your own independent investigations before making any decisions.

By reading this report or any part of it, you agree to the terms of this disclaimer. If you do not agree to the terms, then you must immediately cease reading this report, and delete and destroy any and all copies of this report downloaded and/or printed by you. This report is provided for information purposes only and on a non-reliance basis and does not constitute investment advice. No one shall have any right to rely on the report or its contents and the individuals and/or team providing this report owe no duty of care towards you or any other person, nor does the individuals and/or team make any warranty or representation to any person on the accuracy or completeness of the report. The report is provided “as is” without any conditions, warranties, or other terms of any kind except as set out in this disclaimer and the individuals and/or team hereby exclude all representations, warranties, conditions and other terms (including without limitations, the warranties implied by law of satisfactory quality, fitness for purpose and the use of reasonable care and skill) which, but for this clause might have effect in relation to the report.

Except and only to the extent that it is prohibited by law, the individuals and/or team hereby exclude all liability and responsibility, and neither you nor any other person shall have any claim against the individuals and/or team for any amount or kind of loss or damage that may result to you or any other person (including without limitation, any direct, indirect, special, punitive, consequential, or pure economic loss or damages, or any loss of income, profits, goodwill, data, contracts, use of money, or business interruption and whether in delict, tort (including without limitation negligence), contract, breach of statutory duty, misrepresentation (whether innocent or negligent) or otherwise under any claim of any nature whatsoever in any jurisdiction) in any way arising from or connected with this report and the use, inability to use or the results of use of this report and any reliance on this report.

Summary

Audited by: ZooperDooper

As most of the logic has been delegated to an offchain backend, the contract is simple and straightforward and does not have any critical issues. The contract is well written and easy to read. Due to the way the infrastructure is set up, please ensure the wallets that hold the MINTER role are stored securely, as a compromise of those wallets is the most likely point of failure. It has been noted that the project owners wish to pay the fees on behalf of the users rather than have the users pay the fees themselves. This is a good approach, as it lowers the barrier of entry for users of the platform. The contract is deployed on Polygon, which is a good choice as it is a low cost and fast blockchain. The use of signatures for staking and unstaking is good, as it ensures that even if the STAKER wallet is compromised, it cannot invoke a stake or unstake without the owner's / virtual owner's approval. Presale and public mint logic are handled offchain, so ensure they are thoroughly tested: any bug in the backend server will bypass most of the contract validations for the mint.
FINDINGS

  • 0 Critical Issues
  • 0 Medium Issues
  • 0 Low Issues
  • 3 Nits

Issues

Nits
Add a totalSupply

Add a totalSupply() function to the contract, as most blockchain explorers read totalSupply on ERC721 contracts to display the number of minted items.

Support multiple ids for mint, stake, unstake and burn

Currently mint, stake, unstake and burn each take a single token id. Since every transaction has a base cost, running an operation over multiple tokenIds for a user requires the wallet to send multiple transactions, each paying its own gas fee. Bundling tokenIds owned by the same user into one call reduces the cost. That said, this mainly reduces costs for the project owners, since they run the transactions; the only way users interact with the contract directly is if they want to manually stake or unstake.
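The two nits above (a totalSupply counter and array-based batch operations) sketched in one contract. This is an added example, not the audited contract or the project's code: it assumes OpenZeppelin's ERC721 and AccessControl, a single hypothetical MINTER_ROLE for all team-invoked operations, and models the 4 hour unstake delay as a timestamp; the owner-signature scheme mentioned in the summary is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration of the two nits above, not the audited contract. Assumes OpenZeppelin v5
// ERC721 + AccessControl; the contract, role and function names are hypothetical.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";
contract BatchStakeNFT is ERC721, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    uint256 public constant UNSTAKE_DELAY = 4 hours;   // delay stated in the business logic
    uint256 private _totalSupply;                      // +1 per mint, -1 per burn
    // 0 = not staked, max = staked, anything else = unstake requested, staked until that time
    mapping(uint256 => uint256) private _stakedUntil;
    constructor(address minter) ERC721("Example", "EXM") { _grantRole(MINTER_ROLE, minter); }
    // Nit 1: explorers read totalSupply() to display the number of minted items.
    function totalSupply() external view returns (uint256) { return _totalSupply; }
    // A token stays staked until UNSTAKE_DELAY after its unstake request.
    function isStaked(uint256 id) public view returns (bool) { return block.timestamp < _stakedUntil[id]; }
    // Nit 2: one transaction per batch; one bad id reverts the whole batch, so the counter cannot drift.
    function mintBatch(address to, uint256[] calldata ids) external onlyRole(MINTER_ROLE) {
        for (uint256 i = 0; i < ids.length; i++) _mint(to, ids[i]);   // reverts on duplicate id
        _totalSupply += ids.length;
    }

    function burnBatch(uint256[] calldata ids) external onlyRole(MINTER_ROLE) {
        for (uint256 i = 0; i < ids.length; i++) {
            require(!isStaked(ids[i]), "staked token");
            _burn(ids[i]);                                 // reverts if id does not exist
        }
        _totalSupply -= ids.length;
    }

    function stakeBatch(uint256[] calldata ids) external onlyRole(MINTER_ROLE) {
        for (uint256 i = 0; i < ids.length; i++) {
            require(!isStaked(ids[i]), "already staked");
            _stakedUntil[ids[i]] = type(uint256).max;
        }
    }

    function unstakeBatch(uint256[] calldata ids) external onlyRole(MINTER_ROLE) {
        for (uint256 i = 0; i < ids.length; i++) {
            require(_stakedUntil[ids[i]] == type(uint256).max, "not staked or already pending");
            _stakedUntil[ids[i]] = block.timestamp + UNSTAKE_DELAY;
        }
    }

    function supportsInterface(bytes4 id) public view override(ERC721, AccessControl) returns (bool) {
        return super.supportsInterface(id);
    }
}
```

Because every id in a batch is still validated by ERC721 and the whole call reverts on the first failure, the supply counter only moves when the entire batch succeeds.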

Gas Optimisation

The checks for virtual owner and tokenId are redundant, as the mint function is only invoked by a wallet owned by the team. This can be ignored, however, as Polygon fees are so low that the extra cost is negligible.