OpenBiSea smart contract security audit, conducted by the Callisto Network Security Department during June 2022.
OpenBiSea v3 Security Audit Report
Summary
OpenBiSea smart contract security audit report performed by the Callisto Security Audit Department
- Website: https://openbisea.io/
- Telegram: https://t.me/openbisea_en
1. In scope
Commit 4c1b355a32618c0ddbac83e66b353bb1803454bc
- AbsNFT.sol
- AbsNFT1155.sol
- IOpenBiSea.sol
- IOpenBiSeaAuction.sol
- IOracle.sol
- OBS.sol
- OpenBiSea.sol
- OpenBiSeaAuction.sol
- Oracle.sol
- StakingOBS.sol
1.1 Excluded
Standard OpenZeppelin contracts were excluded from the audit:
- @openzeppelin/contracts/access/Ownable.sol
- @openzeppelin/contracts/utils/Counters.sol
- @openzeppelin/contracts/token/ERC1155/ERC1155.sol
- @openzeppelin/contracts/token/ERC721/ERC721.sol
- @openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol
- @openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol
- @openzeppelin/contracts/token/ERC721/IERC721Receiver.sol
- @openzeppelin/contracts/token/ERC721/IERC721.sol
- @openzeppelin/contracts/token/ERC721/extensions/IERC721Metadata.sol
- @openzeppelin/contracts/token/ERC1155/extensions/IERC1155MetadataURI.sol
- @openzeppelin/contracts/token/ERC1155/IERC1155Receiver.sol
- @openzeppelin/contracts/token/ERC1155/IERC1155.sol
- @openzeppelin/contracts/token/ERC20/ERC20.sol
- @openzeppelin/contracts/token/ERC20/IERC20.sol
- @openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol
- @openzeppelin/contracts/utils/math/SafeMath.sol
- @openzeppelin/contracts/utils/Address.sol
- @openzeppelin/contracts/utils/structs/EnumerableSet.sol
2. Findings
In total, 3 issues were reported, including:
- 0 high severity issues.
- 0 medium severity issues.
- 3 low severity issues.
In total, 5 notes were reported, including:
- 0 notes.
- 0 owner privileges.
No critical security issues were found.
2.1 Known vulnerabilities of ERC-20 token
Severity: low.
Description:
OpenBiSea Token (OBS) has the known vulnerabilities of an ERC-20 token:
it is vulnerable to the double withdrawal attack.
2.2 Anybody can mint AbsNFT tokens
Severity: note.
Description:
The function mint() has no access restriction and allows anybody to mint AbsNFT tokens.
This ability may be used by scammers to create a new token with the tokenUri of another token on this contract. However, the tokenId of both tokens will be different.
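If unrestricted minting is not intended, the usual fix is a minter allow-list managed by the owner. The contract below is an added example for this note, not AbsNFT's code; it assumes OpenZeppelin 4.x (the in-scope `Counters.sol` and the no-argument `Ownable` constructor belong to that line), and `GatedNFT`, `isMinter` and `setMinter` are hypothetical names:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/utils/Counters.sol";

// Constructed illustration (not AbsNFT's code): mint() is gated by a minter
// allow-list that only the owner can change. Names are hypothetical.
contract GatedNFT is ERC721URIStorage, Ownable {
    using Counters for Counters.Counter;
    Counters.Counter private _tokenIds;

    mapping(address => bool) public isMinter;
    event MinterUpdated(address indexed account, bool allowed);

    constructor() ERC721("GatedNFT", "GNFT") {}

    modifier onlyMinter() {
        require(isMinter[msg.sender], "GatedNFT: caller is not a minter");
        _;
    }

    // Owner-controlled allow-list; emitting an event keeps the change auditable.
    function setMinter(address account, bool allowed) external onlyOwner {
        isMinter[account] = allowed;
        emit MinterUpdated(account, allowed);
    }

    // Only allow-listed accounts can mint. tokenIds still come from a counter,
    // so two tokens can share a URI but never an id.
    function mint(address to, string calldata uri) external onlyMinter returns (uint256) {
        _tokenIds.increment();
        uint256 newId = _tokenIds.current();
        _safeMint(to, newId);
        _setTokenURI(newId, uri);
        return newId;
    }
}
```

Where open minting is the intended product design, marketplaces typically mitigate the copy-URI risk off-chain instead, by displaying the contract address and tokenId prominently and flagging duplicate URIs.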
2.3 Owner privileges
Severity: owner privileges.
Description:
- The owner of the StakingOBS sale contract has the right to withdraw any amount of tokens from the contract, including users’ staked tokens.
- The owner of
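A common way to keep an emergency withdrawal for the owner without exposing user deposits is to track the total staked amount and let the owner sweep only the surplus above it. The contract below is an added example written for this finding, not StakingOBS's code; `SurplusOnlyStaking`, `surplus` and `withdrawSurplus` are hypothetical names, and it assumes OpenZeppelin 4.x:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Constructed illustration, not StakingOBS's code. totalStaked records what
// belongs to users, so the owner can only withdraw the surplus (reward
// funding, mistaken transfers), never the deposits. Names are hypothetical.
contract SurplusOnlyStaking is Ownable {
    IERC20 public immutable stakingToken;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    event Staked(address indexed user, uint256 amount);
    event Unstaked(address indexed user, uint256 amount);
    event SurplusWithdrawn(address indexed to, uint256 amount);

    constructor(IERC20 token) { stakingToken = token; }

    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        // Record what actually arrived, so a fee-on-transfer token cannot
        // make totalStaked exceed the balance the contract really holds.
        uint256 before = stakingToken.balanceOf(address(this));
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = stakingToken.balanceOf(address(this)) - before;
        staked[msg.sender] += received;
        totalStaked += received;
        emit Staked(msg.sender, received);
    }

    function unstake(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient stake");
        // Effects before the external transfer (checks-effects-interactions).
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        require(stakingToken.transfer(msg.sender, amount), "transfer failed");
        emit Unstaked(msg.sender, amount);
    }

    // Everything above totalStaked is surplus; user deposits are unreachable.
    function surplus() public view returns (uint256) {
        return stakingToken.balanceOf(address(this)) - totalStaked;
    }

    function withdrawSurplus(address to, uint256 amount) external onlyOwner {
        require(amount <= surplus(), "exceeds surplus");
        require(stakingToken.transfer(to, amount), "transfer failed");
        emit SurplusWithdrawn(to, amount);
    }
}
```

The invariant a reviewer checks here is that no owner-only path can reduce `stakingToken.balanceOf(address(this))` below `totalStaked`; with the surplus check that holds for every code path.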
2.4 High gas consumption when using contractsWhitelisted
Severity: low.
Description:
Functions that work with contractsWhitelisted use a for loop to go through the entire list of contracts to check whether a contract is whitelisted. The larger the list, the more gas this operation requires.
Recommendation:
Create mapping(address => uint256) public indexOfContractsWhitelisted; and use it to get the index of a whitelisted contract instead of a for loop. Start the index from 1.
2.5 High gas consumption of the function contractsTokenIdsListUpdated
Severity: low.
Description:
Functions that work with contractsTokenIdsListUpdated use a for loop to go through contractsTokenIdList. The larger the list, the more gas this operation requires.
Recommendation:
Avoid loops over arrays whose length is not bounded.
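The following contract is an added example covering both 2.4 and 2.5; it is not OpenBiSea's code. It implements the recommended `indexOfContractsWhitelisted` mapping with indices starting from 1, so that a membership check is a single storage read and removal is swap-and-pop without any loop, and adds a paged getter for callers that need to read the list. `IndexedWhitelist`, `whitelistPage` and the add/remove function names are hypothetical; it assumes OpenZeppelin 4.x for `Ownable`:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/Ownable.sol";

// Constructed illustration of the recommended pattern, not OpenBiSea's code.
// The array keeps enumeration; the mapping stores each entry's position
// plus one, so 0 means "not present" and a membership check costs one SLOAD
// instead of a loop over the whole list. Names are hypothetical.
contract IndexedWhitelist is Ownable {
    address[] public contractsWhitelisted;
    // index + 1 of each whitelisted contract; 0 means not whitelisted
    mapping(address => uint256) public indexOfContractsWhitelisted;

    event Whitelisted(address indexed account);
    event Unwhitelisted(address indexed account);

    // O(1) membership check: no loop, regardless of list size.
    function isWhitelisted(address account) public view returns (bool) {
        return indexOfContractsWhitelisted[account] != 0;
    }

    function addToWhitelist(address account) external onlyOwner {
        require(account != address(0), "zero address");
        require(!isWhitelisted(account), "already whitelisted");
        contractsWhitelisted.push(account);
        indexOfContractsWhitelisted[account] = contractsWhitelisted.length; // 1-based
        emit Whitelisted(account);
    }

    // Swap-and-pop removal: O(1), leaves no gap in the array, and keeps the
    // index of the element that moved consistent.
    function removeFromWhitelist(address account) external onlyOwner {
        uint256 idx1 = indexOfContractsWhitelisted[account];
        require(idx1 != 0, "not whitelisted");
        uint256 idx = idx1 - 1;
        uint256 lastIdx = contractsWhitelisted.length - 1;
        if (idx != lastIdx) {
            address moved = contractsWhitelisted[lastIdx];
            contractsWhitelisted[idx] = moved;
            indexOfContractsWhitelisted[moved] = idx1;
        }
        contractsWhitelisted.pop();
        delete indexOfContractsWhitelisted[account];
        emit Unwhitelisted(account);
    }

    function whitelistLength() external view returns (uint256) {
        return contractsWhitelisted.length;
    }

    // For 2.5: readers pull the list in pages, so no call has to walk an
    // unbounded array in one transaction.
    function whitelistPage(uint256 offset, uint256 limit) external view returns (address[] memory page) {
        uint256 total = contractsWhitelisted.length;
        if (offset >= total) return new address[](0);
        uint256 end = offset + limit;
        if (end > total) end = total;
        page = new address[](end - offset);
        for (uint256 i = offset; i < end; i++) {
            page[i - offset] = contractsWhitelisted[i];
        }
    }
}
```

OpenZeppelin's `EnumerableSet`, already among the project's excluded imports, implements this same index-plus-one scheme (`add`, `remove`, `contains`, `at`, `length`), so the finding can also be addressed by replacing the raw array with `EnumerableSet.AddressSet` rather than maintaining the mapping by hand.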
3. Security practices
4. Conclusion
The audited smart contract can be deployed. Only low severity issues were found during the audit.
It is recommended to adhere to the security practices described in pt. 4 of this report to ensure the contract’s operability and prevent any issues that are not directly related to the code of this smart contract.