OpenBiSea smart contract security audit, conducted by the Callisto Network Security Department during June 2022.

 

 

OpenBiSea v3 Security Audit Report

Are Your Funds Safe?

Summary

OpensBiSea smart contract security audit report performed by Callisto Security Audit Department

1. In scope

Commit 4c1b355a32618c0ddbac83e66b353bb1803454bc

  • AbsNFT.sol
  • AbsNFT1155.sol
  • IOpenBiSea.sol
  • IOpenBiSeaAuction.sol
  • IOracle.sol
  • OBS.sol
  • OpenBiSea.sol
  • OpenBiSeaAuction.sol
  • Oracle.sol
  • StakingOBS.sol

1.1 Excluded

Standard OpenZeppelin contracts were excluded from audit:

  • @openzeppelin/contracts/access/Ownable.sol
  • @openzeppelin/contracts/utils/Counters.sol
  • @openzeppelin/contracts/token/ERC1155/ERC1155.sol
  • @openzeppelin/contracts/token/ERC721/ERC721.sol
  • @openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol
  • @openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol
  • @openzeppelin/contracts/token/ERC721/IERC721Receiver.sol
  • @openzeppelin/contracts/token/ERC721/IERC721.sol
  • @openzeppelin/contracts/token/ERC721/extensions/IERC721Metadata.sol
  • @openzeppelin/contracts/token/ERC1155/extensions/IERC1155MetadataURI.sol
  • @openzeppelin/contracts/token/ERC1155/IERC1155Receiver.sol
  • @openzeppelin/contracts/token/ERC1155/IERC1155.sol
  • @openzeppelin/contracts/token/ERC20/ERC20.sol
  • @openzeppelin/contracts/token/ERC20/IERC20.sol
  • @openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol
  • @openzeppelin/contracts/utils/math/SafeMath.sol
  • @openzeppelin/contracts/utils/Address.sol
  • @openzeppelin/contracts/utils/structs/EnumerableSet.sol

2. Findings

In total, 3 issues were reported including:

      • 0 high severity issues.
      • 0 medium severity issue.
      • 3 low severity issues.

In total, 5 notes were reported, including:

      • 0 notes.
      • 0 owner privileges.

No critical security issues were found.

2.1 Known vulnerabilities of ERC-20 token

Severity: low.

Description:

OpenBiSea Token (OBS) has known vulnerabilities of ERC-20 token:

It is possible to double withdrawal attack. More details here.

2.2 Anybody can mint AbsNFT tokens

Severity: note.

Description:

The function mint() has no restriction and alow anybody to mint AbsNFT tokens.

This ability may be used by scammers to create new token with tokenUri of another token on this contract. However tokenId of both tokens will be different.

2.3 Owner privileges

Severity: owner privileges.

Description:

    1. The owner of AbsNFT1155 contract can:
      1. Set and change URI.
      2. mint tokens.
    1. The owner of OBS contract can:
      1. mint
      2. burn OpenBiSea Token to/from any account.
    1. The owner of StakingOBS sale contract has right to withdraw any amount of tokens from contract included users’ staked tokens.

2.4 High gas consumption when use contractsWhitelisted

Severity: low.

Description:

Functions that work with contractsWhitelisted use loop for to go throw entire list of contracts to check if contract is whitelisted. This operation required the more gas the bigger list is.

Recommendation

Create mapping(address => uint256) public indexOfContractsWhitelisted; and use it get index of whitelisted contract instead of for loop. Start index from 1.

2.5 High gas consumption of function contractsTokenIdsListUpdated

Severity: low

Description

Functions that work with contractsTokenIdsListUpdated use loop for to go throw contractsTokenIdList. This operation required the more gas the bigger list is.

Try to avoid loops when work with array without limits of length.

3. Security practices

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

It is recommended to adhere to the security practices described in pt. 4 of this report to ensure the contract’s operability and prevent any issues that are not directly related to the code of this smart contract.

Appendix

Smart Contract Audits by Callisto Network.

Miscellaneous

Why Audit Smart Contracts?

Our Most Popular Audit Reports.

 


Trust the Blockchain, Audit the Smart Contracts.


Follow Callisto’s Security Department on Twitter to get our latest news and updates!