EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

Taverns #284

Closed MillianoConti closed 5 years ago

MillianoConti commented 5 years ago

Audit request

Tavern is a rare and specific digital asset in LORDLESS and it is an ERC-721 token. Most of the interactions in the virtual world are dependent on Tavern. https://game.lordless.io/taverns

Source code

https://github.com/lordlessio/game-contracts/tree/master/contracts/tavern

Disclosure policy

eury@lordless.io

Platform

Eth

Number of lines:

254

MrCrambo commented 5 years ago

Auditing time 1 day

yuriy77k commented 5 years ago

@MrCrambo assigned

MrCrambo commented 5 years ago

My report is finished

danbogd commented 5 years ago

Auditing time: 1 day.

yuriy77k commented 5 years ago

@danbogd assigned

danbogd commented 5 years ago

My report is finished.

gorbunovperm commented 5 years ago

Estimated auditing time is 2 days.

yuriy77k commented 5 years ago

@gorbunovperm assigned

gorbunovperm commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

Taverns Security Audit Report

1. Summary

Taverns smart contract security audit report performed by the Callisto Security Audit Department

Tavern is a rare and specific digital asset in LORDLESS and it is an ERC-721 token. Most of the interactions in the virtual world are dependent on Tavern.

2. In scope

Commit hash 69a820341099f88d1937222775bcac9d8499973c.

3. Findings

In total, 3 issues were reported including:

No critical security issues were found.

3.1. The length of the input arrays should be compared

Severity: low

Description

Input arrays of functions may accidentally have different lengths. This can lead to incorrect sending of funds to many recipients.

Code snippet

Recommendation

Use something like require(_tokenIds.length == _popularitys.length).

3.2. No checking for zero address

Severity: low

Description

In the functions setTavernContract and setPowerContract there is no check for the zero address.

Code snippet

3.3. Owner Privileges

Severity: owner privileges

Description

The contract owner allows himself to:

Code snippet

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/6fa70469824d576623a2b54d9ea8f45f

https://gist.github.com/yuriy77k/81aa4579340e7f7c4a4f873a8fac60cb

https://gist.github.com/yuriy77k/1a50c367f311284c34ebd9e8145f8c4e
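The two low-severity findings in the report (3.1, mismatched input array lengths; 3.2, missing zero-address checks in setTavernContract and setPowerContract) in their hardened form, as an added example that is not part of the original report and is not the LORDLESS project's code. The contract name, its storage layout, the onlyOwner modifier and the batchSetPopularity function are assumptions made for illustration; only the names setTavernContract, setPowerContract, _tokenIds and _popularitys come from the report.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

// Illustrative contract, not the audited LORDLESS code. Everything except the
// four names taken from the audit report (setTavernContract, setPowerContract,
// _tokenIds, _popularitys) is an assumption made for this example.
contract TavernChecksExample {
    address public owner;
    address public tavernContract;
    address public powerContract;
    mapping(uint256 => uint256) public popularity;

    event PopularityUpdated(uint256 indexed tokenId, uint256 popularity);
    event TavernContractSet(address indexed tavern);
    event PowerContractSet(address indexed power);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Finding 3.1: without the length check, a shorter _popularitys array makes
    // the loop revert on an out-of-bounds read part-way through, while a longer
    // one silently drops its trailing values. Comparing the lengths up front
    // turns both mistakes into an explicit failure before any state is written.
    function batchSetPopularity(uint256[] calldata _tokenIds, uint256[] calldata _popularitys)
        external
        onlyOwner
    {
        require(_tokenIds.length == _popularitys.length, "array length mismatch");
        for (uint256 i = 0; i < _tokenIds.length; i++) {
            popularity[_tokenIds[i]] = _popularitys[i];
            emit PopularityUpdated(_tokenIds[i], _popularitys[i]);
        }
    }

    // Finding 3.2: a zero address passed by mistake would leave the contract
    // pointing at nothing, so every call routed through it would fail until the
    // owner notices and resets it. Rejecting address(0) closes that window.
    function setTavernContract(address _tavern) external onlyOwner {
        require(_tavern != address(0), "zero address");
        tavernContract = _tavern;
        emit TavernContractSet(_tavern);
    }

    function setPowerContract(address _power) external onlyOwner {
        require(_power != address(0), "zero address");
        powerContract = _power;
        emit PowerContractSet(_power);
    }
}
```

The events are included so that an off-chain monitor can observe every change to the two contract addresses, which is the usual mitigation for the owner-privilege finding in 3.3: the privilege stays, but its use is visible on-chain.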