Smart Contract Auditing
At Sayfer we verify every line of code, with a deep understanding of the architecture, using the newest SCSVS standard. In addition to common attacks and best practices, it is important to understand your own business logic and the idea behind every functionality.
An auditor’s mission is to understand the code, its goal, and what bad actors would do to take advantage of the contract’s logic. The auditor uses automated tools and manual testing to perform a quality audit.
Crypto Exchange
We performed full grey-box penetration testing on the Centralized Exchange application and white-box security auditing of the Centralized Exchange business logic and code from a cryptocurrency point of view.
The most dangerous vulnerabilities we discovered were SQL injection and flaws in business logic.
The impact on the system is critical as a malicious attacker could exploit some of these vulnerabilities to take advantage of the system, either by changing his user role to “super_user” via the SQL injection or by abusing the system and stealing money from the Centralized Exchange using the 30s system update mechanism.
We suggested to Crypto Exchange a few possible mitigation strategies, including avoiding concatenating strings into full SQL statements, using third-party custodian services to manage hot wallets and vaults, constantly checking for authorization in every request, and more.
ZenPool - Lending Protocol
ZenPool is an open-source, non-custodial token and lending market protocol. Users can deposit their crypto assets to earn interest or borrow other tokens to pay interest in ZenPool’s market. ZenPool has its own token called ZEN. ZenPool also supports bonds, which are another way to increase its treasury.
We performed a full security audit for all ZenPool contracts and we found 3 “high” risk vulnerabilities that could be exploitable by malicious attackers, who could empty the pool’s funds completely.
We found exploitable contract code that an attacker can use to withdraw more than the max borrow amount, and we suggested a correct way to rewrite the code to avoid the vulnerability.
Moreover, we found a vulnerability in the functionality of a contract that allows an unauthorized attacker to call a specific function to transfer ETH from the contract.
We suggested mitigating this vulnerability by restricting specific functions to specific roles, or by allowing only the owners of the contracts to access them.
NFT - FatCats
FatCats is a collection of 5,000 unique NFTs that double as a membership token and as shares of all FatCats holdings. The FatCats contract is an NFT token contract with minting in steps: step1, step2, and public mint. Minting steps are set by the owner.
During the FatCats NFT audit, we found an authentication problem in the reveal process. This vulnerability allowed an attacker to access the NFT metadata before it was revealed and make smart predictions about airdrops or specific minting transactions for rare NFTs. This could potentially let the attacker gain control of the most valuable NFTs in the project.
We suggested to FatCats a few possible mitigation strategies including reducing the time of the reveal and implementing a random NFT airdrop.
We later found that the vulnerability is much bigger than just this project and affects 10% of all NFTs (read more about the BadReveal NFT exploit on our blog).
Token Audit
Evernow consists of a token and a staking mechanism. Staking with interest will be possible for users who complete the annual online retreat. Vesting in both schemes will be calculated from the end of the cliff.