CumRocketNFT - Smart Contract Audit Report

Summary

CumRocket is building an NFT marketplace on the Binance Smart Chain.

For this audit, we reviewed the project team's Master and ModelCollection contracts at 0xAd84075a5fBEfdE8e95200d6d60eb0bfB4f6dbeb on the Binance Smart Chain testnet.

Notes on the Contracts:
  • Verified addresses that do not currently have a Collection will be able to create a new Model Collection; the owner or any admin is able to add an address to a list of verified models at any time.
  • The user provides various attributes, as well as a referrer address if desired, in order to initialize a new Model Collection.
  • The owner of a Model Collection will be able to add NFTs to their collection and set the purchasing token, as long as the purchasing token is a BEP20 token approved by the platform.
  • The owner of a Model Collection is also responsible for specifying the mint limit of the NFT and the URI which consists of the NFT data.
  • NFTs may be purchased until the mint limit is reached.
  • Part of the purchaser’s payment will be sent to a referrer wallet address specified by the creator of the Model Collection as long as the purchase time is within the referral window.
  • The referrer fee percentage is fixed at the time of initialization of the Model Collection and cannot be changed.
  • Another part of the purchaser’s payment will be sent to the platform.
  • The platform fee percentage is dynamically derived as the difference between the current platform fee percentage and the Model Collection’s set referral fee percentage.
  • Platform fees that are paid in the platform’s own token are sent to the project team’s Farm Contract; otherwise they will go to the platform team’s fee collection wallet.
  • The remaining part of the purchaser’s payment will be sent to the seller of the NFT.
  • On successful purchase, the NFT is minted to the purchaser’s address.
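
The payment split described in the notes above, modelled as an added Python example; it is not the project's contract code. Assumptions: fees are whole percents with integer division, the referral window starts when the collection is created, any unpaid referral share stays with the seller, and all names and sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MAX_PLATFORM_FEE_PCT = 15  # cap on the platform fee given in the Master notes

@dataclass(frozen=True)
class Collection:
    seller: str
    referrer: Optional[str]   # optional, chosen at initialization
    referral_fee_pct: int     # fixed at initialization
    created_at: int           # assumption: the referral window starts here

def split_payment(price, now, col, platform_fee_pct, referral_duration,
                  token, main_token):
    """Return {recipient: amount} for one purchase; amounts sum to price."""
    if not 0 <= platform_fee_pct <= MAX_PLATFORM_FEE_PCT:
        raise ValueError("platform fee outside 0..15%")
    if col.referral_fee_pct >= platform_fee_pct:
        # The platform share is a difference, so the referral fee must be lower.
        raise ValueError("referral fee must be below platform fee")
    platform_cut = price * (platform_fee_pct - col.referral_fee_pct) // 100
    in_window = (col.referrer is not None
                 and now <= col.created_at + referral_duration)
    referral_cut = price * col.referral_fee_pct // 100 if in_window else 0
    # Assumption: rounding dust and any unpaid referral share stay with the seller.
    seller_cut = price - platform_cut - referral_cut
    # Fees paid in the platform's own token go to the farm contract.
    platform_dest = "farm" if token == main_token else "fee_wallet"
    payout = {}
    for who, amount in ((col.seller, seller_cut), (platform_dest, platform_cut),
                        (col.referrer, referral_cut)):
        if amount:
            payout[who] = payout.get(who, 0) + amount
    assert sum(payout.values()) == price  # nothing created or lost
    return payout

# Constructed sample values, not taken from the deployed contracts.
DAY = 86_400
COL = Collection("seller", "referrer", referral_fee_pct=3, created_at=0)

if __name__ == "__main__":
    print(split_payment(1000, 10 * DAY, COL, 10, 30 * DAY, "MAIN", "MAIN"))
    print(split_payment(1000, 40 * DAY, COL, 10, 30 * DAY, "BUSD", "MAIN"))
```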

  • The Master contract is used to provide administrative control over the platform.
  • The owner is able to add and remove any admins at any time.
  • The owner is able to add and remove any valid BEP20 token to the list of accepted payment tokens at any time.
  • The owner or any admin is able to blacklist or unblacklist any model address at any time.
  • The owner is able to set the platform fee to any value up to 15% at any time, as long as it is greater than the referrer fee.
  • The owner is able to set the referrer fee to any value less than the platform fee at any time.
  • The owner is able to set the referral duration to any value at any time.
  • The owner is able to transfer ownership at any time.
  • The owner of the platform is able to set a Model Collection’s referrer address to any address at any time.
  • Blacklisted users will not be able to use this platform; the owner or any admin is able to blacklist or unblacklist any model address at any time.

  • Solidity v0.8.x is used across all contracts to prevent overflows.

Audit Findings Summary:
  • No security issues from outside attackers were identified.
  • The platform should not be used with ERC-777 tokens to prevent re-entrancy issues. This is uncommon.
  • Ensure trust in the team as they have substantial control in the ecosystem.
  • Date: July 2nd, 2021.

Audit Results

Vulnerability Category                 Notes   Result
Arbitrary Storage Write                N/A     PASS
Arbitrary Jump                         N/A     PASS
Delegate Call to Untrusted Contract    N/A     PASS
Dependence on Predictable Variables    N/A     PASS
Deprecated Opcodes                     N/A     PASS
Ether Thief                            N/A     PASS
Exceptions                             N/A     PASS
External Calls                         N/A     PASS
Integer Over/Underflow                 N/A     PASS
Multiple Sends                         N/A     PASS
Suicide                                N/A     PASS
State Change External Calls            N/A     PASS
Unchecked Retval                       N/A     PASS
User Supplied Assertion                N/A     PASS
Critical Solidity Compiler             N/A     PASS
Overall Contract Safety                        PASS

Smart Contract Graph

Contract Inheritance


 ($) = payable function
 # = non-constant function
 
 Int = Internal
 Ext = External
 Pub = Public
 
 + [Int] IBEP20 
    - [Ext] totalSupply
    - [Ext] decimals
    - [Ext] symbol
    - [Ext] name
    - [Ext] getOwner
    - [Ext] balanceOf
    - [Ext] transfer #
    - [Ext] allowance
    - [Ext] approve #
    - [Ext] transferFrom #

 + [Int] IPlatformMaster 
    - [Ext] getPlatformFee
    - [Ext] getPlatformOwner
    - [Ext] getFeeSplitter
    - [Ext] getPaymentTokens
    - [Ext] modelIsBlacklisted
    - [Ext] getFarmAddress
    - [Ext] getMainToken
    - [Ext] getModelContract
    - [Ext] logReferralPay #
    - [Ext] logTransferNft #
    - [Ext] logAddNft #
    - [Ext] logPurchaseNft #

 + [Lib] Counters 
    - [Int] current
    - [Int] increment #
    - [Int] decrement #

 + [Int] IERC165 
    - [Ext] supportsInterface

 + [Int] IERC721 (IERC165)
    - [Ext] balanceOf
    - [Ext] ownerOf
    - [Ext] safeTransferFrom #
    - [Ext] transferFrom #
    - [Ext] approve #
    - [Ext] getApproved
    - [Ext] setApprovalForAll #
    - [Ext] isApprovedForAll
    - [Ext] safeTransferFrom #

 + [Int] IERC721Receiver 
    - [Ext] onERC721Received #

 + [Int] IERC721Metadata (IERC721)
    - [Ext] name
    - [Ext] symbol
    - [Ext] tokenURI

 + [Lib] Address 
    - [Int] isContract
    - [Int] sendValue #
    - [Int] functionCall #
    - [Int] functionCall #
    - [Int] functionCallWithValue #
    - [Int] functionCallWithValue #
    - [Int] functionStaticCall
    - [Int] functionStaticCall
    - [Int] functionDelegateCall #
    - [Int] functionDelegateCall #
    - [Prv] _verifyCallResult

 +  Context 
    - [Int] _msgSender
    - [Int] _msgData

 + [Lib] Strings 
    - [Int] toString
    - [Int] toHexString
    - [Int] toHexString

 +  ERC165 (IERC165)
    - [Pub] supportsInterface

 +  ERC721 (Context, ERC165, IERC721, IERC721Metadata)
    - [Pub] <Constructor> #
    - [Pub] supportsInterface
    - [Pub] balanceOf
    - [Pub] ownerOf
    - [Pub] name
    - [Pub] symbol
    - [Pub] tokenURI
    - [Int] _baseURI
    - [Pub] approve #
    - [Pub] getApproved
    - [Pub] setApprovalForAll #
    - [Pub] isApprovedForAll
    - [Pub] transferFrom #
    - [Pub] safeTransferFrom #
    - [Pub] safeTransferFrom #
    - [Int] _safeTransfer #
    - [Int] _exists
    - [Int] _isApprovedOrOwner
    - [Int] _safeMint #
    - [Int] _safeMint #
    - [Int] _mint #
    - [Int] _burn #
    - [Int] _transfer #
    - [Int] _approve #
    - [Prv] _checkOnERC721Received #
    - [Int] _beforeTokenTransfer #

 +  ModelCollection (ERC721)
    - [Pub] <Constructor> #
       - modifiers: ERC721
    - [Ext] initialize #
       - modifiers: lockInitializer
    - [Pub] name
    - [Ext] addNft #
       - modifiers: onlyModel,checkBlacklist
    - [Ext] tokennftId
    - [Ext] purchaseNft #
       - modifiers: checkBlacklist
    - [Ext] overrideReferrer #
       - modifiers: onlyPlatformOwner
    - [Int] mintNFT #
    - [Int] setTokennftId #
    - [Int] setTokenURI #
    - [Int] distributeFee #
    - [Pub] tokenURI
    - [Int] _transfer #

 +  Master (IPlatformMaster)
    - [Pub] <Constructor> #
    - [Ext] addAdmin #
       - modifiers: onlyOwner
    - [Ext] removeAdmin #
       - modifiers: onlyOwner
    - [Ext] addPaymentToken #
       - modifiers: onlyOwner
    - [Ext] removePaymentToken #
       - modifiers: onlyOwner
    - [Ext] getPaymentTokens
    - [Ext] blacklist #
       - modifiers: onlyAdmin
    - [Ext] unBlacklist #
       - modifiers: onlyAdmin
    - [Ext] modelIsBlacklisted
    - [Ext] setPlatformFee #
       - modifiers: onlyOwner
    - [Ext] setReferrerFee #
       - modifiers: onlyOwner
    - [Ext] setFarmAddress #
       - modifiers: onlyOwner
    - [Ext] getFarmAddress
    - [Ext] setMainToken #
       - modifiers: onlyOwner
    - [Ext] getMainToken
    - [Ext] setReferralDuration #
       - modifiers: onlyOwner
    - [Ext] getPlatformFee
    - [Ext] getPlatformOwner
    - [Ext] transferOwnership #
       - modifiers: onlyOwner
    - [Ext] getFeeSplitter
    - [Ext] setFeeSplitter #
       - modifiers: onlyOwner
    - [Ext] verifyModel #
       - modifiers: onlyAdmin
    - [Ext] getModelContract
    - [Ext] newCollectionContract #
    - [Ext] logReferralPay #
       - modifiers: onlyChildContract
    - [Ext] logTransferNft #
       - modifiers: onlyChildContract
    - [Ext] logAddNft #
       - modifiers: onlyChildContract
    - [Ext] logPurchaseNft #
       - modifiers: onlyChildContract