NaftyArt - Smart Contract Audit Report
Summary
Nafty is building an NFT auctioning marketplace on the Binance Smart Chain.
For this audit, we reviewed the project team's contract at 0xc753316ee782030C2E898e0bbacFB1DbAC31eaA7 on the Binance Smart Chain.
Notes on the Contracts:
- This contract allows users to mint, auction off, and bid on Nafty NFT tokens.
- Users have the ability to mint Nafty NFTs to themselves at any time, for free (after gas fees).
- Users can list their NFT for a specified price with a simple auction, or start a custom-timed auction in which the highest bidder will receive the NFT after auction expiration.
- When creating an auction, users also provide an ERC20 token address that determines the auction's payment token, or the 0 address to indicate BNB as the payment.
- When bidding on an auction, a user must bid a certain amount more than the current price. This amount can be changed by the contract owner at any time.
- When a user bids on a timed auction, their bid tokens will be stored in the contract and will be returned to the user if a higher bid is made.
- Once an auction has expired, anyone can trigger the exchange of the NFT between the seller and the highest bidder. The seller will have a system fee and a creator fee taken out of the final price. The system fee goes to the project team and the creator fee goes to the original creator of the NFT.
- Both the system and creator fee start at 5%, but can be changed at any time by the owner.
- The owner can burn any NFT at any time.
- The owner can recover any BNB erroneously sent to the contract.
- Note that some variables should be declared constant for gas saving purposes.
- Note that many functions can be declared external for gas saving purposes.
- Solidity v0.8.x is used across all contracts to prevent overflows.
Audit Findings Summary:
- No security issues from outside attackers were identified.
- Ensure trust in the team as they have substantial control in the ecosystem.
- Date: September 7th, 2021.
Audit Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Storage Write | N/A | PASS |
Arbitrary Jump | N/A | PASS |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | PASS |
Deprecated Opcodes | N/A | PASS |
Ether Thief | N/A | PASS |
Exceptions | N/A | PASS |
External Calls | N/A | PASS |
Integer Over/Underflow | N/A | PASS |
Multiple Sends | N/A | PASS |
Suicide | N/A | PASS |
State Change External Calls | N/A | PASS |
Unchecked Retval | N/A | PASS |
User Supplied Assertion | N/A | PASS |
Critical Solidity Compiler | N/A | PASS |
Overall Contract Safety | | PASS |
($) = payable function
# = non-constant function
+ [Int] ILiquidityPool
- [Ext] unlock #
- [Ext] send #
- [Ext] setLockupPeriod #
- [Ext] totalBalance
+ [Int] IBNBLiquidityPool (ILiquidityPool)
- [Ext] lock ($)
+ [Int] IBufferOptions
- [Ext] options
+ [Int] IBufferStaking
- [Ext] claimProfit #
- [Ext] buy #
- [Ext] sell #
- [Ext] profitOf
+ [Int] IBufferStakingBNB (IBufferStaking)
- [Ext] sendProfit ($)
+ [Int] IBufferStakingIBFR (IBufferStaking)
- [Ext] sendProfit #
+ [Int] IAccessControl
- [Ext] hasRole
- [Ext] getRoleAdmin
- [Ext] grantRole #
- [Ext] revokeRole #
- [Ext] renounceRole #
+ Context
- [Int] _msgSender
- [Int] _msgData
+ [Lib] Strings
- [Int] toString
- [Int] toHexString
- [Int] toHexString
+ [Int] IERC165
- [Ext] supportsInterface
+ ERC165 (IERC165)
- [Pub] supportsInterface
+ AccessControl (Context, IAccessControl, ERC165)
- [Pub] supportsInterface
- [Pub] hasRole
- [Int] _checkRole
- [Pub] getRoleAdmin
- [Pub] grantRole #
- modifiers: onlyRole
- [Pub] revokeRole #
- modifiers: onlyRole
- [Pub] renounceRole #
- [Int] _setupRole #
- [Int] _setRoleAdmin #
- [Prv] _grantRole #
- [Prv] _revokeRole #
+ [Int] IERC20
- [Ext] totalSupply
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ [Int] IERC20Metadata (IERC20)
- [Ext] name
- [Ext] symbol
- [Ext] decimals
+ ERC20 (Context, IERC20, IERC20Metadata)
- [Pub] #
- [Pub] name
- [Pub] symbol
- [Pub] decimals
- [Pub] totalSupply
- [Pub] balanceOf
- [Pub] transfer #
- [Pub] allowance
- [Pub] approve #
- [Pub] transferFrom #
- [Pub] increaseAllowance #
- [Pub] decreaseAllowance #
- [Int] _transfer #
- [Int] _mint #
- [Int] _burn #
- [Int] _approve #
- [Int] _beforeTokenTransfer #
- [Int] _afterTokenTransfer #
+ BufferBNBPool (AccessControl, ERC20, IBNBLiquidityPool)
- [Pub] #
- [Ext] setLockupPeriod #
- [Ext] revertTransfersInLockUpPeriod #
- [Ext] provide ($)
- [Ext] withdraw #
- [Ext] lock ($)
- [Ext] unlock #
- [Ext] send #
- [Ext] shareOf
- [Pub] availableBalance
- [Pub] totalBalance
- [Int] _beforeTokenTransfer #
- [Pub] fullMul
- [Pub] mulDiv
- [Int] divCeil
+ [Int] IERC721 (IERC165)
- [Ext] balanceOf
- [Ext] ownerOf
- [Ext] safeTransferFrom #
- [Ext] transferFrom #
- [Ext] approve #
- [Ext] getApproved
- [Ext] setApprovalForAll #
- [Ext] isApprovedForAll
- [Ext] safeTransferFrom #
+ [Int] IERC721Receiver
- [Ext] onERC721Received #
+ [Int] IERC721Metadata (IERC721)
- [Ext] name
- [Ext] symbol
- [Ext] tokenURI
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Int] functionStaticCall
- [Int] functionStaticCall
- [Int] functionDelegateCall #
- [Int] functionDelegateCall #
- [Int] verifyCallResult
+ ERC721 (Context, ERC165, IERC721, IERC721Metadata)
- [Pub] #
- [Pub] supportsInterface
- [Pub] balanceOf
- [Pub] ownerOf
- [Pub] name
- [Pub] symbol
- [Pub] tokenURI
- [Int] _baseURI
- [Pub] approve #
- [Pub] getApproved
- [Pub] setApprovalForAll #
- [Pub] isApprovedForAll
- [Pub] transferFrom #
- [Pub] safeTransferFrom #
- [Pub] safeTransferFrom #
- [Int] _safeTransfer #
- [Int] _exists
- [Int] _isApprovedOrOwner
- [Int] _safeMint #
- [Int] _safeMint #
- [Int] _mint #
- [Int] _burn #
- [Int] _transfer #
- [Int] _approve #
- [Prv] _checkOnERC721Received #
- [Int] _beforeTokenTransfer #
+ ERC721Burnable (Context, ERC721)
- [Pub] burn #
+ [Int] IERC721Enumerable (IERC721)
- [Ext] totalSupply
- [Ext] tokenOfOwnerByIndex
- [Ext] tokenByIndex
+ ERC721Enumerable (ERC721, IERC721Enumerable)
- [Pub] supportsInterface
- [Pub] tokenOfOwnerByIndex
- [Pub] totalSupply
- [Pub] tokenByIndex
- [Int] _beforeTokenTransfer #
- [Prv] _addTokenToOwnerEnumeration #
- [Prv] _addTokenToAllTokensEnumeration #
- [Prv] _removeTokenFromOwnerEnumeration #
- [Prv] _removeTokenFromAllTokensEnumeration #
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
- [Prv] _setOwner #
+ [Int] AggregatorV3Interface
- [Ext] decimals
- [Ext] description
- [Ext] version
- [Ext] getRoundData
- [Ext] latestRoundData
+ BaseBufferBNBOptions (IBufferOptions, Ownable, ERC721, ERC721Enumerable, ERC721Burnable, AccessControl)
- [Pub] #
- modifiers: ERC721
- [Ext] setImpliedVolRate #
- modifiers: onlyOwner
- [Ext] setSettlementFeePercentage #
- modifiers: onlyOwner
- [Ext] setSettlementFeeRecipient #
- modifiers: onlyOwner
- [Ext] setStakingFeePercentage #
- modifiers: onlyOwner
- [Ext] setReferralRewardPercentage #
- modifiers: onlyOwner
- [Ext] setOptionCollaterizationRatio #
- modifiers: onlyOwner
- [Int] _create #
- [Int] distributeSettlementFee #
- [Pub] fees
- [Int] getPeriodFee
- [Int] getStrikeFee
- [Int] getSettlementFee
- [Int] createOptionFor #
- [Int] _baseURI
- [Int] _beforeTokenTransfer #
- [Pub] supportsInterface
- [Int] sqrt
+ BufferBNBPredictions (BaseBufferBNBOptions)
- [Pub] #
- modifiers: BaseBufferBNBOptions
- [Pub] optionDetails
- [Ext] create ($)
- [Pub] execute #
- [Ext] executeAll #
- [Int] _transfer #