VProve - Smart Contract Audit Report
Summary
VProve is creating a new on-chain platform for identity verification via NFTs.
Notes on the Contracts
- The VProve system is set up so anyone can validate the authenticity of accounts belonging to a particular person or company using on-chain information.
- The protocol achieves this by allowing users to mint NFTs, input their identifying data, and verify the relationship to the NFT off-chain (such as to a Twitter account or website).
- There is a fee associated with registering a new NFT, which can be updated by the team at any time.
- After this verification is complete, the user will be sent the NFT to their address, thereby allowing them to prove their identity in a decentralized manner.
- Users who registered as a company will be able to add members to their company and have that represented on-chain.
- The verification process for confirming a user's identifying data is performed manually by the team. Therefore, trust in the team is required as they must actively maintain the project.
- In createPrivateAccount() and createBussinessAccount(), defining _isPrivate as true or false and then passing that variable into _createAccount() is redundant. Instead, the code can simply pass true or false directly into the _createAccount() function.
- The _createAccount() function checks if the user sent more than required for the registration fee and returns the excess with a .call. This could open the door to reentrancy issues and is not necessary. Instead, it is advisable to require(msg.value == REGISTRATION_FEE).
- Company.registerAccount() can be declared external instead of public to save a small amount of gas on each call.
- The contracts utilize SafeMath to prevent overflows and conform with the ERC721 NFT standard.
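The two code notes above (passing the boolean literal directly, and requiring the exact fee instead of refunding the excess with .call) are sketched here as an added example; this is not the VProve source. The storage layout, event, fee value, compiler version and the helper names createWithRefund and _record are assumptions; only createPrivateAccount, createBussinessAccount, _createAccount and REGISTRATION_FEE come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed compiler version for this illustration

// Added illustration, not the audited contract. Bodies and storage are assumptions.
contract RegistrationFeeExample {
    uint256 public REGISTRATION_FEE = 0.01 ether; // constructed value
    uint256 public nextId;
    mapping(uint256 => address) public registrant;
    mapping(uint256 => bool) public isPrivateAccount;

    event AccountCreated(uint256 indexed id, address indexed user, bool isPrivate);

    // Pattern the report describes: accept overpayment, refund the excess with .call.
    // The .call hands control to msg.sender, so every state change must already be
    // final before it runs (checks-effects-interactions).
    function createWithRefund(bool isPrivate) external payable {
        require(msg.value >= REGISTRATION_FEE, "fee too low");
        _record(msg.sender, isPrivate);
        uint256 excess = msg.value - REGISTRATION_FEE;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }

    // Recommended form: the literal is passed straight through, with no
    // intermediate _isPrivate variable in the caller.
    function createPrivateAccount() external payable {
        _createAccount(true);
    }

    function createBussinessAccount() external payable {
        _createAccount(false);
    }

    // Exact-fee check: nothing to refund, so no external call is made at all.
    function _createAccount(bool _isPrivate) internal {
        require(msg.value == REGISTRATION_FEE, "exact fee required");
        _record(msg.sender, _isPrivate);
    }

    function _record(address user, bool isPrivate) private {
        uint256 id = nextId++;
        registrant[id] = user;
        isPrivateAccount[id] = isPrivate;
        emit AccountCreated(id, user, isPrivate);
    }
}
```

Because the team can update the fee at any time, an exact-match check means a registration signed against the old fee reverts after a fee change instead of being accepted at a different price.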
Audit Findings Summary:
- No security issues from outside attackers were identified.
- Investing requires placing trust in the project team as they have notable power in the ecosystem.
- Date: April 13th, 2020
External Threat Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Storage Write | N/A | PASS |
Arbitrary Jump | N/A | PASS |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | PASS |
Deprecated Opcodes | N/A | PASS |
Ether Thief | N/A | PASS |
Exceptions | N/A | PASS |
External Calls | N/A | PASS |
Integer Over/Underflow | N/A | PASS |
Multiple Sends | N/A | PASS |
Suicide | N/A | PASS |
State Change External Calls | N/A | PASS |
Unchecked Retval | N/A | PASS |
User Supplied Assertion | N/A | PASS |
Critical Solidity Compiler | N/A | PASS |
Overall Contract Safety | | PASS |
Details: Company Contract
Inheritance Chart
Function Graph
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ [Lib] SafeMath
- [Int] tryAdd
- [Int] trySub
- [Int] tryMul
- [Int] tryDiv
- [Int] tryMod
- [Int] add
- [Int] sub
- [Int] mul
- [Int] div
- [Int] mod
- [Int] sub
- [Int] div
- [Int] mod
+ [Lib] Counters
- [Int] current
- [Int] increment #
- [Int] decrement #
+ Context
- [Int] _msgSender
- [Int] _msgData
+ Company (Context)
- [Ext] ($)
- [Ext] initialize #
- modifiers: initializer
- [Pub] registerAccount #
- modifiers: onlyOwner
- [Ext] removeAccount #
- modifiers: onlyOwner
- [Ext] updateRole #
- modifiers: onlyOwner
Details: VProof Contract
Inheritance Chart
Function Graph
Functions Overview
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ Context
- [Int] _msgSender
- [Int] _msgData
+ [Int] IERC165
- [Ext] supportsInterface
+ [Int] IERC721 (IERC165)
- [Ext] balanceOf
- [Ext] ownerOf
- [Ext] safeTransferFrom #
- [Ext] transferFrom #
- [Ext] approve #
- [Ext] getApproved
- [Ext] setApprovalForAll #
- [Ext] isApprovedForAll
- [Ext] safeTransferFrom #
+ [Int] IERC721Metadata (IERC721)
- [Ext] name
- [Ext] symbol
- [Ext] tokenURI
+ [Int] IERC721Enumerable (IERC721)
- [Ext] totalSupply
- [Ext] tokenOfOwnerByIndex
- [Ext] tokenByIndex
+ [Int] IERC721Receiver
- [Ext] onERC721Received #
+ ERC165 (IERC165)
- [Pub] #
- [Pub] supportsInterface
- [Int] _registerInterface #
+ [Lib] SafeMath
- [Int] tryAdd
- [Int] trySub
- [Int] tryMul
- [Int] tryDiv
- [Int] tryMod
- [Int] add
- [Int] sub
- [Int] mul
- [Int] div
- [Int] mod
- [Int] sub
- [Int] div
- [Int] mod
+ [Lib] Address
- [Int] isContract
- [Int] sendValue #
- [Int] functionCall #
- [Int] functionCall #
- [Int] functionCallWithValue #
- [Int] functionCallWithValue #
- [Int] functionStaticCall
- [Int] functionStaticCall
- [Int] functionDelegateCall #
- [Int] functionDelegateCall #
- [Prv] _verifyCallResult
+ [Lib] EnumerableSet
- [Prv] _add #
- [Prv] _remove #
- [Prv] _contains
- [Prv] _length
- [Prv] _at
- [Int] add #
- [Int] remove #
- [Int] contains
- [Int] length
- [Int] at
- [Int] add #
- [Int] remove #
- [Int] contains
- [Int] length
- [Int] at
- [Int] add #
- [Int] remove #
- [Int] contains
- [Int] length
- [Int] at
+ [Lib] EnumerableMap
- [Prv] _set #
- [Prv] _remove #
- [Prv] _contains
- [Prv] _length
- [Prv] _at
- [Prv] _tryGet
- [Prv] _get
- [Prv] _get
- [Int] set #
- [Int] remove #
- [Int] contains
- [Int] length
- [Int] at
- [Int] tryGet
- [Int] get
- [Int] get
+ [Lib] Strings
- [Int] toString
+ ERC721 (Context, ERC165, IERC721, IERC721Metadata, IERC721Enumerable)
- [Pub] #
- [Pub] balanceOf
- [Pub] ownerOf
- [Pub] name
- [Pub] symbol
- [Pub] tokenURI
- [Pub] baseURI
- [Pub] tokenOfOwnerByIndex
- [Pub] totalSupply
- [Pub] tokenByIndex
- [Pub] approve #
- [Pub] getApproved
- [Pub] setApprovalForAll #
- [Pub] isApprovedForAll
- [Pub] transferFrom #
- [Pub] safeTransferFrom #
- [Pub] safeTransferFrom #
- [Int] _safeTransfer #
- [Int] _exists
- [Int] _isApprovedOrOwner
- [Int] _safeMint #
- [Int] _safeMint #
- [Int] _mint #
- [Int] _burn #
- [Int] _transfer #
- [Int] _setTokenURI #
- [Int] _setBaseURI #
- [Prv] _checkOnERC721Received #
- [Prv] _approve #
- [Int] _beforeTokenTransfer #
+ [Lib] Counters
- [Int] current
- [Int] increment #
- [Int] decrement #
+ [Lib] Clones
- [Int] clone #
- [Int] cloneDeterministic #
- [Int] predictDeterministicAddress
- [Int] predictDeterministicAddress
+ Ownable (Context)
- [Pub] #
- [Pub] owner
- [Pub] renounceOwnership #
- modifiers: onlyOwner
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ Company (Context)
- [Ext] ($)
- [Ext] initialize #
- modifiers: initializer
- [Pub] registerAccount #
- modifiers: onlyOwner
- [Ext] removeAccount #
- modifiers: onlyOwner
- [Ext] updateRole #
- modifiers: onlyOwner
+ VProve (ERC721, Ownable)
- [Pub] #
- modifiers: ERC721
- [Ext] ($)
- [Int] deployInstance #
- [Ext] createPrivateAccount ($)
- [Ext] createBussinessAccount ($)
- [Int] _createAccount #
- [Ext] getContractEtherBalance
- [Ext] getRegistrationFees
- [Ext] setRegistrationFees #
- modifiers: onlyOwner
- [Ext] withdraw #
- modifiers: onlyOwner
- [Int] isNull