World Marketplace - Smart Contract Audit Report
Summary
The World team has built a unique platform that combines the best tokenomics of current frictionless yield protocols for instant rewards with the additional benefits of staking in the upcoming marketplace.
We reviewed WORLD's marketplace contracts using code provided to us by the team. We previously audited other parts of the WORLD ecosystem here.
Notes on the Marketplace:
- This contract is a new offering from the WORLD team where users can purchase and exchange goods and services using WORLD tokens.
- Approved merchants can create offerings to offer their products/services, represented as NFTs in the contract.
- Buyers can deposit funds into the contract to purchase an offering.
- The funds deposited will be held in escrow until the buyer releases the funds.
- In the case of a dispute, 'Judges' are appointed to resolve issues. Sellers also have the option of refunding buyers.
- There is a tax charged to sellers when they receive their funds. By default, the tax is 3%.
- Addresses with MerchantRegistrant permission have the ability to set other addresses as Merchants. The team determines which addresses will be granted the MerchantRegistrant role.
- Addresses with JudgeRegistrant permission have the ability to set other addresses as Judges. The team determines which addresses will be granted the JudgeRegistrant role.
- The owner can also set the tax fee percentage, up to a maximum of 10%, and the destination of tax fees.
- Currently, tax percentages can only be set in increments of 1% (1%, 2%, 3%, etc.) due to a division by 100 when calculating the fee. It may be desirable to divide by 1000 instead, so that a more precise tax percentage can be set (0.7%, 1.2%, etc.).
- Given the depth of the inline assembly, usage of the compiler optimizer is required for deployment.
- Solidity 0.8.0 is used, which contains built-in overflow checks, removing the need for SafeMath.
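The tax-precision note above, as an added example that is not the WORLD team's code: the fee calculation with a denominator of 1000 next to the current denominator of 100. The contract, function and variable names are hypothetical; only the 3% default, the 10% cap and the two denominators come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only. All names are hypothetical, not WORLD's identifiers.
contract TaxMathExample {
    uint256 public constant DENOMINATOR = 1000; // one unit = 0.1%
    uint256 public constant MAX_TAX = 100;      // 100 / 1000 = the 10% cap
    uint256 public taxPerMille = 30;            // 30 / 1000 = the 3% default

    // When moving from /100 to /1000, the stored rate and the cap must both be
    // rescaled (3 -> 30, 10 -> 100). Leaving the rate at 3 would silently turn
    // a 3% tax into 0.3%; leaving the cap at 10 would limit the tax to 1%.

    // Access control is omitted here; the audited contract restricts
    // tax changes to the owner.
    function setTaxPerMille(uint256 newTax) external {
        require(newTax <= MAX_TAX, "tax above 10%");
        taxPerMille = newTax;
    }

    // Denominator 100: only whole percentages can be expressed.
    function feeWholePercent(uint256 amount, uint256 percent)
        public
        pure
        returns (uint256)
    {
        return (amount * percent) / 100;
    }

    // Denominator 1000: taxPerMille = 7 is 0.7%, 12 is 1.2%.
    function feePerMille(uint256 amount)
        public
        view
        returns (uint256 fee, uint256 toSeller)
    {
        // Multiply before dividing to keep precision. Integer division
        // truncates toward zero, so very small amounts can yield a fee of 0
        // (for example amount = 999 at 0.1%). Solidity 0.8 reverts if the
        // multiplication overflows.
        fee = (amount * taxPerMille) / DENOMINATOR;
        toSeller = amount - fee;
    }
}
```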
Audit Findings Summary:
- No security issues from outside attackers were identified.
- The team lead has completed KYC with our firm.
- Date: June 5th, 2021.
External Threat Results
Vulnerability Category | Notes | Result |
---|---|---|
Arbitrary Storage Write | N/A | PASS |
Arbitrary Jump | N/A | PASS |
Delegate Call to Untrusted Contract | N/A | PASS |
Dependence on Predictable Variables | N/A | PASS |
Deprecated Opcodes | N/A | PASS |
Ether Thief | N/A | PASS |
Exceptions | N/A | PASS |
External Calls | N/A | PASS |
Flash Loans | N/A | PASS |
Integer Over/Underflow | N/A | PASS |
Multiple Sends | N/A | PASS |
Oracles | N/A | PASS |
Suicide | N/A | PASS |
State Change External Calls | N/A | PASS |
Unchecked Retval | N/A | PASS |
User Supplied Assertion | N/A | PASS |
Critical Solidity Compiler | N/A | PASS |
Overall Contract Safety | | PASS |
($) = payable function
# = non-constant function
Int = Internal
Ext = External
Pub = Public
+ [Int] IERC20
  - [Ext] totalSupply
  - [Ext] balanceOf
  - [Ext] transfer #
  - [Ext] allowance
  - [Ext] approve #
  - [Ext] transferFrom #
+ [Int] IERC165
  - [Ext] supportsInterface
+ [Int] IERC721 (IERC165)
  - [Ext] balanceOf
  - [Ext] ownerOf
  - [Ext] safeTransferFrom #
  - [Ext] transferFrom #
  - [Ext] approve #
  - [Ext] getApproved
  - [Ext] setApprovalForAll #
  - [Ext] isApprovedForAll
  - [Ext] safeTransferFrom #
+ [Int] IERC1155 (IERC165)
  - [Ext] balanceOf
  - [Ext] balanceOfBatch
  - [Ext] setApprovalForAll #
  - [Ext] isApprovedForAll
  - [Ext] safeTransferFrom #
  - [Ext] safeBatchTransferFrom #
+ [Lib] Address
  - [Int] isContract
  - [Int] sendValue #
  - [Int] functionCall #
  - [Int] functionCall #
  - [Int] functionCallWithValue #
  - [Int] functionCallWithValue #
  - [Int] functionStaticCall
  - [Int] functionStaticCall
  - [Int] functionDelegateCall #
  - [Int] functionDelegateCall #
  - [Prv] _verifyCallResult
+ [Lib] SafeERC20
  - [Int] safeTransfer #
  - [Int] safeTransferFrom #
  - [Int] safeApprove #
  - [Int] safeIncreaseAllowance #
  - [Int] safeDecreaseAllowance #
  - [Prv] _callOptionalReturn #
+ [Lib] ECDSA
  - [Int] recover
  - [Int] recover
  - [Int] toEthSignedMessageHash
  - [Int] toTypedDataHash
+ EIP712
  - [Pub] #
  - [Int] _domainSeparatorV4
  - [Prv] _buildDomainSeparator
  - [Int] _hashTypedDataV4
+ Context
  - [Int] _msgSender
  - [Int] _msgData
+ Ownable (Context)
  - [Pub] #
  - [Pub] owner
  - [Pub] renounceOwnership #
    - modifiers: onlyOwner
  - [Pub] transferOwnership #
    - modifiers: onlyOwner
+ BaseWorldMarketplace (Ownable)
  - [Ext] setJudgeRegistrant #
    - modifiers: onlyOwner
  - [Ext] setJudge #
  - [Ext] setMerchantRegistrant #
    - modifiers: onlyOwner
  - [Ext] setMerchant #
+ WorldMarketplaceV1 (BaseWorldMarketplace, EIP712)
  - [Pub] #
    - modifiers: EIP712
  - [Int] _releasePaymentToSeller #
  - [Ext] payNFTOrder #
  - [Ext] payOrder #
  - [Ext] releasePayment #
  - [Ext] releasePaymentWithMessage #
  - [Ext] refundBuyer #
  - [Ext] refundBuyerWithMessage #
  - [Ext] fileDispute #
  - [Ext] resolveDispute #
  - [Ext] setTaxRecipient #
    - modifiers: onlyOwner
  - [Ext] setTaxPercentage #
    - modifiers: onlyOwner