{"id":506,"date":"2023-05-23T12:35:49","date_gmt":"2023-05-23T10:35:49","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=506"},"modified":"2024-05-16T12:50:45","modified_gmt":"2024-05-16T10:50:45","slug":"mintdao-cross-chain-nfts-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/mintdao-cross-chain-nfts-audit-summary\/","title":{"rendered":"MintDAO: Cross-chain NFTs audit summary"},"content":{"rendered":"<p><a href=\"https:\/\/mintdao.io\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">MintDAO<\/span><\/a><span style=\"font-weight: 400;\"> is a company dedicated to providing advanced cross-chain NFT solutions to the ever-growing NFT market.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">MintDAO engaged Ackee Blockchain to perform a security review of contracts that focus on cross-chain manipulation of NFTs. The review took 3 engineering days between January 30 and February 3, 2023, and was performed on commit <\/span><strong>5ad4033<\/strong><span style=\"font-weight: 400;\"> (Revision 1.0).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The MintDAO team then provided an updated codebase that addresses the issues from Revision 1.0. On February 19, 2023, Ackee Blockchain reviewed the fixes, which were provided in a private repository at commit <\/span><strong>784ebac<\/strong><span style=\"font-weight: 400;\"> (Revision 1.1).<\/span><\/p>\n<h4><b>METHODOLOGY<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We began our review by using static analysis tools, namely <\/span><span style=\"font-weight: 400;\">Slither <\/span><span style=\"font-weight: 400;\">and <\/span><span style=\"font-weight: 400;\">Woke<\/span><span style=\"font-weight: 400;\">. We then took a deep dive into the logic of the contracts. 
Additionally, we implemented cross-chain tests using the <\/span><a href=\"https:\/\/getwake.io\/\"><span style=\"font-weight: 400;\">Wake testing framework<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring that NFTs can\u2019t be duplicated by cross-chain transfers,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">looking for common issues such as missing data validation,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">validating the interactions with the Axelar contracts,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">validating the correctness of the upgradeability pattern,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring that the contracts follow the architecture recommended by Axelar,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detecting possible ERC721 reentrancies in the code,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">testing that cross-chain interactions work as expected,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring that the owner role can\u2019t be abused or compromised.<\/span><\/li>\n<\/ul>\n<h4><b>SCOPE<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">We performed a security review of contracts that focus on cross-chain manipulation of NFTs. The audit was performed on commit <\/span><strong>5ad4033<\/strong><span style=\"font-weight: 400;\"> (Revision 1.0). 
<\/span><span style=\"font-weight: 400;\">Later on, Ackee Blockchain reviewed the fixes, which were provided in a private repository at commit <\/span><strong>784ebac<\/strong><span style=\"font-weight: 400;\"> (Revision 1.1).<\/span><\/p>\n<h4><b>FINDINGS<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here we present our findings.<\/span><\/p>\n<h5><b>Critical severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.<\/span><\/p>\n<h5><b>High severity<\/b><\/h5>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.<\/span><\/p>\n<h5><b>Medium severity<\/b><\/h5>\n<p><b>M1: <\/b><span style=\"font-weight: 400;\">Two-phase Owner transfer<\/span><\/p>\n<p><b>M2:<\/b><span style=\"font-weight: 400;\"> Lack of data validation in init functions<\/span><\/p>\n<p><b>M3: <\/b><span style=\"font-weight: 400;\">Owner Can Cause DoS<\/span><\/p>\n<p><b>M4: <\/b><span style=\"font-weight: 400;\">Data Validation in sendNFTs()<\/span><\/p>\n<h5><b>Low severity<\/b><\/h5>\n<p><b>L1:<\/b><span style=\"font-weight: 400;\"> Lack of logging<\/span><\/p>\n<p><b>L2:<\/b><span style=\"font-weight: 400;\"> Constructor Without Initializer<\/span><\/p>\n<p><b>L3:<\/b><span style=\"font-weight: 400;\"> Upgradeable Contract Without Storage Gap<\/span><\/p>\n<h5><b>Warning severity<\/b><\/h5>\n<p><b>W1:<\/b><span style=\"font-weight: 400;\"> Usage of <\/span><span style=\"font-weight: 400;\">solc <\/span><span style=\"font-weight: 400;\">optimizer<\/span><\/p>\n<p><b>W2:<\/b><span style=\"font-weight: 400;\"> Owner role can be renounced<\/span><\/p>\n<p><b>W3: <\/b><span style=\"font-weight: 400;\">Exposure of sensitive data<\/span><\/p>\n<p><b>W4:<\/b><span style=\"font-weight: 400;\"> Floating pragma<\/span><\/p>\n<p><b>W5:<\/b><span style=\"font-weight: 400;\"> Inconsistency of 
safeMint and transferFrom<\/span><\/p>\n<h5><b>Informational severity<\/b><\/h5>\n<p><b>I1: <\/b><span style=\"font-weight: 400;\">Abstract Contract Named As Interface<\/span><\/p>\n<h4><b>CONCLUSION<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our review resulted in <\/span><b>13<\/b><span style=\"font-weight: 400;\"> findings, ranging from <\/span><i><span style=\"font-weight: 400;\">Info<\/span><\/i><span style=\"font-weight: 400;\"> to <\/span><i><span style=\"font-weight: 400;\">Medium<\/span><\/i><span style=\"font-weight: 400;\"> severity.<\/span><\/p>\n<p><b>We recommended that MintDAO:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">pay more attention to data validation,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">address all other reported issues.<\/span><\/li>\n<\/ul>\n<p><b>Update: <\/b><span style=\"font-weight: 400;\">The MintDAO team provided an updated codebase that addresses the issues from Revision 1.0. We consider the fixes to be well-implemented. Some of the issues were intentionally left unaddressed and are marked as \u2018acknowledged\u2019.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit<\/span><b> MintDAO<\/b><span style=\"font-weight: 400;\"> and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MintDAO is a company dedicated to providing advanced cross-chain NFT solutions to the ever-growing NFT market. MintDAO engaged Ackee Blockchain to perform a security review of contracts that focus on cross-chain manipulation of NFTs. 
The review took 3 engineering days between January 30 and February 3, 2023, and was performed on commit&hellip;<\/p>\n","protected":false},"author":15,"featured_media":507,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,103],"tags":[21,89,121,104],"class_list":["post-506","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-wake","tag-audit","tag-audit-summary","tag-mintdao","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/05\/Mintdao-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/05\/Mintdao-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=506"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/506\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/507"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}