Hacken
Audits
neuralai
[SCA] NeuralAI | Staking & Marketplace | May2024

NeuralAI

Audit name:

[SCA] NeuralAI | Staking & Marketplace | May2024

Date:

Jun 6, 2024

Table of Content

→Introduction

→Audit Summary

→Document Information

→System Overview

→Executive Summary

→Risks

→Findings

→Appendix 1. Severity Definitions

→Appendix 2. Scope

→Disclaimer

Want a comprehensive audit report like this?

Introduction

We express our gratitude to the NeuralAI team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Neural AI is a staking and marketplace project.

title	content
Platform	EVM
Language	Solidity
Tags	Solidity, Staking, Token Sales, ERC-721
Timeline	20/05/2024 - 22/05/2024
Methodology	https://hackenio.cc/sc_methodology→

Review Scope
Repository	https://github.com/GoNeuralAI/neural-staking→
Commit	a315896
Repository	https://github.com/GoNeuralAI/neural-marketplace→
Commit	498a114c

Review Scope
Repository
https://github.com/GoNeuralAI/neural-staking→
Commit
a315896
Repository
https://github.com/GoNeuralAI/neural-marketplace→
Commit
498a114c

Audit Summary

Total9.8/10

Security Score

10/10

Test Coverage

100%

Code Quality Score

10/10

Documentation Quality Score

8/10

9Total Findings

9Resolved

0Accepted

0Mitigated

1critical

1high

2low

5observation

The system users should acknowledge all the risks summed up in the risks section of the report

Document Information

This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.

The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.

Document
Name	Smart Contract Code Review and Security Analysis Report for NeuralAI
Audited By	Olesia Bilenka
Approved By	Ataberk Yavuzer
Website	https://goneural.ai/→
Changelog	23/05/2024 - Preliminary Report
	31/05/2024 - Final Report

Document
Name
Smart Contract Code Review and Security Analysis Report for NeuralAI
Audited By
Olesia Bilenka
Approved By
Ataberk Yavuzer
Website
https://goneural.ai/→
Changelog
23/05/2024 - Preliminary Report
31/05/2024 - Final Report

System Overview

Neural AI is a staking and marketplace project with the following contracts:

NeuralNft — is an ERC-721 token.

NeuralMarketplace - is an NFT sale contract. It allows users to list their NFTs and set a price, as well as update or withdraw their listings. Additionally, users can purchase NFTs through the contract. When an NFT is bought, a fee is deducted from the sale price, which is defined by the contract owner.

UniSafeERC20 - is a library for the safe transfer of ERC-20 tokens and ETH. It is used in the NeuralMarketplace contract.

NeuralStaking - is a staking smart contract. It allows users to stake their tokens and to earn rewards in the form of the the defined reward token. The contract is responsible for distributing rewards based on the amount of tokens staked and the amount of rewards deposited by the contract owner.

Privileged roles

The Minter role of the NeuralNft contract allows to mint tokens, set base uri and uri of each token, and set minter address.
The owner of the NeuralMarketplace contract can withdraw ERC-20 tokens and ETH from the contract, set supported tokens and the fee.
The owner of the NeuralStaking contract can deposit rewards to the contract.

Executive Summary

Documentation quality

The total Documentation quality score is 8 out of 10.

Functional requirements are provided.
Descriptions of the development environment is provided.
The Natspec comments are not provided.

Code quality

The total Code quality score is 10 out of 10.

The code mostly follows the code structure best practices and official language style guides.
The development environment is configured.

Test coverage

Code coverage of the project is 100% (branch coverage).

The commit for the Staking part tests is 30fe783.
The commit for the Marketplace part tests is 9987dd1.

Security score

Upon auditing, the code was found to contain 1 critical, 1 high, 0 medium, and 2 low severity issues. Out of these, 4 issues have been addressed and resolved, leading to a security score of 10 out of 10.

All identified issues are detailed in the “Findings” section of this report.

Summary

The comprehensive audit of the customer's smart contract yields an overall score of 9.8. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

Scoring Methodology

Risks

Centralized Control of Minting Process: The NeuralNft token contract’s design allows for centralized control over the minting process, posing a risk of unauthorized token issuance, potentially diluting the token value and undermining trust in the project's economic governance.

Absence of a Token Burn Mechanism: The project lacks a mechanism to burn NeuralNft tokens, facing challenges in managing supply dynamically, affecting the token's value stability and inflation control.

Owner's Unrestricted State Modification: The absence of restrictions on state variable modifications by the owner leads to arbitrary changes, affecting contract integrity and user trust, especially during critical operations like minting phases.

Findings

Code ―	Title	Status	Severity
F-2024-3257	Underflow Error in Reward Calculation in NeuralStaking Contract	fixed	Critical
F-2024-3261	Incorrect Rewards Calculation in NeuralStaking Contract	fixed	High
F-2024-3258	Unchecked Transfer Results Leading to Deposits Data Inconsistencies	fixed	Low
F-2024-3253	Risk of Ownership Control Loss in Owner-Dependent Contracts	fixed	Low
F-2024-3264	Public Visibility for Externally Only Called Functions Leads to Unnecessary Gas Costs	fixed	Observation
F-2024-3260	Violation of Checks-Effects-Interactions Pattern in the NeuralStaking Project Contract	fixed	Observation
F-2024-3256	Redundant SafeMath library usage	fixed	Observation
F-2024-3255	Misleading Function Name in NeuralMarketplace Contract	fixed	Observation
F-2024-3254	Incorrect Event Emitting for Sale Option Update	fixed	Observation

1-9 of 9 findings

Identify vulnerabilities in your smart contracts.

Appendix 1. Severity Definitions

When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.

Reference on how risk scoring is done is available through the repository in our Github organization:

hknio/severity-formula →

Severity	Description
Critical	Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
High	High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Medium	Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Low	Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Severity
Critical
Description
Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
High
Description
High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
Medium
Description
Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
Low
Description
Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.

Appendix 2. Scope

The scope of the project includes the following smart contracts from the provided repository:

Scope Details
Repository	https://github.com/GoNeuralAI/neural-staking→
Commit	a315896ada1319940ee7172b9ae2d9106b749e59
Whitepaper	https://docs.goneural.ai/neuralai→

Scope Details
Repository
https://github.com/GoNeuralAI/neural-staking→
Commit
a315896ada1319940ee7172b9ae2d9106b749e59
Whitepaper
https://docs.goneural.ai/neuralai→

Contracts in Scope
./contracts/NeuralStaking.sol

Contracts in Scope
./contracts/NeuralStaking.sol

Scope Details
Repository	https://github.com/GoNeuralAI/neural-marketplace→
Commit	498a114ca7f95c9e0fd707ff02536c4996262f37
Whitepaper	https://docs.goneural.ai/neuralai→

Scope Details
Repository
https://github.com/GoNeuralAI/neural-marketplace→
Commit
498a114ca7f95c9e0fd707ff02536c4996262f37
Whitepaper
https://docs.goneural.ai/neuralai→

Contracts in Scope

contracts

NeuralMarketplace.sol - contracts › NeuralMarketplace.sol

NeuralNft.sol - contracts › NeuralNft.sol

utils.sol - contracts › utils.sol

Disclaimer

Hacken Disclaimer

Technical Disclaimer