Audit name:
[SCA] Cryptopia / Bridge / Mar2024
Date:
Apr 12, 2024
Table of Content
Introduction
We express our gratitude to the Cryptopia team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Cryptopia, is an innovative blockchain-based game pioneering the future of decentralized, play-to-earn gaming. Cryptopia designed the smart contract OFT-based bridging solution to power the token functionalities.
| title | content |
|---|---|
| Platform | Ethereum, Polygon |
| Language | Solidity |
| Tags | OFT, Fungible Token, Gamify, Bridge |
| Timeline | 15/03/2024 - 11/04/2024 |
| Methodology | https://hackenio.cc/sc_methodology→ |
Review Scope | |
|---|---|
| Repository | https://github.com/cryptopia-com/cryptopia-token-contracts/tree/layerzero→ |
| Commit | e476da911af21a941d2f63b411bd2d943b40338c |
Review Scope
- Commit
- e476da911af21a941d2f63b411bd2d943b40338c
Audit Summary
10/10
92,86%
10/10
10/10
The system users should acknowledge all the risks summed up in the risks section of the report
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
Document | |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for Cryptopia |
| Audited By | Grzegorz Trawinski |
| Approved By | Ataberk Yavuzer |
| Website | https://cryptopia.com/→ |
| Changelog | 19/03/2024 - Preliminary Report |
| 11/04/2024 - Final Report |
Document
- Name
- Smart Contract Code Review and Security Analysis Report for Cryptopia
- Audited By
- Grzegorz Trawinski
- Approved By
- Ataberk Yavuzer
- Website
- https://cryptopia.com/→
- Changelog
- 19/03/2024 - Preliminary Report
- 11/04/2024 - Final Report
System Overview
The solution is an OFT-based bridge between Ethereum and Polygon blockchains. It uses OFT V2 version.
The CryptosToken is an ERC20 token representing the game currency used in Cryptopia. It supports ERC20 tokens retrieval accidentally sent to the contract. It has following characteristics:
Name: Cryptos
Symbol: TOS
Decimals: 18
Supply: 1e28
The CryptosTokenOFTAdapter is an OFTAdapter. It allows the existing token to expand to any supported chain as a native token with a unified global supply, inheriting all the features of the OFT Standard. This works as an intermediary contract that handles sending and receiving tokens that have already been deployed.
The CryptosTokenPolygon is an OFT-based (ERC20) token to be deployed on Polygon blockchain. It supports ERC20 tokens retrieval accidentally sent to the contract. This contract allows to deposit tokens for a user by Polygon Bridge Depositor and withdraw tokens by a user.
Privileged roles
The owner of the CryptosToken contract can retrieve ERC20 tokens sent to the contract.
The owner of the CryptosTokenPolygon contract can retrieve ERC20 tokens sent to the contract. Also, it has access to the OFT privileged actions.
The Polygon Bridge Depositor of the CryptosTokenPolygon contract can mint tokens for a user.
The owner of the CryptosTokenOFTAdapter contract has access to the OFT privileged actions.
Executive Summary
Documentation quality
The total Documentation Quality score is 10 out of 10.
Code quality
The total Code Quality score is 10 out of 10.
Test coverage
Code coverage of the project is 92.86% (branch coverage).
Security score
Upon auditing, the code was found to contain 0 critical, 0 high, 0 medium, and 1 low severity issues, leading to a security score of 10 out of 10. Upon the retest, all remaining issues were fixed.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 10.0. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Risks
The solutions uses LayerZero, an interoperability protocol, for ERC20 token bridging purposes. Thus, tokens are bridged and minted by the third party privileged entities.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
| F-2024-1538 | Lack of two-step ownership transfer | fixed | Low | |
| F-2024-1559 | Default sharedDecimals() with 6 value is in use | fixed | Observation |
Identify vulnerabilities in your smart contracts.
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken is using a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
Reference on how risk scoring is done is available through the repository in our Github organization:
Severity | Description |
|---|---|
Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category. |
Low | Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score. |
Severity
- Critical
Description
- Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation.
Severity
- High
Description
- High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation.
Severity
- Medium
Description
- Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions and requirements violations. Major deviations from best practices are also in this category.
Severity
- Low
Description
- Major deviations from best practices or major Gas inefficiency. These issues will not have a significant impact on code execution, do not affect security score but can affect code quality score.
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details | |
|---|---|
| Repository | https://github.com/cryptopia-com/cryptopia-token-contracts/tree/layerzero→ |
| Commit | e476da911af21a941d2f63b411bd2d943b40338c |
| Whitepaper | N/A |
| Requirements | https://github.com/cryptopia-com/cryptopia-token-contracts/blob/layerzero/docs/Cryptos%20-%20Audit%20Techspec.pdf→ |
| Technical Requirements | https://github.com/cryptopia-com/cryptopia-token-contracts/blob/layerzero/docs/Cryptos%20-%20Audit%20Techspec.pdf→ |
Scope Details
- Commit
- e476da911af21a941d2f63b411bd2d943b40338c
- Whitepaper
- N/A
Contracts in Scope
source/polygon/CryptosTokenPolygon.solsource/errors/AccessErrors.solsource/errors/ArgumentErrors.solsource/infrastructure/CryptopiaTokenRetriever.solsource/ethereum/CryptosTokenOFTAdapter.solsource/ethereum/CryptosToken.sol