Introduction
We express our gratitude to the JunkYard team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.
Junkyard is a “dump to earn” platform where users can dump their useless NFTs in exchange for native tokens (Junkcoin). Users can pay (in ETH) to “fish” one or more of these NFTs and choose one of them to claim.
| Field | Value |
|---|---|
| Platform | Ethereum, Polygon |
| Language | Solidity |
| Tags | ERC721 |
| Timeline | 20/11/2022 - 01/03/2023 |
| Methodology | https://hackenio.cc/sc_methodology |
Review Scope
| Field | Value |
|---|---|
| Repository | https://github.com/BlackMagicCorp/jkd-contracts |
| Commit | 7f018433e5e8370913abcabda2fcb89559388231 |
Audit Summary
| Metric | Score |
|---|---|
| Security score | 10/10 |
| Test coverage | 100% |
| Code quality | 10/10 |
| Documentation quality | 8/10 |
The system users should acknowledge all the risks summed up in the Risks section of the report.
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
Document
| Field | Value |
|---|---|
| Name | Smart Contract Code Review and Security Analysis Report for JunkYard |
| Audited By | Hacken |
| Website | https://junkyard.wtf/ |
| Changelog | 24/11/2022 - Initial Review; 01/02/2023 - Second Review; 16/02/2023 - Third Review; 01/03/2023 - Fourth Review |
System Overview
Junkyard is a “dump to earn” platform where users can dump their useless NFTs in exchange for native tokens (Junkcoin). Users can pay (in ETH) to “fish” one or more of these NFTs and choose one of them to claim.
It includes the following contracts:
Junkyard.sol - The contract users interact with to fish and claim NFTs; the calls are then bridged to the Polygon contracts. This contract is deployed on Ethereum.
JunkYardManager.sol - The contract where all the logic and processing is done. It is deployed on Polygon to reduce costs.
JunkyardStorage.sol - The contract (on Ethereum) where the NFTs are stored. Users dump them here and receive them from here.
Privileged roles
The owner of Junkyard.sol can set new prices, set the manager address and chain, set the storage address and chain, and pause/unpause the contract.
The owner of JunkyardStorage.sol can set the manager address and chain.
The owner of JunkyardManager.sol can set the Junkyard address and chain, the storage address and chain, and the poop address and chain.
The Admin role of JunkyardManager.sol can register a new token, register a new fishing attempt, and register a collection.
Executive Summary
Documentation quality
The total Documentation quality score is 8 out of 10.
A lite paper describing the overall functionality is provided.
A technical description is provided in the README.
NatSpec comments should be compiled into contract documentation and published on the website.
The lite paper documents functionalities that are not implemented (JunkCoin launch, JunkCoin rewards, the Great Burn).
Code quality
The total Code quality score is 10 out of 10.
Solidity official style guidelines are followed perfectly.
The development environment is configured.
Test coverage
Code coverage of the project is 100% (branch coverage).
The code is well covered with tests.
Only one negative test case is missing.
Interactions by several users are not tested thoroughly.
Security score
Upon auditing, the code was found to contain 3 critical, 6 high, 3 medium, and 14 low severity issues. Out of these, 23 issues have been addressed and resolved, leading to a security score of 10 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the customer's smart contract yields an overall score of 9.8. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Risks
Some functionalities depend on out-of-scope off-chain management. These contracts do not provide any guarantees to users who interact with them.
The Junkcoin rewards for NFT dumping described in the litepaper are not implemented in the code yet. The coin itself is not implemented yet. There is no assurance that they will be in the future.
The “Great Burn” functionality described in the litepaper is not implemented in the code yet. There is no assurance that it will be in the future.
The DAO described in the litepaper is not implemented in the code yet. There is no assurance that it will be in the future.
The dump process and the fishing process rely on the junkbot, an off-chain management system. This off-chain system is not in the scope of this audit and needs to be audited separately.
Without the junkbot, this smart contract system cannot work independently.
The project uses Axelar as a gateway between the Ethereum contracts and the Polygon contracts. The Axelar contracts are not in the scope of this audit.
The function registerCollection loops over an array passed as a parameter by the owner. If the size of this array is not bounded, the call can exceed the block gas limit and can never be mined. The owner should take this into account when calling this function.
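The gas-limit risk above, as an added Solidity example that is not the JunkYard project's code: an owner-only batch registration function in its unbounded form (the pattern the risk describes) next to a bounded form that rejects oversized input before writing any state. The contract name, the MAX_BATCH value and the storage layout are assumptions chosen for illustration; the real registerCollection in the repository may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added example, not JunkYard project code. Demonstrates why an
/// owner-supplied array fed to a loop needs an explicit size bound.
contract BoundedRegistry {
    address public owner;

    /// Assumed cap. Pick it from a gas report of the loop body so that
    /// MAX_BATCH iterations stay well below the target chain's block
    /// gas limit; a caller with N collections then sends
    /// ceil(N / MAX_BATCH) transactions instead of one huge one.
    uint256 public constant MAX_BATCH = 200;

    mapping(address => bool) public registered;
    uint256 public registeredCount;

    event CollectionRegistered(address indexed collection);

    error NotOwner();
    error BatchTooLarge(uint256 requested, uint256 allowed);
    error ZeroAddress(uint256 index);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Unbounded version: mirrors the risk in the report. Nothing stops
    /// the owner from passing an array whose loop cost exceeds the block
    /// gas limit, in which case the transaction can never be included
    /// and the collections are never registered.
    function registerCollectionUnbounded(address[] calldata collections) external onlyOwner {
        for (uint256 i = 0; i < collections.length; i++) {
            _register(collections[i], i);
        }
    }

    /// Bounded version: the length check runs first, so an oversized
    /// batch fails with a cheap, explicit revert and no partial state.
    function registerCollection(address[] calldata collections) external onlyOwner {
        if (collections.length > MAX_BATCH) {
            revert BatchTooLarge(collections.length, MAX_BATCH);
        }
        for (uint256 i = 0; i < collections.length; ) {
            _register(collections[i], i);
            unchecked { ++i; }
        }
    }

    /// Shared body: rejects the zero address and is idempotent, so a
    /// batch re-sent after a failed chunk does not double count.
    function _register(address collection, uint256 index) internal {
        if (collection == address(0)) revert ZeroAddress(index);
        if (!registered[collection]) {
            registered[collection] = true;
            registeredCount++;
            emit CollectionRegistered(collection);
        }
    }
}
```

The bounded variant turns an operational risk ("the owner must remember not to pass too many") into a contract invariant that is cheap to test: one unit test with MAX_BATCH + 1 addresses must revert with BatchTooLarge, and one with exactly MAX_BATCH addresses must succeed within the gas limit of the target chain.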
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2023-1045 | Requirements Violation | mitigated | Critical |
| F-2023-1044 | Requirements Violation | fixed | Critical |
| F-2023-1043 | Highly Permissive Role Access | fixed | Critical |
| F-2023-105 | Data Consistency - Denial Of Service | fixed | High |
| F-2023-105 | Highly Permissive Role Access | fixed | High |
| F-2023-104 | Data Consistency | fixed | High |
| F-2023-104 | Data Consistency | fixed | High |
| F-2023-1047 | Requirements Violation | mitigated | High |
| F-2023-1046 | Highly Permissive Role Access - Requirements Violation | mitigated | High |
| F-2023-105 | Missing Event for Critical Value Updation | fixed | Medium |
Appendix 1. Severity Definitions
When auditing smart contracts, Hacken uses a risk-based approach that considers Likelihood, Impact, Exploitability and Complexity metrics to evaluate findings and score severities.
A reference on how risk scoring is done is available through the repository in our GitHub organization.
| Severity | Description |
|---|---|
| Critical | Critical vulnerabilities are usually straightforward to exploit and can lead to the loss of user funds or contract state manipulation. |
| High | High vulnerabilities are usually harder to exploit, requiring specific conditions, or have a more limited scope, but can still lead to the loss of user funds or contract state manipulation. |
| Medium | Medium vulnerabilities are usually limited to state manipulations and, in most cases, cannot lead to asset loss. Contradictions, requirements violations and major deviations from best practices are also in this category. |
| Low | Major deviations from best practices or major gas inefficiency. These issues will not have a significant impact on code execution; they do not affect the security score but can affect the code quality score. |
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details
| Field | Value |
|---|---|
| Repository | https://github.com/BlackMagicCorp/jkd-contracts |
| Commit | 7f018433e5e8370913abcabda2fcb89559388231 |
| Whitepaper | Provided |
| Requirements | Provided |
| Technical Requirements | Provided |