Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Smart Contract Audit for WOM Protocol

Smart Contract Audit for WOM Protocol

Share via:

About WOM Protocol

Client: WOM Protocol
Business Segment: Digital Advertising Market

Our client WOM Protocol (WOM) is a Ethereum-based MarTech solution empowering brands to leverage genuine word-of-mouth recommendations. WOM Protocol and its native WOM Token want to give brands access to genuine word-of-mouth suggestions and reward creators for their product-referring content without compromising consumer trust in the content and its creators.

WOM is creating a decentralized ecosystem with incentive mechanisms that align individual and mutual interests. With no central authority, the ultimate goal of WOM Protocol is to be equally owned by everyone participating in the protocol through receiving, using, or holding WOM Tokens. Thus, smart contracts play a vital role in WOM’s mission.

Smart Contract Use in WOM Protocol

In WOM’s case, smart contracts measure the engagement with each piece of content and subsequently reward involved parties (content creators, authenticators, and platforms).

Running on Ethereum, WOM Token, has a reward mechanism for encouraging production of WOM content without the need for a brand to pay a central company for access to the content. Smart contracts define the emission and distribution pattern. Furthermore, smart contracts enable information sharing across platforms because every interface is connected to the same smart contracts.

Therefore, secure and reliable smart contracts are the backbone of WOM Protocol.

Hacken Cybersecurity Services

Solution: Smart Contract Audit
Final Score: 9.1/10
Platform: EVM
Language: Solidity
Timeline: 18 July, 2022 – 5 Aug, 2022

WOM Protocol approached Hacken with the task of reviewing their smart contract code called Bullz Challenge Contract located in this GitHub repository. Bullz Challenge Contract is a simple contract that allows creating NFT airdrops – the owner creates a challenge and takes a fee. The main contract, Exchange Challenge, has the following features:

add challenge providing all parameters;
airdrop challenge providing winners;
take back assets that weren’t airdropped;
Update fee and fee token by owner.

How the audit unfolded?

The full audit was completed in three reviews including the initial review. During the initial review, our auditors found two critical issues: “inconsistent data flow” and “user may pay no fees”. Critical vulnerabilities are usually straightforward to exploit and can lead to asset loss or data manipulations.

1. Inconsistent data flow. In the function addChallenge located in ./ExchangeChallenge.sol, our auditors found that any user was able to create a new challenge with the same challengeId to rewrite the challenge configuration. This issue was possible because challengeId was processed as a parameter to the addChallenge function. Our recommendation was to implement a counter of challenges and use the last index to insert challenges consequently. The client fixed this critical issue before the second review.

2. User may pay no fees. In the function airdropChallenge located in the same file, Hacken auditors also found that sellers were able to create the challenge without paying fees. This issue was possible because the submissionLimit parameter was never validated and could be assigned to zero. Our recommendation was to implement a counter of accepted submissions and check that it does not exceed submissionLimit. Once again, WOM Protocol developers followed our recommendation.

Auditor about detected vulnerabilities

In my opinion, both critical issues are interesting:
The essence of the first is that because the challenge ID was set as a parameter, anyone could create a challenge with an already existing ID and thus delete the previous challenge. The essence of the second is that the number of possible winners did not correspond to the amount of commission paid, and thus it was possible to create a challenge for free. Both issues were fixed and now everything is fine.
Stepan Chekhovskoi, Smart Contract Auditor

During the initial review, Hacken auditors also found four High and four Medium vulnerabilities in the smart contracts. High-severity issues are difficult to exploit, but also have a significant impact on smart contract execution. Three of four high-severity issues were requirement violations in the addChallenge, airdropChallenge, and withdrawChallenge functions. The fourth challenge was ERC1155 double spending found in airdropChallenge function. It’s worth mentioning that WOM Protocol has followed through all recommendations from Hacken auditors and fixed all High and Medium severity issues, in addition to fixing the majority of Low-severity issues.

Hacken Assessment

Overall, the final score for their smart contract after fixing all the issues found by Hacken was 9.1/10. This is a really impressive result, especially considering 10 out of 10 for the security issues, which suggests that WOM Protocol now has robust security. Now, their smart contract will provide security for the WOM Token, which operates as a value creation incentive to set and maintain stable value creation within the WOM Ecosystem.