ScratchCertikAudit v2

NEW YORK, 18/03/2021 — We are excited to announce that the Scratch NFT platform has been successfully audited by CertiK. In summary, no critical issues have been found within the project and all other findings have either been resolved or mitigated.

Use-case Profile

Scratch is an NFT research, valuation, and loan platform that aims to standardize the market value of NFTs by leveraging data sets of information from multiple sources.

Scratch's key use cases are accurate NFT valuation, storage, loans, and APIs, all delivered by its in-house, proprietary engine.

Users will be able to request a real-time valuation of an NFT, secure loans against that valuation with their NFTs as collateral, and securely store their NFTs within the Scratch vault.

Anything that is stored in the vault is insured to mitigate any loss of value.

Third-party consumers can use Scratch engine services via application programming interfaces (APIs) built within the engine.

Code Review And Auditing Process

A formal review has been undertaken by CertiK’s professional services team with a detailed examination of smart contracts, transactional functions, compiler and software versions, security vulnerabilities, and system validations.

  • Smart Contract: Test smart contracts for both common and uncommon attack vectors.
  • Code Review: Line-by-line manual review of the entire Scratch engine code to detect any security, scalability, or stability issues.
  • Compliance: Compliance assessment utilizing formal verification techniques, brainstorming sessions, and comparative assessment against industry standards.
  • Functional Review: Formal review to ensure the functions within the codebase meet the specifications and the best interests of end clients.
  • Issue Resolution: Formal issue logging and reporting to Scratch team with documented responses from the team including re-review of agreed resolutions.

Audit Feedback

The CertiK audit indicated NO ‘Critical’ issues.

A total of 12 findings were reported including 7 Informational findings (Resolved), 3 Minor (Acknowledged), 1 Medium (Resolved), and 1 Major (Mitigated).

With the resolutions and mitigations provided, the project is deemed secure to proceed with its phased launch plans to the public.

Scratch Engine CertiK audit findings. [Sourced directly from skyharbor.certik.com]

Notable Recommendations (Major Finding)

The only notable recommendation was to mitigate a potential centralization risk identified within the Scratch token system. The only recommended permanent resolution was for Scratch Engine to renounce all ownership, with no ability to reclaim, which is an unacceptable non-starter as the team needs to retain control in order to deliver on the project.

Many blockchain smart contracts require certain privileged functions that only the owner or creators of the contracts can execute. Any account that has the ability to execute such powerful functions is inherently a risk to the project if that account is compromised (intentionally or unintentionally).

The Scratch Engine team has mitigated this potential risk by implementing a multi-sig authorization on its Gnosis Safe, which requires multiple approvals for any transaction.

Furthermore, Scratch Engine has included the owner wallets in the Scratch Engine smart contract, which can be viewed publicly on Etherscan. As the contract stipulates, owner wallets are locked for 6 months, after which they vest 10% per month until fully distributed. In addition, owner allocations are not distributed to individual addresses directly, but to multi-sig wallets, which adds another layer of protection: no single owner wallet can act on the project on its own.

Lastly, below is the list of owner wallets, hereby published publicly:

  • Founder Wallet 1: 0x272256a91cD6D51584F4BfA4DE2f4Dfd4BcD3a57
    Signers: 0xFd5298A990B962406C52bb4526b1B1D01Ed69De0, 0xDbfd7D961D57A95b8B12732F4A5C680eEc974207, 0xB6743305f67202666dAd0FF02bCE276b4fC25cFf
  • Founder Wallet 2: 0x02c856c3252C41d4c0424Ea82d56503062E8dB4a
    Signers: 0xFd5298A990B962406C52bb4526b1B1D01Ed69De0, 0xDbfd7D961D57A95b8B12732F4A5C680eEc974207, 0xB6743305f67202666dAd0FF02bCE276b4fC25cFf
  • Founder Wallet 3: 0x3B8dB4B26Abd5C96be44d5e024168e74AfaaC48E
    Signers: 0xFd5298A990B962406C52bb4526b1B1D01Ed69De0, 0xDbfd7D961D57A95b8B12732F4A5C680eEc974207, 0xB6743305f67202666dAd0FF02bCE276b4fC25cFf
  • Founder Wallet 4: 0x66D940ac77C54eEE20a75C2EB72cB7C473801941
    Signers: 0xFd5298A990B962406C52bb4526b1B1D01Ed69De0, 0xDbfd7D961D57A95b8B12732F4A5C680eEc974207, 0xB6743305f67202666dAd0FF02bCE276b4fC25cFf4
  • Founder Wallet 5: 0x317E529ED3c2B7a3a6Da5Ab7b37Fd1d56520520B
    Signers: 0xFd5298A990B962406C52bb4526b1B1D01Ed69De0, 0xDbfd7D961D57A95b8B12732F4A5C680eEc974207, 0xB6743305f67202666dAd0FF02bCE276b4fC25cFf

Other Resolved And Mitigated Issues

Minor Findings:

  • Missing Zero Address Validation

This was a simple check suggested by CertiK: wallet addresses should be validated before assignment, or before making an external call, to make sure they are not the zero address. This was fixed and resolved.

  • Potential Reentrancy Attack

CertiK highlighted a remote chance of a reentrancy attack; fully closing it would have made the application somewhat inflexible for the user. The Scratch Engine team put the necessary mitigations against such attacks in place and chose to acknowledge the finding, citing a reasonable risk in favor of flexibility and practicality of use. In short, the cost of the full resolution far outweighed the risk.

Medium Findings:

  • Transfer From State Alteration

CertiK recommended that we write the transfer after the require statement to ensure all conditions are checked and met before execution. We complied, updated our code, and resolved the issue.

Informational Findings:

  • Usage of block.timestamp

Reliance on block.timestamp may allow some participants, such as miners, to manipulate timestamps and change transaction outcomes. This has been fixed and resolved.

  • Immutable variables declaration

CertiK requested that three variables in the code be declared immutable to increase the efficiency of the code. The finding has been fixed and resolved.

  • Unlocked compiler version

The code did not declare the minimum compiler version it requires, which can cause problems when debugging potential issues. The finding has been fixed and resolved.

  • Public Functions

Some of the functions in the code were declared public but never called from within the contract. The recommendation was to declare them external instead. This has been fixed and resolved.

  • Pure vs View Functions

Some of the functions were changed to pure functions, since they neither read nor modified contract state. The changes were made as recommended and the finding was resolved.

  • Slippage Restriction

No restriction was placed on the amount of slippage the user can set. CertiK recommended default slippage restrictions to make the system more secure, which also makes it less flexible. The Scratch team has opted to leave it as it is, citing a reasonable risk in favor of flexibility and practicality of use.

  • Missing Emit Events

Three functions in our code did not explicitly emit events for specific role changes. We agreed with the recommendations and resolved the issue.

  • Truth Statement

This was a scenario in which buy and sell could both be true, which was intended and desired, but CertiK wanted to see a separate statement for buy and a separate statement for sell. We complied, changed the code, and resolved the issue.
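As an added illustration (not taken from the Scratch Engine contracts; the vault contract and its names are hypothetical), this is what several of the findings above look like once fixed in Solidity: a locked compiler version, an immutable variable, zero-address validation, external instead of public, an event on role changes, a pure helper, and the require/state-update/transfer ordering that also limits reentrancy:

```solidity
// SPDX-License-Identifier: MIT
// Locked compiler version (finding: "Unlocked compiler version").
pragma solidity 0.8.19;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
contract VaultExample { // hypothetical contract, not Scratch Engine's code
    // Assigned once in the constructor: immutable (finding: "Immutable variables declaration").
    IERC20 public immutable token;
    address public owner;
    mapping(address => uint256) public deposits;
    // Privileged role changes emit an event (finding: "Missing Emit Events").
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);
    constructor(IERC20 _token) {
        // Reject the zero address before assignment (finding: "Missing Zero Address Validation").
        require(address(_token) != address(0), "token is zero address");
        token = _token;
        owner = msg.sender;
    }

    // external rather than public: never called from inside the contract (finding: "Public Functions").
    function setOwner(address newOwner) external {
        require(msg.sender == owner, "not owner");
        require(newOwner != address(0), "new owner is zero address");
        emit OwnerChanged(owner, newOwner);
        owner = newOwner;
    }

    function deposit(uint256 amount) external {
        require(amount > 0, "amount is zero");
        deposits[msg.sender] += amount;
        // External call only after every check and state update
        // (findings: "Transfer From State Alteration", "Potential Reentrancy Attack").
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function withdraw(uint256 amount) external {
        require(deposits[msg.sender] >= amount, "insufficient balance"); // checks
        deposits[msg.sender] -= amount;                                   // effects
        require(token.transfer(msg.sender, amount), "transfer failed");  // interaction
    }

    // Reads no state at all: pure, not view (finding: "Pure vs View Functions").
    function fee(uint256 amount, uint256 bps) external pure returns (uint256) {
        return amount * bps / 10_000;
    }
}
```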

About Scratch

Scratch is a company focused on bringing financial services to NFTs, the metaverse, and blockchain economies.

Its proprietary engine offers valuation and secure storage of digital assets, as well as financial services to both NFT owners and investors.

The project is backed by a qualified team with over a decade of experience in the digital asset space and blockchain technologies.

Learn more about Scratch Engine by visiting their website or following them on Twitter, Telegram, and Discord.

About CertiK

CertiK is a reputable organization that specializes in advanced analysis and monitoring of blockchain security protocols, wallets, dApps, and smart contracts.

With a team of well-qualified security audit experts and engineers, the company uses formal verification techniques and AI technology to secure and certify projects.

Security audits, penetration testing, suspicious activity tracing, and on-chain data analytics are among the services offered by CertiK.

Learn more about CertiK services on their website or contact them at bd@certik.io.
