HonestNFT Audit: Jadu Hoverboards

Authors: Kun Peng, Nick Bax, Maximino DiGiacomo-Castillo

Contents

  1. Introduction
  2. Summary
  3. Fairness
  4. Gas Efficiency
  5. User Experience
  6. Trustless
  7. Affordability
  8. Simplicity
  9. Team Response

Introduction

The HonestNFT team has performed several audits and our goal is to bring awareness to shenanigans in the NFT space. The tools that we have developed can help identify questionable activity on-chain. Additionally, we closely review all of a project’s communications including social media and Discord. We compile on-chain and off-chain findings, and publish audit reports on selected projects.

Previous audits can be found here and here.

Summary

Jadu is developing an augmented reality world called the Mirrorverse. Jadu has previously launched Jetpack NFTs (not audited in this report). Both Hoverboards & Jetpacks can be used to fly 3D avatar NFTs in Augmented Reality and used within the Mirrorverse game world. Jadu previously raised $7M in a seed round led by General Catalyst.

Snoop Dogg promoting Hoverboards.

Jadu Hoverboard is an Ethereum-based NFT collection. 1,111 were reserved for the owners of a previously launched NFT collection called Jadu Jetpack (no gas or minting cost). In addition, JetPack Pros and Trippy Jetpack holders received spots on the presale list.

Below we present a brief list of pros and cons for this launch. A summary of our scoring is also included. We follow with a more detailed analysis of each bullet point.

Pros:

  • Random distribution for different categories of NFTs
  • High amount of unique wallet addresses

Cons:

  • No sybil resistance
  • Poor Trustlessness
  • Smart contract was redeployed

Fairness

Level of randomness and level of heterogeneity of wallet addresses; possibility for high skilled users to exploit the drop.

In the fairness section of our previous audits, we plotted rarity rank against token ID to inspect the rarity distribution of a particular collection. However, in the case of Jadu Hoverboard, there is no rarity score.

There are 16 variations of Jadu Hoverboards, and their metadata was revealed on 12/13, 12/14, and 12/15. On 12/13 at 6:06pm PST, the metadata for Hoverboard Classic, Hoverboard Lite and Hoverboard Duo was revealed, meaning that all unrevealed hoverboards should have been the more rare and valuable “X Series” or “Signature Series” hoverboards. On 12/14 at 6:06pm PST, the metadata of Hoverboard X Series was revealed. On 12/15 at 6:06pm PST, the metadata of the Hoverboard Signature Series was revealed. Five remaining 1/1 hoverboards were released on 12/16.

Based on the days of reveal, we can classify the Jadu Hoverboards into three categories: Classic, X Series, and Signature Series. In addition, based on how the Jadu Hoverboards were distributed, we have three phases of the sale:

1–1,111: Airdrop

1,112–6,385: Whitelisted presale

6,386–6,666: Public sale

Chart showing category composition of each group

Based on the graphs above, we can see that the Classic, X Series, and Signature Series are proportionally distributed among the three groups.

There are 4,519 addresses that received an airdrop or minted. This means, on average, 1.475 NFTs were minted per address.

Additionally, we take into account the possibility for highly skilled users to gain an advantage over average users. A common occurrence in NFT launches is “rarity sniping”. Immediately after a project releases their metadata, sophisticated users race to download metadata as fast as possible, calculate rarity scores for NFTs, and then buy up underpriced NFTs before the metadata is updated on exchanges like OpenSea.

The multi-phased metadata reveal scheme that Jadu Hoverboard used opens up the possibility for high-skilled users to snipe the drop multiple times. Since unrevealed NFTs belong to a more rare category and are expected to command higher prices, at 6:06 pm PST of each reveal date, savvy users were able to quickly buy the listed but unrevealed NFTs from owners unaware of this trick or those who forgot to delist their NFTs prior to reveal.

Both authors observed and participated in this metadata reveal game. As expected, unrevealed hoverboards were quickly bought up after the metadata was revealed and the price of those revealed became lower.

Chart showing Jadu Hoverboard sales price over time. Dot color corresponds to the floor price of the hoverboard variation on 12/17. A total of 16 variations of hoverboard existed. After the first reveal, unrevealed hoverboards sold for a premium. However, some hoverboards were mistakenly revealed between the 1st and 2nd reveal times, resulting in some users overpaying for lower tier hoverboards.

The first reveal occurred on 12/14 at 6:06 pm PST, at which point revealed hoverboards decreased in value and unrevealed hoverboards were quickly bought at higher prices. We see that several accounts mistakenly bought less valuable hoverboards (purple dots) for ~1.5 ETH — the price that the unrevealed hoverboards were going for in the hours following the 1st reveal. We know that several of these sales were for NFTs that Jadu’s API stated were unrevealed at the time of sale.

This occurred due to issues with Jadu’s API; some hoverboards did not have their metadata updated until several hours after the stated reveal time (in addition to the delay that OpenSea always has when updating NFT metadata). This resulted in both snipers and regular users buying boards which the Jadu API said were unrevealed only to wake up the next morning and find that their boards had been revealed a few hours after the metadata should have been updated. In some cases, the seller may have had the benefit of updated metadata and then accepted an offer which was made earlier, when the metadata should have been updated but was not.

We do not know the exact cause of the API issue but note that the Jadu API endpoint was very slow and/or unresponsive for several hours after the first reveal. It may have been the result of a deliberate DDoS to prevent other savvy users from scraping metadata or simply the result of multiple bots and services hammering Jadu’s servers while attempting to download metadata.

We suspect that Jadu was somehow unable to update all of the metadata which led to the API serving the incorrect metadata for some NFTs.

Jadu’s CEO acknowledging that some boards were revealed several hours after the official reveal time because of network delays.

Based on the analysis above, we give a score of 6 for fairness. While the NFTs appear randomly distributed, excessive opportunities for sophisticated users to gain an edge existed. Furthermore, the altering of metadata after the reveal time caused some users to unfairly overpay for NFTs that they thought were more rare than they actually were.

In the future, Jadu and other projects should utilize more robust methods for serving metadata post-reveal and should attempt to minimize opportunities for sophisticated users to extract value from others. Keep your eyes peeled for an upcoming article about this, written by an HonestNFT community member!

Gas efficiency

Amount of transactions needed to mint and complexity of each transaction. Bonus points if the launch did not cause a gas spike.

Two separate smart contracts were deployed for the Jadu drop. The total amount of gas fees incurred was approximately 172.69 ETH, or 0.0259 ETH per NFT. The initial airdrop spent 6.15 ETH, the second airdrop spent 6.56 ETH, the old smart contract spent 55.46 ETH, the new contract spent 14 ETH, and 86.22 ETH was spent during the public mint. A total of 4.3 ETH was spent on failed transactions. Dune query here. There were 4375 successful transactions and 350 failed transactions.

The first smart contract’s average gas used for presale mints of 1 NFT was 196,684 gwei. Average gas used for all of the old presale mint transactions was 190,760 gwei per NFT. Average gas fees used per transaction were 0.015659 ETH. A brief explanation for the move to a new contract is below.

Explanation of move to new smart contract.

For the second smart contract, the average gas used for minting 1 presale NFT was 240,867 gwei. The average gas used for all of the new presale mint transactions was 220,834 gwei per NFT. The average gas fees used per transaction was 0.025937 ETH.

After analyzing the gas expenses of other launches summarized in the table below, we find that the average gas used for the mint function on the Jadu smart contract was on the high end.

Gas used to mint a single NFT from each collection.

During the whitelist sale, some users apparently realized that they could mint more than their allotted amount by selling or transferring their allotted hoverboard NFTs to a different account, enabling some savvy users to mint dozens of extra NFTs.

An example of a user who minted an NFT, transferred out of their account, and repeated in order to obtain more than their allotted number of hoverboards.
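The mint-transfer-repeat pattern described above is what a presale contract allows when it derives the remaining allowance from the caller's current token balance, which a transfer resets, instead of from a counter of how many tokens the address has already minted. The simulation below is an added illustration written for this audit write-up; it is not Jadu's contract, and the exact check Jadu's contract performed is an assumption. It models both variants in Python and runs the same sequence against each: the balance-checked version hands out one token per round, the counter-based version refuses after the allotment is used.

```python
"""Presale allowance: live balance check vs. per-address mint counter.

Added illustration, not Jadu's contract code. `BalanceCheckedPresale`
compares balanceOf(caller) with the allotment, so moving a freshly minted
token to another wallet restores the allowance. `CounterPresale` records
mints per address, which no transfer can undo. Addresses and allotments
below are constructed.
"""
from collections import defaultdict
from typing import Dict


class Erc721Sim:
    """Minimal ERC-721 stand-in: owner lookup, balance, mint, transfer."""

    def __init__(self) -> None:
        self.owner_of: Dict[int, str] = {}
        self.next_id = 1

    def balance_of(self, addr: str) -> int:
        return sum(1 for owner in self.owner_of.values() if owner == addr)

    def mint(self, to: str) -> int:
        token_id = self.next_id
        self.next_id += 1
        self.owner_of[token_id] = to
        return token_id

    def transfer(self, frm: str, to: str, token_id: int) -> None:
        if self.owner_of.get(token_id) != frm:
            raise PermissionError("transfer from non-owner")
        self.owner_of[token_id] = to


class BalanceCheckedPresale:
    """Flawed: remaining allowance = allotment - current balance."""

    def __init__(self, allowlist: Dict[str, int]) -> None:
        self.token = Erc721Sim()
        self.allowlist = dict(allowlist)

    def presale_mint(self, caller: str) -> int:
        allotment = self.allowlist.get(caller, 0)
        if self.token.balance_of(caller) >= allotment:
            raise PermissionError("allotment exhausted")
        return self.token.mint(caller)


class CounterPresale(BalanceCheckedPresale):
    """Hardened: remaining allowance = allotment - tokens this address minted."""

    def __init__(self, allowlist: Dict[str, int]) -> None:
        super().__init__(allowlist)
        self.minted = defaultdict(int)

    def presale_mint(self, caller: str) -> int:
        if self.minted[caller] >= self.allowlist.get(caller, 0):
            raise PermissionError("allotment exhausted")
        self.minted[caller] += 1
        return self.token.mint(caller)


def mint_transfer_repeat(contract: BalanceCheckedPresale, minter: str,
                         sink: str, rounds: int) -> int:
    """Mint, move the token to `sink`, try again; return tokens obtained."""
    obtained = 0
    for _ in range(rounds):
        try:
            token_id = contract.presale_mint(minter)
        except PermissionError:
            break
        obtained += 1
        contract.token.transfer(minter, sink, token_id)
    return obtained


def keep_and_mint(contract: BalanceCheckedPresale, minter: str) -> int:
    """Honest path: mint until refused without transferring anything."""
    obtained = 0
    while True:
        try:
            contract.presale_mint(minter)
        except PermissionError:
            return obtained
        obtained += 1


if __name__ == "__main__":
    allowlist = {"0xminter": 1}
    print("balance-checked:", mint_transfer_repeat(BalanceCheckedPresale(allowlist), "0xminter", "0xsink", 5))
    print("counter-based:  ", mint_transfer_repeat(CounterPresale(allowlist), "0xminter", "0xsink", 5))
```

The honest minter who keeps their tokens gets the same allotment from both contracts; only the counter-based version holds the line once tokens leave the wallet. A Merkle proof or signed voucher that encodes the allotment still needs this per-address counter on-chain, since the proof itself can be replayed.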

After the whitelist sales, Jadu sold the remaining NFTs via a public mint phase. The average gas used for a public sale mint transaction was 203,529 gwei. Average gas fees used per transaction was 0.306866 ETH.

Based on the average gas fees spent during presale mint and public mint, we argue that there was a gas auction during the public sale. Taking a closer look, the base fee was relatively steady and no other major activity was occurring on-chain. The public sale started in block 13,794,045 and the NFTs were sold out in the subsequent block.

Roughly 80% of the transactions in blocks 13,794,045 and 13,794,046 are Jadu hoverboard public mint transactions, clogging the Ethereum network for about 30 seconds.

This did cause a gas auction with minters paying more to miners than to Jadu.

The last Jadu Hoverboard minted. More ETH was paid to the miner than to Jadu.

We chose to give a gas efficiency score of 7. Fortunately, over 90% of the NFTs were airdropped or minted via a whitelist, thus reducing the number of NFTs sold under gas auction conditions (in part because of the users who realized they could mint more than their allotted whitelist NFTs). Jadu could have earned a perfect 10 if they had used a contract which used less gas and avoided the small “first come, first serve” gas auction at the end of their drop.

User Experience

General experience for users, time zone neutrality, cultural and linguistic neutrality.

The presale was relatively short and only lasted for 3 hours and 26 minutes. The hours were not very friendly to users from Asia.

Presale Time Zone:

Presale minting window for major time zones.

The public sale phase lasted less than 30 seconds.

Public Sale Time Zone:

Public minting window for major time zones.

A frustrated user in the Jadu discord channel.

As mentioned earlier, there were 4375 successful transactions and 350 failed transactions. A total of 4.3 ETH was lost on failed transactions, most of it during the public mint phase.

The metadata is being hosted in a centralized server. As mentioned in the fairness section the centralized hosted metadata did not get updated on time, which led to suboptimal user experience. Some user experiences are shown below.

Screenshots of angry users who had suboptimal experience due to the metadata reveal issues.

Fortunately, whitelisted users who encountered issues during mint were allowed to purchase Hoverboards from Jadu’s vault at the mint price.

We give Jadu a “User Experience” score of 8 — presale minters outside of Asian timezones had a decent user experience. The team promptly fixed almost every issue encountered during the mint phase (with the exception of users who bought NFTs which were revealed later). Public minters had a relatively poor experience because the collection was sold out in 2 blocks. Also, the metadata reveal experience was suboptimal.

Trustlessness

Level of trust given to team or smart contract, extent of off-chain interactions, ability to trade on insider information.

The Jadu team did not use a commit-reveal scheme. Therefore, it is possible that an insider could have minted rare NFTs to their own address, or known the rarity of NFTs prior to the metadata being revealed. We looked for evidence of what we call “anomalously lucky” minters and were unable to identify any. However, we know from firsthand experience that a careful user can evade detection of our statistical tests.

To mitigate this, the Jadu team stated that they would return any of the most rare ‘1/1’ boards that were minted by Jadu team members and/or their friends and family. A message summarizing these claims is shown below.

We observed one account which we believe belonged to a team member and minted a 1/1. The NFT was returned to the jaduvault after several weeks and an intermediate transfer. A summary of the transactions is shown below.

Transaction summary of 1/1 NFT being transferred to jaduvault.

Unfortunately, it would be impossible for us to identify the owners of all accounts which obtained 1/1 hoverboards and verify that none of them were associated with the team.

Next, we look for evidence of someone with insider knowledge buying rare NFTs on the secondary market. One telltale fingerprint for this is accounts which consistently buy unrevealed NFTs above the floor price prior to their reveal. On our sales chart, this would look like red or green dots above the floor price to the left of the first reveal, which we do not see. Alternatively, a savvier insider may have known to only buy rare NFTs at or near the floor price. We checked the sales very thoroughly using our shenanigan detection tools and identified no accounts which were anomalously lucky at buying rare NFTs. A chart below summarizes our findings.

Jadu Hoverboard sales over time. The blue square denotes sales which are above the floor price. We did not observe many purchases above the floor price prior to reveal, and the few we did notice were not particularly rare or valuable post-reveal.
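The "anomalously lucky" test referred to in this section and in the paragraph on insider minting above can be made concrete with a hypergeometric tail probability. The block below is an added example, not HonestNFT's own detection tooling: under a fair random distribution of N tokens of which K are rare, the number of rare tokens among an address's n mints is hypergeometric, so an address whose rare count k has a very small upper-tail probability P(X >= k) is worth a closer look. The mint records, tier names and threshold are constructed.

```python
"""Flag minters whose share of rare tokens is implausible under fair randomness.

Added illustration, not HonestNFT's tooling. Exact hypergeometric upper
tail computed with integer binomials (no SciPy needed). Records are
(minter address, token id, revealed tier) and are constructed: 40 tokens,
4 of them rare; 0xaaaa minted 5 and got 3 rare, 0xbbbb minted 5 and got 1.
"""
from collections import defaultdict
from math import comb
from typing import Dict, Iterable, List, Set, Tuple

RARE_TIERS: Set[str] = {"Signature Series", "1/1"}

SAMPLE_MINTS: List[Tuple[str, int, str]] = (
    [("0xaaaa", i, "Signature Series") for i in range(1, 4)]   # 3 rare
    + [("0xaaaa", i, "Classic") for i in range(4, 6)]          # 2 common
    + [("0xbbbb", 6, "Signature Series")]                      # 1 rare
    + [("0xbbbb", i, "Classic") for i in range(7, 11)]         # 4 common
    + [(f"0x{i:04x}", i, "Classic") for i in range(11, 41)]    # 30 single mints
)


def hypergeom_upper_tail(k: int, N: int, K: int, n: int) -> float:
    """P(X >= k) for X ~ Hypergeom(population N, K successes, n draws)."""
    hi = min(K, n)
    if k > hi:
        return 0.0
    numer = sum(comb(K, x) * comb(N - K, n - x) for x in range(k, hi + 1))
    return numer / comb(N, n)


def lucky_minters(mints: Iterable[Tuple[str, int, str]], rare_tiers: Set[str],
                  alpha: float = 0.01) -> Dict[str, Tuple[int, int, float]]:
    """Return {address: (n_minted, k_rare, p_value)} for p < alpha."""
    mints = list(mints)
    per_addr: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for addr, _token_id, tier in mints:
        per_addr[addr][0] += 1
        if tier in rare_tiers:
            per_addr[addr][1] += 1
    N = len(mints)
    K = sum(1 for _a, _t, tier in mints if tier in rare_tiers)
    flagged: Dict[str, Tuple[int, int, float]] = {}
    for addr, (n, k) in per_addr.items():
        if k == 0:
            continue  # nothing to explain
        p = hypergeom_upper_tail(k, N, K, n)
        if p < alpha:
            flagged[addr] = (n, k, p)
    return flagged


if __name__ == "__main__":
    for addr, (n, k, p) in lucky_minters(SAMPLE_MINTS, RARE_TIERS).items():
        print(f"{addr}: {k} rare of {n} minted, P(X>={k}) = {p:.5f}")
```

Two caveats apply when running this over a real collection. Testing thousands of addresses at alpha = 0.01 will flag a few by chance, so divide alpha by the number of multi-mint addresses (or otherwise correct for multiple comparisons) before treating a hit as evidence. And, as the audit notes, an insider who takes only one or two rare tokens stays below any reasonable threshold, which is why a commit-reveal scheme, not a statistical test, is the real remedy.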

While we failed to find any obvious examples, in the absence of a commit-reveal scheme with randomization at the moment of reveal, the possibility that insiders used non-public information cannot be ruled out. If Jadu used a commit-reveal scheme, insider trading could be provably ruled out, and the insider that received a 1/1 would have been able to keep their NFT without suspicion. We urge projects to use commit-reveal schemes so that users do not have to rely on trust.

Trustlessness: 5 — we found no evidence of bad behavior but ultimately have to trust the team.

Affordability

Cost to acquire NFTs (minting price, gas fees and any additional costs)

The price of 0.222 ETH per NFT is high but justifiable because of the performance of Jadu’s earlier Jetpack NFT collection. Jadu’s CEO explained the high mint price in an article.

Regarding gas fees and any additional costs, Jadu Hoverboard had higher average gas fees than most other major NFT collections.

Due to the relatively high mint price and higher gas fees, we give Jadu Hoverboard an “Affordability” score of 8.

Simplicity

Room for inexperienced or unskilled users to make mistakes. Digestibility of launch rules and instructions to mint.

The launch and minting process for Jadu Hoverboard was straightforward, very well-communicated and clear for users. We give Jadu Hoverboard a “Simplicity” score of 10.

Team Response

We shared a draft of this audit with the Jadu team and took their responses into consideration. We increased the User Experience score by 1 point after the Jadu team pointed out to us that they worked with their community to fix issues encountered during the mint phase.

We considered increasing Jadu’s Trustlessness score to a 6 to reflect that the team member who minted a 1/1 hoverboard did in fact return it, but ultimately decided not to because future projects would be able to abuse this by deliberately minting a rare NFT to themselves, returning it, and then pointing out how trustworthy they are.

We also increased the Gas Efficiency score after sending Jadu our initial draft — this change was made independent of feedback from Jadu. We are constantly refining our scoring criteria in an attempt to make scoring as objective as possible.

Verdict

Jadu’s launch was simple and straightforward but they experienced a few hiccups which led to frustration for some users. Additionally, while their multi-step reveal phase made the project more exciting for the first few days, it created unfair opportunities for some NFT traders to gain an advantage.

We also want to stress the distinction between “trustlessness” — the metric we score — and the more common “trustworthiness”. To us, trustlessness means using cryptography so that randomness of NFT distribution can be mathematically proven. Whether you find them trustworthy is up to you. Had the team used a commit-reveal scheme to randomize their data, they would have received a significantly higher score for trustlessness.

This is only the third project we have published an audit for. We aim to make our audits as objective as possible in the long term and may adjust our rating as we audit other projects, and learn more about the relative positioning of Jadu Hoverboards among other collections. Overall, we give Jadu Hoverboards a score of 7.3 (our highest score yet).

Join Us

If you’re interested in joining our mission to research suspicious activity, drop by our Discord channel. If you just want to follow along, follow HonestNFT and Convex Labs on Twitter and check out our new project’s website.

Shadowy Super Coders can checkout our GitHub.

If you are interested in helping fund more open source research like this, consider donating to our Bounty Program.

Disclosures

Several of our team members hold or have held Jadu NFTs and one benefited by Jadu’s decision to replace NFTs affected by the Opensea exploit.


convexlabs.xyz twitter.com/convex_labs
