NTOKENS SMART CONTRACT FINAL AUDIT REPORT

Abhishek Sharma
Nov 26 · 9 min read

by QuillAudits, October 2019

Introduction:

This audit report highlights the overall security of the NTokens smart contract. With this report, we have tried to ensure the reliability of their smart contract through a complete assessment of their system's architecture and the smart contract codebase.

Auditing approach and methodologies applied:

The QuillHash team performed thorough testing of the project, starting with an analysis of the code design patterns, in which we reviewed the smart contract architecture to ensure that it is well structured and makes safe use of third-party smart contracts and libraries.

Our team then performed a formal line-by-line inspection of the smart contract in order to find potential issues such as race conditions, transaction-ordering dependence, timestamp dependence, and denial of service attacks.

In the unit testing phase we wrote and ran custom unit tests for each function in the contract to verify that each function works as expected. In automated testing, we tested the smart contract with our in-house developed tools to identify vulnerabilities and security flaws.

The code was tested in collaboration with multiple team members and this included:

  1. Testing the functionality of the smart contract to determine that proper logic has been followed throughout.
  2. Analyzing the complexity of the code by a thorough, manual, line-by-line review.
  3. Deploying the code on a testnet using multiple clients to run live tests.
  4. Analyzing failure preparations to check how the smart contract performs in case of bugs and vulnerabilities.
  5. Checking whether all the libraries used in the code are on the latest version.
  6. Analyzing the security of the on-chain data.

Audit Details

Summary of NTokens smart contract:

QuillAudits conducted a security audit of the NTokens smart contract. The NTokens contract creates an ERC20 token, the nTokens Real Virtual stable coin. The smart contract contains the basic functionality of an ERC20 token with an open mint function to mint tokens, together with some additional functionality:

  • The masterMinter can allow other addresses to mint up to a specific value.
  • The owner can blacklist token holders and minters.
  • Transfers do not take place while the contract is paused, and only the pauser can pause it.

Audit Goals

The focus of the audit was to verify that the smart contract system is secure, resilient and working according to its specifications. The audit activities can be grouped in the following three categories:

Security: Identifying security related issues within each contract and within the system of contracts.

Sound Architecture: Evaluation of the architecture of this system through the lens of established smart contract best practices and general software best practices.

Code Correctness and Quality: A full review of the contract source code. The primary areas of focus include:

  • Correctness
  • Readability
  • Sections of code with high complexity
  • Quantity and quality of test coverage

Severity level references:

Every issue in this report was assigned a severity level from the following:

High severity issues will bring problems and should be fixed.

Medium severity issues could potentially bring problems and should eventually be fixed.

Low severity issues are minor details and warnings that can remain unfixed but would be better fixed at some point in the future.

High severity issues:

  1. The initialize() function of smart contract v1 does not use the onlyOwner modifier, so it can be called by anyone immediately after the smart contract is deployed.

Either use the onlyOwner modifier so that only the owner can initialize it, or create an address-type variable, set it while deploying the smart contract, and allow only that address to call initialize().

Status: Fixed by Developer
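The second remediation option above, a deployer address recorded at deployment that alone may call initialize(), shown beside the unguarded form for contrast. This is an added illustration in Solidity 0.4.24, not the NTokens code; the role names and the one-shot `initialized` flag are assumptions.

```solidity
pragma solidity 0.4.24;

// Before: nothing restricts who calls initialize(), so whoever sends the
// first transaction after deployment chooses the owner and masterMinter.
contract UnguardedV1 {
    address public owner;
    address public masterMinter;

    function initialize(address _owner, address _masterMinter) public {
        owner = _owner;
        masterMinter = _masterMinter;
    }
}

// After: the deployer is stored by the constructor, only that address may
// call initialize(), and a flag prevents a second initialization.
contract GuardedV1 {
    address public deployer;
    address public owner;
    address public masterMinter;
    bool public initialized;

    constructor() public {
        deployer = msg.sender;
    }

    modifier onlyDeployer() {
        require(msg.sender == deployer, "Caller is not the deployer");
        _;
    }

    function initialize(address _owner, address _masterMinter) public onlyDeployer {
        require(!initialized, "Contract is already initialized");
        require(_owner != address(0), "Owner cannot be the zero address");
        require(_masterMinter != address(0), "masterMinter cannot be the zero address");
        owner = _owner;
        masterMinter = _masterMinter;
        initialized = true;
    }
}
```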

  2. The increaseAllowance and decreaseAllowance functions of the ERC20 contract cannot update the allowance, because the allowed mapping is overwritten (shadowed) in the v1 smart contract, and that value is not accessible to the increaseAllowance and decreaseAllowance functions of the ERC20 smart contract.

Update or override the allowance functions in the v1 smart contract so that increaseAllowance and decreaseAllowance increase or decrease the allowance that v1 actually uses.

Status: Fixed by Developer
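The shadowed-mapping problem and its fix, as an added Solidity 0.4.24 example rather than the project's own code: a trimmed base ERC20 whose helpers act on a private `_allowed`, and a v1 contract that keeps its own `allowed` mapping and therefore overrides the two helpers (this is also the variable shadowing the Slither result below refers to; the contract and mapping names here are assumptions).

```solidity
pragma solidity 0.4.24;

library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256 c) { c = a + b; require(c >= a); }
    function sub(uint256 a, uint256 b) internal pure returns (uint256) { require(b <= a); return a - b; }
}

// Trimmed base ERC20: its allowance helpers read and write the private _allowed mapping.
contract ERC20 {
    using SafeMath for uint256;
    mapping(address => mapping(address => uint256)) private _allowed;
    event Approval(address indexed owner, address indexed spender, uint256 value);

    function allowance(address owner, address spender) public view returns (uint256) {
        return _allowed[owner][spender];
    }
    function increaseAllowance(address spender, uint256 addedValue) public returns (bool) {
        _allowed[msg.sender][spender] = _allowed[msg.sender][spender].add(addedValue);
        emit Approval(msg.sender, spender, _allowed[msg.sender][spender]);
        return true;
    }
    function decreaseAllowance(address spender, uint256 subtractedValue) public returns (bool) {
        _allowed[msg.sender][spender] = _allowed[msg.sender][spender].sub(subtractedValue);
        emit Approval(msg.sender, spender, _allowed[msg.sender][spender]);
        return true;
    }
}

// V1 keeps its own `allowed` mapping, which shadows the base one. Without the
// two overrides below, the inherited increaseAllowance/decreaseAllowance would
// update _allowed while V1's allowance() keeps reading `allowed`: no visible change.
contract V1 is ERC20 {
    using SafeMath for uint256;
    mapping(address => mapping(address => uint256)) internal allowed;

    function allowance(address owner, address spender) public view returns (uint256) {
        return allowed[owner][spender];
    }
    function increaseAllowance(address spender, uint256 addedValue) public returns (bool) {
        allowed[msg.sender][spender] = allowed[msg.sender][spender].add(addedValue);
        emit Approval(msg.sender, spender, allowed[msg.sender][spender]);
        return true;
    }
    function decreaseAllowance(address spender, uint256 subtractedValue) public returns (bool) {
        allowed[msg.sender][spender] = allowed[msg.sender][spender].sub(subtractedValue);
        emit Approval(msg.sender, spender, allowed[msg.sender][spender]);
        return true;
    }
}
```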

Medium Severity Issues:-

No Medium Severity Issue.

Low severity issues:

  1. The Solidity version must be fixed (always use the latest version).

It should not be pragma solidity ^0.4.24;

It should be pragma solidity 0.4.24;

Status: Fixed by Developer.

  2. The version should be fixed so that the development phase and the deployment phase use the same Solidity version.

All error statements are missing from the require conditions. Please add error statements to the require conditions so that the reason for a failure is reported.

Example: require(msg.sender == owner, 'Caller is not an owner of smart contract');

Status: Not fixed yet.

  3. The removeMinter() function of smart contract v1 does not check whether the minter is actually configured before removing it.

Use require(minters[minter] == true);

Status: Fixed by Developer.

  4. The unBlacklist() function of blacklistable.sol does not check whether the address is actually blacklisted before removing it from the blacklist.

Use require(blacklisted[_account] == true);

Status: Fixed by Developer.

  5. The pause() function of pausable.sol does not check whether the contract is already paused.

Use require(paused == false);

Status: Fixed by Developer.

  6. The unPause() function of pausable.sol does not check whether the contract is actually paused before unpausing it.

Use require(paused == true);

Status: Fixed by Developer.
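Items 2 to 6 above combined into one contract: every state-changing administrative function first checks the state it expects and every require carries a reason string. This is an added Solidity 0.4.24 example, not the project's code; the role layout (owner manages the blacklist, masterMinter manages minters, pauser pauses) and the event names are assumptions.

```solidity
pragma solidity 0.4.24;

contract GuardedRoles {
    address public owner;        // manages the blacklist (assumed role layout)
    address public masterMinter; // manages minters
    address public pauser;       // pauses and unpauses transfers
    bool public paused;
    mapping(address => bool) internal minters;
    mapping(address => bool) internal blacklisted;

    event MinterRemoved(address indexed minter);
    event UnBlacklisted(address indexed account);
    event Pause();
    event Unpause();

    constructor(address _masterMinter, address _pauser) public {
        owner = msg.sender;
        masterMinter = _masterMinter;
        pauser = _pauser;
    }

    modifier onlyOwner() { require(msg.sender == owner, "Caller is not the owner"); _; }
    modifier onlyMasterMinter() { require(msg.sender == masterMinter, "Caller is not the masterMinter"); _; }
    modifier onlyPauser() { require(msg.sender == pauser, "Caller is not the pauser"); _; }

    // Each state change first checks the state it expects (items 3 to 6) and
    // names the reason, so a reverted transaction reports why it failed.
    function removeMinter(address minter) public onlyMasterMinter returns (bool) {
        require(minters[minter] == true, "Address is not a minter");
        minters[minter] = false;
        emit MinterRemoved(minter);
        return true;
    }
    function unBlacklist(address _account) public onlyOwner {
        require(blacklisted[_account] == true, "Address is not blacklisted");
        blacklisted[_account] = false;
        emit UnBlacklisted(_account);
    }
    function pause() public onlyPauser {
        require(paused == false, "Contract is already paused");
        paused = true;
        emit Pause();
    }
    function unpause() public onlyPauser {
        require(paused == true, "Contract is not paused");
        paused = false;
        emit Unpause();
    }
}
```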

Low severity issues that arose while checking the initial audit report fixes:

  1. The transferFrom() function of smart contract v1 cannot be called by token holders, because approve and allowance have been removed from contract v1.

You can remove the transferFrom() function from contract v1, and also remove the allowed internal variable from contract v1 and from the ERC20.sol contract, as they are not in use.

Status: Not fixed yet.

Unit Testing

Test Suite

Contract: NTokens Contract

 Should check masterMinter of Token contract after update (51ms)

Coverage Report :

Initial Audit Report (Coverage Report):

Final Audit Report (Coverage Report):

Statement coverage of smart contract v1 is 87.3% in the final audit report because the transferFrom function of the v1 contract needs to be removed: it cannot be reached, and as you can see in the picture above, transferFrom is highlighted as uncovered.

Slither tool result:

Variables shadowing each other as they are overwritten.

Contract Description table

Implementation recommendations:

  • Use error statements (reason strings) in require conditions; this helps in diagnosing errors and the reason for the failure of transactions.

Comments:

The use case of the smart contract is very well designed and implemented. Overall, the code is clearly written and demonstrates effective use of abstraction, separation of concerns, and modularity. The NTokens development team demonstrated high technical capabilities, both in the design of the architecture and in the implementation.

All critical issues and several additional issues have been resolved by the NTokens team; please also take action on the one low severity issue that arose after the initial audit fixes.
