Verichains Public Audit Report - DGG Marketplace - v1.1
DGG MARKETPLACE
Public Report
Apr 04, 2023
Verichains Lab
info@verichains.io
https://www.verichains.io
Driving Technology > Forward
Report for DGG Network
Security Audit – DGG Marketplace
Version: 1.1 - Public Report
Date: Apr 04, 2023
ABBREVIATIONS
Name  Description
ERC721  ERC-721 introduces a standard for NFTs; in other words, a token of this type is unique and can have a different value from another token of the same smart contract, for example because of its age, rarity, or something else such as its visual appearance.
EXECUTIVE SUMMARY
This Security Audit Report was prepared by Verichains Lab on Apr 04, 2023. We would like to thank DGG Network for trusting Verichains Lab to audit its smart contracts. Delivering high-quality audits is always our top priority.
This audit focused on identifying security flaws in the code and the design of the DGG Marketplace. The scope of the audit is limited to the source code files provided to Verichains. Verichains Lab completed the assessment using manual, static, and dynamic analysis techniques.
During the audit process, the audit team identified several vulnerabilities in the smart contract code.
TABLE OF CONTENTS
1. MANAGEMENT SUMMARY  5
1.1. About DGG Marketplace  5
1.2. Audit scope  5
1.3. Audit methodology  5
1.4. Disclaimer  6
2. AUDIT RESULT  7
2.1. Overview  7
2.1.1. Market.sol  7
2.1.2. MintingStation.sol  7
2.2. Findings  7
2.2.1. [ ] Market.sol - Remove collection address when removing a collection ID  7
2.2.2. [ ] Market.sol - Modify ask order with arbitrary tokenBuy  8
2.2.3. [ ] Market.sol - Front-Running: seller can change tokenBuy before buyer buys  9
2.2.4. [ ] Market.sol - owner can transfer any ERC20 tokens in contract, including creator and trading fee  10
2.2.5. [ ] Market.sol - Execution inconsistent with the comment of the recoverNonFungibleToken() function  11
2.2.6. [ ] Market.sol - Inconsistency in creating and modifying a collection  11
2.2.7. [ ] Market.sol - Inconsistency between the _collectionAddressSet and _collections variables  12
2.2.8. [ ] Market.sol - Creator can change trading fee after seller asks to sell  13
2.2.9. [ ] Market.sol - TYPO reciver in batchTransfer() function  14
2.2.10. [ ] Market.sol - Missing emit event in buyToken() function  14
3. VERSION HISTORY  15
1. MANAGEMENT SUMMARY
1.1. About DGG Marketplace
DGG Marketplace is an NFT marketplace that facilitates the buying and selling of Non-
Fungible Tokens (ERC721) using Fungible Tokens (ERC20). Users are required to pay a small
trading fee and the creator also receives compensation through this platform.
4d3a545aa58420f786368c05158d4748e12c491a Market.sol
dec0ddf860846e1368f7e0fc9106bdf67b9e30cc MintingStation.sol
• Explicit visibility of functions and state variables (external, internal, private and public)
• Logic Flaws
For vulnerabilities, we categorize the findings into the categories listed in the table below, depending on their severity level:
SEVERITY LEVEL  DESCRIPTION
An issue that does not have a significant impact and can be considered less important.
1.4. Disclaimer
Please note that security auditing cannot uncover all existing vulnerabilities, and even an audit in which no vulnerabilities are found is not a guarantee of a 100% secure smart contract. However, auditing allows the discovery of vulnerabilities that went unobserved or were overlooked during development, and of areas where additional security measures are necessary.
2. AUDIT RESULT
2.1. Overview
This table lists some properties of the audited DGG Marketplace (as of the report writing
time).
2.1.1. Market.sol
This smart contract inherits from Ownable, ReentrancyGuard and ERC721Holder. The Market
feature enables the admin to create collections that include ERC721 addresses, which allows
users to list their assets and set ask orders for selling. Moreover, users have the option to
purchase NFT assets using ERC20 tokens that have been pre-defined by either the admin or
the collection creator.
Specifically, the admin can recover fungible tokens if the balance of an address surpasses
the pending revenue required to pay either the creator or the treasury. Furthermore, they can
recover non-fungible tokens that are not listed in the ask orders.
2.1.2. MintingStation.sol
The contract inherits from the AccessControl contract from the OpenZeppelin library, which
provides a role-based access control mechanism.
The MintingStation contract enables the contract owner to recover ERC20/ERC721 tokens,
set a whitelist of signers, and transfer contract ownership. The smart contract only allows
signers who are in the whitelist to call the mintCollectible() function to mint new ERC721
tokens. The function uses the ecrecover() function to verify that the message was signed by a
signer who is in the whitelist.
2.2. Findings
During the audit process, the audit team found several vulnerabilities in the given sources of DGG Marketplace.
_collections[_collection][_collectionId].status = CollectionStatus.Close;
_collectionAddressSet.remove(_collection); // ISSUE AT THIS LINE
RECOMMENDATION
_collections[_collection][_collectionId].status = CollectionStatus.Close;
// _collectionAddressSet.remove(_collection); <-- REMOVE THIS
UPDATES
• Apr 4, 2023: This issue has been acknowledged and fixed by the DGG Network team
RECOMMENDATION
function modifyAskOrder(
    address _collection,
    uint256 _tokenId,
    uint256 _newPrice,
    address _newTokenBuy,
    //address _tokenBuy, <-- REMOVE THIS LINE
    uint256 _collectionId
) external nonReentrant {
    // Verify new price is not too low/high
    require(_newPrice >= minimumAskPrice && _newPrice <= maximumAskPrice, "Order: Price not within range");
    // ... (the report elides the body that updates the stored ask order)
    // Emit event
    emit AskUpdate(_collection, msg.sender, _tokenId, _newPrice, _newTokenBuy, _collectionId);
}
UPDATES
• Apr 4, 2023: This issue has been acknowledged and fixed by the DGG Network team
token purchase to a different token that was previously approved by the user, and that has a
higher price than the original token being purchased.
Example: Front-running change 1 BNB to 1 ETH.
RECOMMENDATION
UPDATES
• Apr 4, 2023: This issue has been acknowledged and fixed by the DGG Network team
2.2.4. [ ] Market.sol - owner can transfer any ERC20 tokens in contract, including creator and trading fee
2.2.4.1. Description
If the owner of the contract calls the recoverFungibleTokens() function, they are able to withdraw the entire ERC20 token balance of the contract, including tokens that were originally sent as creator and trading fees.
RECOMMENDATION
Calculate the recoverable amount carefully before transferring. We suggest keeping a global mapping of the total pending revenue per token (totalPendingRevenue). The code can then be fixed as below:
function recoverFungibleTokens(address _token) external onlyOwner {
    uint256 amountToRecover = IERC20(_token).balanceOf(address(this)) - totalPendingRevenue[_token]; // FIXED
    require(amountToRecover != 0, "Operations: No token to recover");
    IERC20(_token).safeTransfer(address(msg.sender), amountToRecover);
}
UPDATES
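The following Python model of the fee accounting behind finding 2.2.4 is an added illustration, not the audited Market.sol or any code from DGG Network; the class, method names and the sample sale figures are constructed, and only the totalPendingRevenue idea comes from the report's fix. It contrasts the original sweep-everything recovery with the bounded one.

```python
# Python model of the fee accounting in Market.sol, added for illustration; not the audited contract.
class FeeLedger:
    def __init__(self, treasury):
        self.treasury = treasury
        self.balance = {}        # token -> ERC20 balance the contract holds
        self.pending = {}        # token -> {recipient: revenue owed}
        self.total_pending = {}  # token -> sum of pending revenue (totalPendingRevenue)

    def _credit(self, token, to, amount):
        self.pending.setdefault(token, {})
        self.pending[token][to] = self.pending[token].get(to, 0) + amount
        self.total_pending[token] = self.total_pending.get(token, 0) + amount

    def stray_deposit(self, token, amount):
        # Tokens sent straight to the contract: nobody is owed them, so they are recoverable
        self.balance[token] = self.balance.get(token, 0) + amount

    def buy_token(self, token, price, trading_fee_bps, creator, creator_fee_bps):
        # Fees stay in the contract as pending revenue; the seller is paid the net price
        trading_fee = price * trading_fee_bps // 10_000
        creator_fee = price * creator_fee_bps // 10_000
        self.balance[token] = self.balance.get(token, 0) + trading_fee + creator_fee
        self._credit(token, self.treasury, trading_fee)
        if creator_fee:
            self._credit(token, creator, creator_fee)
        return price - trading_fee - creator_fee

    def claim_pending_revenue(self, token, who):
        amount = self.pending.get(token, {}).get(who, 0)
        if amount > self.balance.get(token, 0):
            raise ValueError("claim fails: owed revenue was swept out of the contract")
        self.pending.get(token, {}).pop(who, None)
        self.total_pending[token] = self.total_pending.get(token, 0) - amount
        self.balance[token] = self.balance.get(token, 0) - amount
        return amount

    def recover_fungible_tokens_vulnerable(self, token):
        # Original behaviour: the owner sweeps the whole balance, fees owed to others included
        amount = self.balance.get(token, 0)
        self.balance[token] = 0
        return amount

    def recover_fungible_tokens(self, token):
        # Fixed behaviour: only tokens that nobody is owed may leave the contract
        amount = self.balance.get(token, 0) - self.total_pending.get(token, 0)
        if amount == 0:
            raise ValueError("Operations: No token to recover")
        self.balance[token] -= amount
        return amount
```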
RECOMMENDATION
The contract must keep a mapping of all NFTs listed on the market (e.g. tokenListed); the code can then be fixed as below:
function recoverNonFungibleToken(address _token, uint256 _tokenId) external onlyOwner nonReentrant {
    require(!tokenListed[_token].contains(_tokenId), "Operations: NFT not recoverable"); // FIXED
    IERC721(_token).safeTransferFrom(address(this), msg.sender, _tokenId); // FIXED
}
UPDATES
RECOMMENDATION
require(_collections[_collection][_collectionId].creatorAddress != address(0), "Operations: Collection not listed");
UPDATES
• Apr 4, 2023: This issue has been acknowledged and fixed by the DGG Network team
RECOMMENDATION
_collections[_collection][_collectionId].status = CollectionStatus.Close;
// _collectionAddressSet.remove(_collection); <-- REMOVE THIS
UPDATES
• Apr 4, 2023: This issue has been acknowledged and fixed by the DGG Network team
2.2.8. [ ] Market.sol - Creator can change trading fee after seller asks to sell
2.2.8.1. Description
It is not transparent when the creator or admin modifies the collection's creator fee or trading fee after a seller has already requested to list an NFT on the market.
RECOMMENDATION
require(
    (_creatorFee == 0 && _creator == address(0)) || (_creatorFee != 0 && _creator != address(0)),
    "Operations: Creator parameters incorrect"
);
if (_askTokenIds[_collection][_collectionId].length() == 0) {
    require(_tradingFee + _creatorFee <= TOTAL_MAX_FEE, "Operations: Sum of fee must inferior to TOTAL_MAX_FEE");
    collection = Collection({
        status: CollectionStatus.Open,
        creatorAddress: _creator,
        whitelistChecker: _whitelistChecker,
        tradingFee: _tradingFee,
        creatorFee: _creatorFee,
        collectionId: _collectionId
    });
} else {
    collection = Collection({
        status: CollectionStatus.Open,
        creatorAddress: _creator,
        whitelistChecker: _whitelistChecker,
        tradingFee: collection.tradingFee,
        creatorFee: collection.creatorFee,
        collectionId: _collectionId
    });
}
UPDATES
• Apr 4, 2023: This issue has been acknowledged and fixed by the DGG Network team
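The Python model below is an added illustration of the ask-book rules behind findings 2.2.5 and 2.2.8 (and the seller-side tokenBuy change from 2.2.3); it is not the audited Market.sol or code from DGG Network. The class and method names, the basis-point value of TOTAL_MAX_FEE and the sample addresses are constructed; the buyer-side check in buy_token is an assumed mitigation, not a recommendation taken from the report.

```python
# Python model of the ask book in Market.sol, added for illustration; not the audited contract.
TOTAL_MAX_FEE = 1_000  # assumed cap in basis points (the report names the constant, not its value)

class AskBook:
    def __init__(self):
        self.collections = {}  # (collection, cid) -> dict(creator, trading_fee, creator_fee)
        self.asks = {}         # (collection, token_id) -> dict(seller, price, token_buy, cid)
        self.listed = {}       # collection -> set of token_ids (the report's tokenListed)

    def _open_asks(self, collection, cid):
        return sum(1 for (c, _), a in self.asks.items() if c == collection and a["cid"] == cid)

    def set_collection(self, collection, cid, creator, trading_fee, creator_fee):
        # 2.2.8 fix: while asks are open, fee changes are ignored so sellers keep the listed terms
        current = self.collections.get((collection, cid))
        if current is not None and self._open_asks(collection, cid) > 0:
            trading_fee, creator_fee = current["trading_fee"], current["creator_fee"]
        elif trading_fee + creator_fee > TOTAL_MAX_FEE:
            raise ValueError("Operations: Sum of fee must inferior to TOTAL_MAX_FEE")
        self.collections[(collection, cid)] = dict(creator=creator, trading_fee=trading_fee,
                                                   creator_fee=creator_fee)
        return self.collections[(collection, cid)]

    def create_ask(self, collection, cid, token_id, seller, price, token_buy):
        self.asks[(collection, token_id)] = dict(seller=seller, price=price,
                                                  token_buy=token_buy, cid=cid)
        self.listed.setdefault(collection, set()).add(token_id)

    def modify_ask(self, collection, token_id, new_price, new_token_buy):
        # The seller may change price and payment token at any time (finding 2.2.3)
        self.asks[(collection, token_id)].update(price=new_price, token_buy=new_token_buy)

    def recover_nft(self, collection, token_id):
        # 2.2.5 fix: an NFT that is still listed belongs to its seller and is not recoverable
        if token_id in self.listed.get(collection, set()):
            raise ValueError("Operations: NFT not recoverable")
        return token_id

    def buy_token(self, collection, token_id, expected_token_buy, expected_price):
        # Assumed mitigation (not from the report): the buyer pins the token and price they
        # agreed to, so a last-minute modify_ask by the seller makes the purchase fail closed
        ask = self.asks[(collection, token_id)]
        if ask["token_buy"] != expected_token_buy or ask["price"] != expected_price:
            raise ValueError("Order: ask changed since the buyer submitted")
        del self.asks[(collection, token_id)]
        self.listed[collection].discard(token_id)
        return ask["seller"]
```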
RECOMMENDATION
UPDATES
• Apr 4, 2023: This issue has been acknowledged and fixed by the DGG Network team
RECOMMENDATION
UPDATES
• Apr 4, 2023: This issue has been acknowledged and fixed by the DGG Network team
3. VERSION HISTORY
Version Date Status/Change Created by