Report released on Oct 21, 2022
About MarbleX - NFT Marketplace Protocol
The contract we audited is mostly identical to the Wyvern v2.2 contracts in this repository. The project has two major components: the NFT Marketplace and the DAO.
The NFT Marketplace works as follows. An Order structure holds the information on the placed order: among other things, the maker/taker of the order, the exchange address, the payment token address, price information, fee information, listing time and expiration time, and a salt for preventing duplicate hashes. In Wyvern 2.2 the execution of NFT transfers is handled in a much more general way: the buyer and the seller agree on the parameters of a contract call, i.e. the target of the call, the call method (call or delegatecall) and the calldata. To agree on the calldata, each of the buyer and the seller specifies their own version of the calldata together with a bitmap (replacement pattern) marking which bits the other party is allowed to change. With some memory manipulation, the contract computes the final calldata from the two order structures of buyer and seller and executes the call. To verify that the orders are approved by the buyer or seller, either the appropriate ECDSA signatures must be provided, or the parties must have approved the order on-chain by calling the contract, or they must call the contract themselves. In this project, the Klaytn format of signing hashes was applied.
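The calldata-merging step described above is the part of the design a reviewer most wants to see concretely, because the replacement pattern a party signs determines exactly what the counterparty may change. The following is an added example, not code from the audited contracts or from Wyvern itself: a Python model of the bitwise merge (reimplementing the intent of Wyvern 2.2's guardedArrayReplace and the buy-then-sell order of atomicMatch_), applied to an ERC-721 transferFrom(address,address,uint256) call with constructed sample addresses and token ids, plus a pre-signing check that reports which argument words a pattern opens.

```python
# Added example (not the audited contracts' code and not Wyvern's own source):
# a Python model of Wyvern-style calldata merging via replacement patterns,
# with a defender-side check of what a pattern actually lets the other side change.

SELECTOR_TRANSFER_FROM = bytes.fromhex("23b872dd")  # ERC-721 transferFrom(address,address,uint256)
WORD = 32

# Constructed sample addresses for the demonstration (assumptions, not real accounts).
SELLER = 0x1111111111111111111111111111111111111111
BUYER = 0x2222222222222222222222222222222222222222


def encode_transfer_from(from_addr: int, to_addr: int, token_id: int) -> bytes:
    """ABI-encode transferFrom(from, to, tokenId): 4-byte selector + three 32-byte words."""
    return SELECTOR_TRANSFER_FROM + b"".join(
        v.to_bytes(WORD, "big") for v in (from_addr, to_addr, token_id)
    )


def replacement_pattern(open_words: set) -> bytes:
    """Bitmap of the same length as the calldata: 0xff over every argument word the signer
    leaves for the counterparty to fill in, 0x00 everywhere else (selector included).
    Word 0 = from, word 1 = to, word 2 = tokenId."""
    return bytes(4) + b"".join(
        (b"\xff" if i in open_words else b"\x00") * WORD for i in range(3)
    )


def guarded_array_replace(array: bytes, desired: bytes, mask: bytes) -> bytes:
    """Bitwise merge: bits set in `mask` are taken from `desired`, all others from `array`.
    Our own reimplementation of the semantics of Wyvern's ArrayUtils.guardedArrayReplace."""
    if not (len(array) == len(desired) == len(mask)):
        raise ValueError("calldata and replacement pattern lengths differ")
    return bytes(((a & ~m) | (d & m)) & 0xFF for a, d, m in zip(array, desired, mask))


def merge_orders(buy_calldata: bytes, buy_pattern: bytes,
                 sell_calldata: bytes, sell_pattern: bytes) -> bytes:
    """Apply the buy side's pattern first, then the sell side's against the updated buy
    calldata, and require both sides to agree (same sequence as Wyvern 2.2's atomicMatch_)."""
    if buy_pattern:
        buy_calldata = guarded_array_replace(buy_calldata, sell_calldata, buy_pattern)
    if sell_pattern:
        sell_calldata = guarded_array_replace(sell_calldata, buy_calldata, sell_pattern)
    if buy_calldata != sell_calldata:
        raise ValueError("orders do not match after replacement")
    return buy_calldata


def writable_words(pattern: bytes) -> set:
    """Pre-signing check: which argument words does this pattern let the counterparty rewrite?
    A set bit anywhere in the selector region is reported as word -1."""
    opened = set()
    if any(pattern[:4]):
        opened.add(-1)
    for i in range(3):
        if any(pattern[4 + i * WORD: 4 + (i + 1) * WORD]):
            opened.add(i)
    return opened


def match_orders(sell_token: int, sell_open: set, buy_token: int, buy_open: set) -> bytes:
    """Seller lists `sell_token` with the words in `sell_open` left blank; buyer bids on
    `buy_token` with the words in `buy_open` left blank. Returns the executed calldata."""
    sell = encode_transfer_from(SELLER, 0, sell_token)
    buy = encode_transfer_from(0, BUYER, buy_token)
    return merge_orders(buy, replacement_pattern(buy_open), sell, replacement_pattern(sell_open))


if __name__ == "__main__":
    # Normal case: seller opens only `to`, buyer opens only `from`.
    print(match_orders(42, {1}, 42, {0}).hex())
    # Review aid: a seller pattern that also opens the tokenId word is too permissive.
    print("seller pattern opens words:", writable_words(replacement_pattern({1, 2})))
```

With tight patterns (seller opens only the `to` word, buyer only the `from` word) the merge succeeds only when both sides name the same token; a seller pattern that additionally opens the tokenId word makes the buyer's token id win the merge while the orders still "match", which is why reviewing writable_words of a pattern before signing matters.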
The DAO in Wyvern v2.2 is based on voting with an ERC20 share token. To make voting easier for small shareholders, the system allows delegation of votes to a larger shareholder. Each proposal consists of a target address and contract calldata, along with the amount of ETH to be sent with the call. A vote passes if the minimum quorum is reached and more than half of the voters agree. It is also possible to change the voting rules via governance.
The DAO part of the contract was not used and is out of scope for this audit.
Purpose of this report
This report was prepared to audit the security of the NFT Marketplace contracts developed by the MarbleX team. HAECHI AUDIT conducted the audit focusing on whether the system created by the MarbleX team is soundly implemented and designed as specified in the published materials, in addition to the safety and security of the NFT Marketplace contracts. As the contract is based on Wyvern 2.2, which has been widely used, we focused on the following:
code that differs between the audited contracts and Wyvern 2.2
correct fixes for the known (1-day) vulnerabilities of Wyvern 2.2
*The audited code may be kept undisclosed at the client's request.
KALOS is a flagship service of HAECHI LABS, the leader of the global blockchain industry. We bring together the best Web2 and Web3 experts. Security Researchers with expertise in cryptography, leaders of the global best hacker team, and blockchain/smart contract experts are responsible for securing your Web3 service.
We have secured over $60b worth of crypto assets across 400+ global crypto projects — L1/L2 projects, defi protocols, P2E games, and bridges — notably 1inch, SushiSwap, Badger DAO, SuperRare, Klaytn and Chainsafe. KALOS is the only blockchain technology company selected for the Samsung Electronics Startup Incubation Program in recognition of our expertise. We have also received technology grants from the Ethereum Foundation and Ethereum Community Fund.
Secure your smart contracts with KALOS.