Tengoku Senso is a GameFi NFT platform built on Ethereum. The audit team found high-severity issues that show that the system is not functioning as intended. For example, NFT minting lacks access control, and the `TGKMainContract` contract, which is supposed to receive NFTs, actually cannot receive them via safe transfers. These high-severity issues could have been detected with basic test suites, and their presence signifies the problem of insufficient test suites. Indeed, when the audit team inspected the project, the test suite was absent, and at the same time, there was almost no documentation. Moreover, one of the contracts does not even compile; hence there is no way of running and testing it.

Regarding the project quality, since there is almost no documentation and no tests, the auditors followed a best-effort approach in attempting to identify potential combinations of inputs and outputs that could lead to unexpected behavior. Our team frequently interacted with the Tengoku Senso team to clarify code and expected behavior. Their active engagement in answering our questions was crucial and greatly assisted in completing the audit. Still, the overall confidence is low given that the project does not compile and no tests accompany such an audit. An audit does not replace the need for a high-quality test suite, and we strongly recommend fixing the compilation issue and testing all the happy and unhappy paths of the system.

The system is highly centralized and could suffer from a significant exploit if the owner of the contracts is compromised. Further, the Tengoku Senso team will utilize out-of-scope off-chain mechanisms to determine the receiving address and amount of tokens (native, ERC20, and ERC721) to transfer from the contract `TGKMainContract`. As a result, we want to highlight the importance of following best practices for key management of admin addresses, as well as carefully assessing the current level of IT risks associated with the off-chain components of the system and implementing mitigating measures accordingly.

**Fix review**

The Tengoku Senso team addressed all issues. The Tengoku Senso team clearly documented their system in a `README` file and added a test suite. We strongly suggest making that documentation easily available to the end users in the front end of the application instead of keeping it in the `README` file. Also, we would like to highlight the commitment of the Tengoku Senso team to address all issues.
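The two high-severity findings above, illustrated with added example code that is not the project's code (contract and function names are hypothetical): an unrestricted mint beside an owner-restricted one, and a recipient contract that implements the `onERC721Received` hook that ERC-721 `safeTransferFrom` requires before it will complete a transfer to a contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Same callback interface as ERC-721 / OpenZeppelin's IERC721Receiver.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Hypothetical minter (not the audited TGKNFTContract): keeps only the state needed
// to show the access-control point; a real token would implement the full ERC-721.
contract MinterExample {
    address public immutable owner;
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;
    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Pattern of the finding: no restriction, so any caller can mint to any address.
    function mintUnrestricted(address to) external returns (uint256 id) {
        id = _mint(to);
    }

    // Fix: only the owner (or a dedicated minter role) may mint.
    function mint(address to) external onlyOwner returns (uint256 id) {
        id = _mint(to);
    }

    function _mint(address to) internal returns (uint256 id) {
        require(to != address(0), "zero address");
        id = nextId++;
        ownerOf[id] = to;
    }
}

// Hypothetical vault (not the audited TGKMainContract). ERC-721 safeTransferFrom calls
// this hook on a contract recipient and reverts unless it returns the selector.
contract ReceiverExample is IERC721Receiver {
    event NftReceived(address operator, address from, uint256 tokenId);
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata)
        external override returns (bytes4)
    {
        emit NftReceived(operator, from, tokenId);
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

A basic test that calls `mintUnrestricted` from a non-owner account, and one that performs a `safeTransferFrom` into the vault, would have caught both findings.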
| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | - | - | - | - | 0 |
| Fixed | 4 | - | 4 | - | 8 |
| Total | 4 | 0 | 4 | 0 | 8 |
| # | Github Repository | Commit Hash | File |
|---|---|---|---|
| 1 | AkshaySharma96/TGK-Smart-Contracts-Audit | 68f99d348ee637d90ba91b2996d1e132f7cf4268 | TGKNFTContract.sol |
| 2 | AkshaySharma96/TGK-Smart-Contracts-Audit | 68f99d348ee637d90ba91b2996d1e132f7cf4268 | TGKMainContract.sol |