BlockBar is a platform offering NFTs bound to physical liquor bottles. Holders of an NFT can list it for sale to other buyers in the BlockBar marketplace. Each NFT can have several royalty owners, each of whom receives a share of the price when the NFT is sold to another user.

During the code review, high-severity issues were found. The majority of issues stem from missing input validation and precision loss, as well as royalty distribution. After the discussion of these security issues, some best-practice recommendations are listed. We strongly recommend addressing the issues found. Regarding testing, the project shows good code coverage metrics.

Update: BlockBar has successfully covered most of our security concerns in the fix review, addressing the input validation and precision loss. While they did not implement any major changes around their royalty shares, they have acknowledged the issues we brought forth and maintain that their implementation aligns with their business logic.

Update: The BlockBar team has decided to remove the royalty oracle, instead opting to receive any royalty collections from sales directly. Their plan is to then handle collection payouts internally. Users should note that these collection payouts to parties other than BlockBar are not currently enforced on-chain.

The following contracts were not reviewed by Quantstamp:

* `contracts/blockbarBottle.sol`
* `contracts/recoverability.
| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 10 | 1 | - | - | 11 |
| Fixed | 11 | 5 | 2 | - | 18 |
| Total | 21 | 6 | 2 | 0 | 29 |
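The two issue classes the summary names, missing input validation and precision loss in a multi-recipient royalty distribution, can be made concrete with a small Solidity splitter. This is an added illustration, not code from the BlockBar contracts or from the audit; the contract name `RoyaltySplitExample`, the function names, the basis-point share convention and the decision to send rounding dust to the seller are all assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative royalty splitter (added example, not BlockBar's code).
/// Shares are expressed in basis points (1/10000) and validated when set;
/// payouts multiply before dividing so small sale prices do not round
/// every recipient down to zero, and rounding dust goes to the seller.
contract RoyaltySplitExample {
    uint256 public constant BPS_DENOMINATOR = 10_000;

    struct Royalty {
        address payable recipient;
        uint96 shareBps;
    }

    mapping(uint256 => Royalty[]) private _royalties;
    bool private _locked;

    error ZeroRecipient();
    error ZeroShare();
    error SharesExceedDenominator(uint256 total);
    error TransferFailed(address to);
    error Reentrancy();

    modifier nonReentrant() {
        if (_locked) revert Reentrancy();
        _locked = true;
        _;
        _locked = false;
    }

    /// Input validation at registration: non-zero recipients, non-zero
    /// shares, and a total that cannot exceed 100% of the sale price.
    /// (Access control is omitted here; a real contract restricts who
    /// may set royalties for a token.)
    function setRoyalties(uint256 tokenId, Royalty[] calldata entries) external {
        delete _royalties[tokenId];
        uint256 total;
        for (uint256 i = 0; i < entries.length; i++) {
            if (entries[i].recipient == address(0)) revert ZeroRecipient();
            if (entries[i].shareBps == 0) revert ZeroShare();
            total += entries[i].shareBps;
            _royalties[tokenId].push(entries[i]);
        }
        if (total > BPS_DENOMINATOR) revert SharesExceedDenominator(total);
    }

    /// Pure arithmetic kept separate so rounding behaviour can be unit-tested.
    function computePayouts(uint256 tokenId, uint256 salePrice)
        public
        view
        returns (uint256[] memory payouts, uint256 sellerAmount)
    {
        Royalty[] storage entries = _royalties[tokenId];
        payouts = new uint256[](entries.length);
        uint256 distributed;
        for (uint256 i = 0; i < entries.length; i++) {
            // Multiply first: (salePrice / BPS_DENOMINATOR) * shareBps
            // would truncate up to 9_999 wei of the price before scaling.
            payouts[i] = (salePrice * entries[i].shareBps) / BPS_DENOMINATOR;
            distributed += payouts[i];
        }
        // Total shares <= 100%, so distributed <= salePrice and this
        // subtraction cannot underflow; the seller keeps the dust.
        sellerAmount = salePrice - distributed;
    }

    /// Pays each royalty owner and forwards the remainder to the seller.
    function distribute(uint256 tokenId, address payable seller)
        external
        payable
        nonReentrant
    {
        (uint256[] memory payouts, uint256 sellerAmount) =
            computePayouts(tokenId, msg.value);
        Royalty[] storage entries = _royalties[tokenId];
        for (uint256 i = 0; i < entries.length; i++) {
            if (payouts[i] == 0) continue;
            (bool ok, ) = entries[i].recipient.call{value: payouts[i]}("");
            if (!ok) revert TransferFailed(entries[i].recipient);
        }
        (bool sellerOk, ) = seller.call{value: sellerAmount}("");
        if (!sellerOk) revert TransferFailed(seller);
    }
}
```

With a sale price of 9,999 wei and a single 5,000 bps recipient, `computePayouts` returns 4,999 wei for the recipient and 5,000 wei for the seller; the divide-first form would pay the recipient 0. The share-total check in `setRoyalties` is what guarantees `sellerAmount` cannot underflow, which is why the validation belongs at registration rather than at payout time. Note that this push-payment design lets any recipient whose `call` reverts block the whole sale; a pull-payment pattern, where recipients withdraw their accrued balance, removes that failure mode.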