1a:["$","div",null,{"className":"animate-pageappear fill-mode-forwards min-h-[calc(100vh-theme(spacing.footer-height))] pb-[60px]","children":[["$","$L25",null,{"audit":{"id":"f7297c88-f2f9-4010-b91e-e477e7e0ffc3","name":"Petaverse","description":"**Initial Audit:**\n\nThis audit was concerned with two main contracts `Pet.sol`and `Voucher.sol`. Both interact together, on more than one chain, to manage the minting of vouchers and pets.\n\nDuring the audit, we identified several issues and recommended that the team implement tighter validations. We also suggest addressing any unclear specifications and improving documentation to prevent similar or new issues in the future.\n\nMany of the vulnerabilities we found involved potential attacks that are a direct result of the multi-chain architecture, which relies heavily on trusted actors to perform their roles correctly.\n\n
\n\n**Update after the first re-audit:** \n\nThe client addressed all the issues by either fixing or acknowledging them.","conductedAt":1684886400000,"reportType":"web","reportUrl":"https://certificate.quantstamp.com/full/petaverse/194b7ad8-a1b4-43f9-9e3e-f8655173fffc/index.html","issues":[{"id":"832f5efc-900c-4422-b1aa-ff8b1d75db0d","status":"not_fixed","name":" Inoperable Voucher Redemption","description":"Currently, `Voucher.redeemVoucherTo()` does not support the redemption of Vouchers, as nothing is ensuring that the token for the specified `_voucherTokenId` is held by the contract before burning it. Therefore, calls to `redeemVoucherTo()` will fail if the token is not held by the contract.","severity":"low"},{"id":"0ed0ce78-2c0e-4c18-b943-8c012a5fdbe6","status":"not_fixed","name":"Cloned Pets Not Burned with Original","description":"Currently, the team describes that cloned Pets are transferred back to a holding contract if the original Pet is burned. Although these clones may be held by the team instead of individual accounts, they still exist on-chain and can have their clone status modified to be an original, therefore recreating a Pet that was already burned.","severity":"low"},{"id":"865aa45d-97d0-4f59-8152-2d79c0f4989e","status":"not_fixed","name":"Missing Input Validation","description":"The following inputs are not being validated:`:\n\n

In Pet.setOperatorFilterRegistry(), _operatorFilterRegistry is not being checked for the 0x0 address.
In Pet.setRoyaltyInfo(), _royaltyReceiver is not being checked for the 0x0 address
In Pet.setIMX(), _imx is not being checked for the 0x0 address.
In Voucher.constructor(), _pet is not being checked for the 0x0 address.
In Voucher.setOperatorFilterRegistry(), _operatorFilterRegistry is not being checked for the 0x0 address.
In Voucher. withdraw(), _to is not being checked for the 0x0 address.
Pet.initialize() does not check that the parameter _uri is not an empty string.

","severity":"low"},{"id":"6d5f73d5-0530-4a72-bae4-e3330dbb10b0","status":"not_fixed","name":"Overwriting Custodial Status","description":"In `Pet.multiMintTo()`, the mint function does not take into account the previous custodial status of the accounts being minted tokens to, allowing for it to be possible to overwrite the custodial status of a `to` address that has been previously assigned to be a custodian, as a result of some oversight.","severity":"low"},{"id":"c9c3b55f-96fa-45db-a24e-b85acd770b1c","status":"not_fixed","name":"Privileged Roles","description":"$26","severity":"low"},{"id":"4a79b7c4-e85f-4463-8265-68fc60438673","status":"not_fixed","name":"Renounce Ownership Role","description":"If the `DEFAULT_ADMIN_ROLE` is renounced without assigning a new admin, all the contracts will be left without an admin. Consequently, any function guarded by the `getRoleAdmin()`function will no longer be able to be executed.","severity":"low"},{"id":"6a96ed32-e850-4c4e-8650-a2d2fce039f7","status":"not_fixed","name":"Simultaneous Minting of Tokens Cross Chain","description":"It is possible for the same TokenId to be minted simultaneously cross-chain. Preventing the withdrawal of the newly minted L2 token to L1, due to the tokenId already existing.\n\nNote that this case is concerned with minting through ImmutableX L2.","severity":"low"},{"id":"cd1a0d68-1b7a-40a9-802d-3f64b33a1a6a","status":"fixed","name":"Cloned Pets Are Transferrable","description":"Documentation suggests that clones can only be transferred by the Cloner role, however, clones can also be transferred by Custodians if they are owned by custodial accounts, or if clones are owned by the contract they can be transferred by Minters. Additionally, accounts holding cloned pets are free to transfer them as they wish.\n\nBy design, cloned pets are intended to only be held by the same account that holds the original pet, just on a terminal chain. However, with the ability to transfer these clones, a situation could arise where separate accounts are holding both the original and cloned pet. Also, recipients of cloned pets could be surprised to have their NFT moved by the team at any point.","severity":"high"},{"id":"28d7b96e-e45c-4936-a1eb-929b4e142c19","status":"fixed","name":"Missing Input Validation for Royalty Amount","description":"The function `setRoyaltyInfo()` does not verify the `royaltyReceiver` to not be the `0x0 address`, and the `royaltyNumerator` to be within a defined bound.\n\nIf the royaltyNumerator is the same as the `ROYALTY_DENOMINATOR`, then the royalty will be the entire sale price.\n\nIf it is greater than the `ROYALTY_DENOMINATOR` then the royalty will be more than the sale price itself.","severity":"medium"},{"id":"bf3ff305-cf33-4b36-b3d1-7c987201fab5","status":"fixed","name":" Unused _Burn() Function","description":"In the Pet.sol file a `_burn()` function is defined which overrides the burn function of all other contracts it inherits from. However, it is an internal function that is never used in any part of the code.","severity":"low"},{"id":"05014f28-fe2c-4d57-841c-ea8d1417547c","status":"fixed","name":"Approvals, Transfers, Burns Allowed on Non-Origin Chain","description":"Documentation suggests that NFTs should only be transferred, approved, or burned on the origin chain where they were minted. However, there is no smart-contract level enforcement of this. This means NFTs can be transferred, regardless of what chain they are on.","severity":"low"},{"id":"8a0820bc-d501-4e6d-91c1-a3e00557b7cf","status":"fixed","name":"Checks-Effects-Interactions Violation","description":"In `Pet.mintTo()`#L222, the custodial status of the to address is updated after the minting of the token, violating the Checks-Effects-Interactions coding pattern. The coding pattern is meant to mitigate any chance of other contracts manipulating the state of the blockchain in unexpected and possibly malicious ways before control is returned to the original contract. While no critical vulnerabilities were identified as a result of this violation, it is still best to adhere to the pattern to mitigate any potential issues.","severity":"low"},{"id":"42dde81d-41fd-41dc-ae0a-0d81da915dc1","status":"fixed","name":"Clashing Roles Inhibit Bulk Custodial Transfer","description":"`Pet.bulkTransferFromCustodials()` is restricted to only being called by an `Custodian` However, the call to `setCustodial()` inside of this function is limited to only addresses with DEFAULT_ADMIN_ROLE. An address with CUSTODIAN_ROLE cannot bulk transfer Pets if they do not additionally hold the DEFAULT_ADMIN_ROLE.","severity":"low"},{"id":"175c1e2f-bfae-4bbe-af41-d067501e381f","status":"fixed","name":"Front-Running Voucher Mints","description":"`Voucher.mintTo()`, a voucher can be minted in 2 ways:\n\n

The _to address must match the to address on the signed VoucherToken data.
As long as the _to data doesnt equal the 0x0 address and _voucher.to is 0x0, then the voucher token can be minted to any arbitrary _to address

\n\nThe second scenario allows for a front-runner to simulate a `mintTo()` transaction for a voucher token with an unassigned address and see that they can receive this token if they provide their own address in the _to the parameter.","severity":"low"},{"id":"812a5512-adc0-48d3-ae0f-b9333a42fe20","status":"fixed","name":"Immutable Pet Address Presents Single Point of Failure","description":"Currently, Voucher only allows the assignment of the value for the address of the Pet proxy contract once, during construction. The inability of the team to modify the address used for the Pet contract presents a single point of failure. If there were an instance where this proxy address was compromised, or assigned an incorrect address, Voucher would have to be redeployed as this contract would be unable to function as intended.","severity":"low"},{"id":"6ea34a7e-25ec-41dc-9d99-ed09ce31014b","status":"fixed","name":"Redundant Write Operations","description":"The function `mintTo()` can write the same value as the custodial mapping because it maps an address to a boolean.\n\nConsider the case where the address is already marked as custodial, there is no need to do the same write operation again.\n\nGiven that the `_tos` array contains duplicate addresses, the same goes for the function `multiMintTo()`; except that it writes the same value for the duration of the loop.\n\n Although it is only one bit, these write operations can cost more gas than needed.","severity":"low"},{"id":"8dca7c9b-fbea-45f6-8a34-8f975bcdfa9e","status":"fixed","name":"Unlimited Approvals","description":"The contracts can approve an address to transfer tokens on their behalf without setting a limit on how many tokens may be transferred via `ERC721.setApprovalForAll()`. If the approved address becomes hacked or is intentionally malicious, it may transfer out all of the approved tokens.","severity":"low"},{"id":"1c908493-a6f1-497f-9cb0-7c908c36f213","status":"fixed","name":"Upgradeability Misconfigurations","description":"In `Pet.initialize()`, both the Ownable and ReentrancyGuard upgradeable contracts are left uninitialized. Additionally, adding the `_disableInitializers()` function to the constructor of the implementation contract will prevent any malicious actors from calling `initialize()` on the implementation contract and taking it over, as described in Open Zeppelin's documentation.","severity":"low"},{"id":"e65650e8-cbff-4420-a23c-b24b48d603d6","status":"fixed","name":"Voucher Redemption Can Send Pet to Wrong Address","description":"`Voucher.redeemVoucherTo()` does not enforce that the address receiving the Pet from the Pet contract is the same receiving address specified by the associated Voucher. Although this function call is limited to the `REDEEMER_ROLE` it is still possible for human error on behalf of the team. If an incorrect address is provided for the `_to` parameter, an address different than that specified by the Voucher would receive the Pet.","severity":"low"}],"issuesCount":{"fixed":{"total":12,"low":10,"medium":1,"high":1,"critical":0},"not_fixed":{"total":7,"low":7,"medium":0,"high":0,"critical":0},"total":19},"auditor":{"name":"Quantstamp","slug":"quantstamp","auditorStatus":"active","profilePictureUrl":"https://uploads-bucket-production.s3.eu-west-1.amazonaws.com/profile-pictures/3ceaf212-b544-4f4e-b348-29badba7aa1f","tvs":{"total":74085466444,"average":330738689,"min":1,"max":37385443263},"auditsTotal":297,"contractsTotal":6630,"projectsCountByTag":{"analytics":4,"collectibles":3,"finance":96,"gaming":2,"security":2,"social":0,"wallet":2,"infrastructure":0,"privacy":0,"identity":0,"other":123,"total":224},"projectsCountByChain":{"ethereum":189,"polygon":39,"avalanche":12,"bnbchain":33,"arbitrum":44,"optimism":18,"fantom":7,"zksync":3,"base":23,"polygonZkEvm":3,"scroll":5,"blast":1,"starknet":0,"solana":17,"stellar":0,"sui":0,"tron":0,"injective":0,"ton":0,"plume":0,"peaq":0,"lukso":0,"mina":0,"astar":0,"vana":0,"fiveire":0,"zircuit":0,"total":224}},"project":{"name":"Petaverse","slug":"petaverse-1","domain":"petaverse.io","email":"contact@petaverse.io","profilePictureUrl":"https://uploads-bucket-production.s3.eu-west-1.amazonaws.com/profile-pictures/0335957c-cc3c-4051-916a-006edf95ff4d","tags":["other"],"chains":["polygon"],"links":{"website":"https://petaverse.io"},"rekts":[],"auditorsCount":1,"totalValue":0,"issuesCount":{"fixed":{"total":12,"low":10,"medium":1,"high":1,"critical":0},"not_fixed":{"total":7,"low":7,"medium":0,"high":0,"critical":0},"total":19},"lastAuditDate":1684886400000,"lastAuditAuditorName":"Quantstamp"},"contracts":[{"type":"offChainPrivate","name":"contracts/interfaces/IPet.sol"},{"type":"offChainPrivate","name":"contracts/interfaces/IOperatorFilterRegistry.sol"},{"type":"offChainPrivate","name":"contracts/Voucher.sol"},{"type":"offChainPrivate","name":"contracts/Pet.sol"}],"contractsCountByChain":{"ethereum":0,"polygon":0,"avalanche":0,"bnbchain":0,"arbitrum":0,"optimism":0,"fantom":0,"zksync":0,"base":0,"polygonZkEvm":0,"scroll":0,"blast":0,"starknet":0,"solana":0,"stellar":0,"sui":0,"tron":0,"injective":0,"ton":0,"plume":0,"peaq":0,"lukso":0,"mina":0,"astar":0,"vana":0,"fiveire":0,"zircuit":0,"offChainPublic":0,"offChainPrivate":4,"total":4},"extra":{"requestId":"bc37e966-05d9-490e-8809-7480f7d521c7"}}}],"$L27"]}]