Virtualness, a mobile-first platform, helps creators & brands navigate Web3 by designing, minting, & showcasing digital collectibles while enabling direct community engagement & new monetization channels.
QuillAudits conducts a rigorous audit of Virtualness Protocol, identifying and rectifying 40 critical vulnerabilities to enhance the platform's security and efficiency.
Virtualness provides a mobile-first platform that empowers creators & brands to create, mint, & showcase digital collectibles like art, videos, music, & tokens. It offers customizable templates, editing tools, & direct community engagement features, bridging Web2 and Web3 for enhanced monetization opportunities.
Virtualness is a blockchain platform designed to facilitate creators & brands in navigating & leveraging Web3 technologies. Currently deployed on Polygon, it enables users to create, mint, & showcase various forms of digital collectibles, including art, videos, music, & tokens. The platform offers customizable templates & editing tools to simplify the creation process. Virtualness makes it super easy for direct interaction between creators and their communities through engagement tools like polls & digital goods gifting/selling. It aims to bridge the gap between traditional Web2 platforms & Web3 by providing easy access to blockchain technology for creators, thereby unlocking new avenues for monetization in the digital space.
Quillaudits thoroughly audited Virtualness Protocol's 16 smart contracts, addressing security concerns such as vulnerability to manipulation and trust issues within its decentralized marketplace for digital goods. The audit involved comprehensive manual code review, functional testing, and automated analysis using tools like QuillShield and Mythril. Critical vulnerabilities, including MintData reuse and royalty fee transfer issues during lazy minting, were identified and remediated through collaboration with Virtualness. This process significantly bolstered the protocol's overall security.
Our methodology for Virtualness Smart Contracts combines threat modeling, a security-first mindset, and comprehensive testing, including both white-box and black-box methods. We emphasize transparency and clear communication with the Virtualness team, providing actionable insights and detailed recommendations for swift vulnerability resolution, and ensuring a robust security posture.
Our thorough and extensive audit uncovered **1 critical vulnerability, 5 Medium-severity issues, and 16 Low and 18 informational findings**.
Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:
Reuse of MintData for Different Orders
sell.order.trader
matching mintData.creators[0].account
and sell.order.collection.tokenId
matching mintData.tokenId
are met. This loophole didn't thoroughly check other details like URI and supply during execution.2. Royalty Fee Transfer Issue during Lazy Minting
fulfillLazyMintOrder
function, there was an issue during lazy minting where addresses meant to receive royalty fees weren't always retrieved correctly after transferring funds with transferFunds()
. This sometimes led to situations where royalty fees ended up not reaching their intended recipients, often due to incorrect or zero addresses being retrieved after the transfer.3. Seller Order Manipulation Before Signing
4. Lack of SafeERC Usage for Critical Operations
transferFunds()
and transferERC20()
, there were lapses in checking critical details during token transfers. For instance, after executing transferFrom()
, the system didn’t consistently verify the boolean status. This oversight could potentially allow malicious buyers to acquire tokens without actually spending any.5. Address Role Removal Considerations
lazyMint()
, where revoked minter roles for those signing MintData could cause transactions to fail. This happened when individuals with revoked roles attempted to execute transactions related to MintData, resulting in transaction reversals.
fulfillOrder
function with proper validation checks. This ensured that MintData was exclusively used for its intended order, preventing any kind of unauthorized substitutions.fulfillLazyMintOrder
. This adjustment ensured that recipient addresses were accurately retrieved before fund transfers, thereby preventing instances where royalty fees didn’t reach their intended recipients.signOrder
function. By implementing cryptographic validations, they secured platform fees and order parameters post-signing, ensuring they couldn’t be tampered with.transferFunds()
and transferERC20()
. This involved implementing robust checks to verify token transfers, thus reducing risks associated with token loss and exploitation.lazyMint()
function. This included adding checks to handle scenarios where minter roles were revoked, ensuring that MintData-related transactions continued smoothly without encountering failures due to role removal.During the audit, several functional tests were conducted to ensure the robustness and correctness of the Virtualness protocol smart contracts.
Here are some of the critical tests performed:
Impressed by our findings and recommendations, the Virtualness Protocol developers promptly addressed all identified vulnerabilities. Through our collaborative efforts, the Virtualness Protocol project is now significantly more secure, ensuring the protection of user funds.
The Virtualness Protocol’s smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the Virtualness Protocol Team has taken a significant step towards securing its platform and safeguarding user trust.
Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!