QuillAudits to the Rescue: Fixing WeeWeePad's Null Address Fund Loss and Malicious Stake Extensions

QuillAudits conducted a comprehensive audit of WeeWeePad, uncovering and addressing critical vulnerabilities that significantly enhance the platform’s security and reliability.

Before QuillAudits

  • The GamepadNFT contract had a critical issue where funds could be lost due to an uninitialized company address.
  • The buy function in the GamepadNFT contract was vulnerable to signature replay attacks.
  • Malicious users could extend the redeem period of stakers due to an unguarded permission issue.
  • Removing an address from the whitelist caused unexpected behavior due to improper whitelist index management.
  • RoyaToken holders could not reduce the approval amount for spenders.

After QuillAudits

  • QuillAudits recommended a locking mechanism that prevents simultaneous transactions by enforcing a sequential execution order. This change eliminated the race condition and secured the funds.
  • QuillAudits suggested a nonce-based system to ensure that each signature is unique to a single transaction. This addition prevents the reuse of signatures, effectively mitigating the risk of replay attacks.
  • QuillAudits recommended validation checks to prevent unauthorized redemption period manipulation, protecting stakers from malicious exploits.
  • QuillAudits recommended overhauling the whitelist management system, adding more rigorous checks and balances. They also implemented automated testing to detect any anomalies in whitelist updates.
  • QuillAudits suggested revising the approval mechanism so that RoyaToken holders can properly manage spender approvals.

Chain: Ethereum, Base


WeeWeePad provides a user-friendly platform for acquiring and staking $WEE tokens, participating in IDOs, and engaging in NFT offerings. The platform ensures fair and secure participation by implementing rigorous KYC and whitelisting procedures.


WeeWeePad: Elevating Meme Token and NFT Launches

WeeWeePad offers a streamlined platform tailored for meme token and NFT projects, emphasizing decentralized fundraising and robust community engagement. With advanced tools and comprehensive support, WeeWeePad enables successful project launches across multiple blockchain networks like Ethereum & Base. The platform empowers creators to connect with their communities, drive their own meme token growth, and navigate the complexities of the crypto space with ease.


Addressing WeeWeePad’s Security Concerns

QuillAudits identified and addressed 16 critical vulnerabilities in WeeWeePad's smart contracts, enhancing the platform’s security. Key concerns included fund loss, signature replay attacks, and improper whitelist management. By resolving these issues, QuillAudits has fortified WeeWeePad’s platform, ensuring a secure environment for its users.


WeeWeePad’s Journey Through Our Audit Process


  1. Information Gathering
    1. Collected and reviewed all relevant documentation, including whitepaper, technical specifications, and design documents.
    2. Obtained a clear understanding of the WeeWeePad platform's functionality and intended user interactions.
    3. Discussed client concerns and specific areas of focus for the audit.
       
  2. Manual Code Review:
    1. Conducted a line-by-line review of the smart contract code, focusing on:
      1. Vulnerability identification: Searching for known vulnerabilities such as reentrancy, front-running, integer overflows, and access control issues.
      2. Logic flaws: Identifying inconsistencies or unintended behaviours in the code logic.
      3. Solidity best practices: Compliance with secure coding standards and adherence to established guidelines.
         
  3. Functional Testing:
    1. Developed and executed a comprehensive set of test cases covering various user interactions and edge cases.
    2. Leveraged tools like Hardhat and Ganache to deploy and test the smart contract locally.
       
  4. Automated Testing:
    1. Employed static analysis tools like QuillShield to identify vulnerabilities through automated code scanning.
    2. Utilized symbolic execution tools like Mythril to explore various code execution paths and uncover potential attack vectors.
    3. Integrated unit tests written by the WeeWeePad team to verify specific contract functions and their behaviour.
       
  5. Reporting & Remediation:
    1. Prepared a detailed report outlining all identified vulnerabilities, categorized by severity and potential impact.
    2. Provided clear recommendations for fixing each vulnerability, including code snippets and best practices.
    3. Collaborated with the WeeWeePad Protocol team to prioritize and address the identified issues.
    4. Conducted additional verification testing after vulnerability fixes were implemented.
       

QuillAudits' Comprehensive Audit of WeeWeePad

Our audit methodology combined threat modeling, a security-first approach, and thorough testing, including both manual and automated methods. We emphasized transparency and clear communication with the WeeWeePad team to ensure effective resolution of identified issues.




Comprehensive Audit Discoveries and Remediation Strategies

Our audit revealed 6 Critical Severity vulnerabilities, 3 Medium Severity issues, 3 Low Severity issues, and 3 Informational findings.

Here’s a breakdown of the critical vulnerabilities and remediation strategies:



Audit Discoveries

1. Entire Funds Lost on the GamepadNFT Contract

Discovery: In the GamepadNFT contract, a coding error left the company address uninitialized in the constructor, causing all funds to be lost or burnt (sent to address(0)) when NFTs are purchased.
 

2. Signature Replay Attack

Discovery: The buy function in the GamepadNFT contract requires a signature operation signed by the signing key in the backend. However, it permits signature replay attacks as users can use the same signature multiple times.
 

3. Malicious Users Extending Redeem Period of Stakers

Discovery: In RoyaReserve.sol, the design of the stake function lets a malicious user pass a staker's address along with 1 wei, and the call can be repeated to keep extending the redeem period of that staker.
 

4. Unexpected Behavior from Removing Addresses

Discovery: When an address is removed from the whitelisted addresses, setting its whitelist mapping entry to false alters the element at whitelistItems[index[i]], leading to unexpected behavior unless the whitelistIndex mapping is updated before the deletion.
 

5. RoyaToken Holders Unable to Reduce Approval Amounts

Discovery: In RoyaleToken.sol, the custom token contract, which is not built on a standard ERC20 implementation such as the OpenZeppelin library, has an approve function that always increases the amount of tokens a spender can spend. This makes it impossible to reduce a spender's allowance unless the spender has exhausted their approved amount.
 

Remediation Strategies

  1. Entire Funds Lost on the GamepadNFT Contract

    Action: WeeWeePad fixed the initialization issue by properly setting up the company addresses during contract deployment and added additional checks to ensure that these addresses cannot be left uninitialized. This change ensures that all funds are correctly routed and managed, preventing any accidental loss or burning of assets.

    Outcome: The contract now handles funds securely, eliminating the risk of funds being lost or burned due to uninitialized addresses.
     

  2. Signature Replay Attack

    Action: To prevent signature replay attacks, WeeWeePad implemented a nonce-based validation system for each transaction. Each signature now includes a unique nonce that is tracked and invalidated after use, ensuring it cannot be reused.

    Outcome: The buy function is now secure against replay attacks, with each transaction validated for uniqueness, preventing any malicious reuse of signatures.
     

  3. Malicious Users Extending Redeem Period of Stakers

    Action: WeeWeePad introduced permission checks to the function responsible for modifying the redeem period. Now, only authorized addresses can extend the redeem period, ensuring that malicious users cannot exploit this functionality.

    Outcome: The redeem period for stakers is now secure, with no risk of unauthorized extensions by malicious users.
     

  4. Unexpected Behavior from Removing Addresses

    Action: The whitelist management logic was overhauled by WeeWeePad to ensure proper index handling when removing addresses. This change prevents any disruption or unexpected behavior when addresses are modified within the whitelist.

    Outcome: Whitelist operations are now stable, ensuring that the removal of addresses does not cause any unexpected issues.
     

  5. RoyaToken Holders Unable to Reduce Approval Amounts

    Action: WeeWeePad modified the approval mechanism in the RoyaToken contract to allow for decrementing approval amounts. This update gives token holders more control over the amount approved for spenders, ensuring they can reduce it as needed.

    Outcome: RoyaToken holders now have full control over spender approvals, including the ability to reduce previously set limits.
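
The nonce-based fix for the buy signature replay (item 2), shown as an added Solidity example that is not WeeWeePad's or QuillAudits' code; the contract name `SignedSale`, the digest layout and every function and variable name are assumptions. It goes slightly beyond the page by also binding the chain ID and contract address into the signed digest, which matters for a deployment on both Ethereum and Base, and it includes the zero-address constructor check from item 1.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not WeeWeePad's contract. All names are hypothetical.
contract SignedSale {
    address public immutable signer;            // backend signing key (assumed)
    address payable public immutable company;   // payout address (assumed)
    mapping(bytes32 => bool) public usedDigest; // authorizations already consumed

    event Purchased(address indexed buyer, uint256 indexed tokenId, uint256 nonce);

    constructor(address signer_, address payable company_) {
        // Refuse to deploy with unset addresses, so payments cannot go to address(0).
        require(signer_ != address(0) && company_ != address(0), "zero address");
        signer = signer_;
        company = company_;
    }

    // The signed digest binds buyer, item, price and nonce, plus chain and contract,
    // so an authorization is valid for exactly one purchase in one deployment.
    function digestFor(address buyer, uint256 tokenId, uint256 price, uint256 nonce)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), buyer, tokenId, price, nonce)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function buy(uint256 tokenId, uint256 nonce, uint8 v, bytes32 r, bytes32 s)
        external payable
    {
        bytes32 digest = digestFor(msg.sender, tokenId, msg.value, nonce);
        // Keyed on the digest, not the signature bytes, so a malleated (r, s, v)
        // encoding of the same authorization is rejected as well.
        require(!usedDigest[digest], "signature already used");
        // ecrecover returns address(0) on failure; signer is never zero (see constructor).
        require(ecrecover(digest, v, r, s) == signer, "bad signature");
        usedDigest[digest] = true; // consume before any external call
        (bool ok, ) = company.call{value: msg.value}("");
        require(ok, "payout failed");
        emit Purchased(msg.sender, tokenId, nonce); // NFT minting omitted
    }
}
```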
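
The permission check on staking for another address (item 3), as an added example rather than code from RoyaReserve.sol. The contract name `LockedStaking`, the 30-day lock, the opt-in depositor mapping and the use of native ETH instead of a token are all assumptions made to keep the block self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not RoyaReserve.sol. Names, the 30-day lock and the use of
// native ETH instead of a token are assumptions.
contract LockedStaking {
    uint256 public constant LOCK_PERIOD = 30 days;
    mapping(address => uint256) public staked;
    mapping(address => uint256) public unlockAt;
    // staker => depositor => allowed to stake on the staker's behalf
    mapping(address => mapping(address => bool)) public approvedDepositor;

    // A staker opts in to (or revokes) a third party depositing for them.
    function setDepositor(address depositor, bool allowed) external {
        approvedDepositor[msg.sender][depositor] = allowed;
    }

    // Without the authorization check, any caller could pass another staker's
    // address with a dust amount and reset unlockAt for that staker on every call.
    function stakeFor(address staker) external payable {
        require(msg.value > 0, "zero amount");
        require(
            staker == msg.sender || approvedDepositor[staker][msg.sender],
            "not authorized for staker"
        );
        staked[staker] += msg.value;
        unlockAt[staker] = block.timestamp + LOCK_PERIOD;
    }

    function redeem() external {
        require(block.timestamp >= unlockAt[msg.sender], "still locked");
        uint256 amount = staked[msg.sender];
        require(amount > 0, "nothing staked");
        staked[msg.sender] = 0; // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```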
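
One way to keep the whitelist array and its index mapping consistent on removal (item 4), as an added example that is not WeeWeePad's code. The storage names `whitelist`, `whitelistItems` and `whitelistIndex` follow the wording of the finding; the contract name, the owner-only access control and the swap-and-pop layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not WeeWeePad's code. Storage names follow the finding's
// wording; layout and access control are assumptions.
contract WhitelistRegistry {
    address public immutable owner;
    mapping(address => bool) public whitelist;
    mapping(address => uint256) public whitelistIndex; // position in whitelistItems
    address[] public whitelistItems;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function add(address account) external onlyOwner {
        require(account != address(0), "zero address");
        require(!whitelist[account], "already listed");
        whitelist[account] = true;
        whitelistIndex[account] = whitelistItems.length;
        whitelistItems.push(account);
    }

    function remove(address account) external onlyOwner {
        // An unlisted address has index 0 by default; without this check the
        // removal would evict whichever address legitimately sits at slot 0.
        require(whitelist[account], "not listed");
        uint256 idx = whitelistIndex[account];
        uint256 lastIdx = whitelistItems.length - 1;
        if (idx != lastIdx) {
            address moved = whitelistItems[lastIdx];
            whitelistItems[idx] = moved;  // fill the gap with the last element
            whitelistIndex[moved] = idx;  // update its index before shrinking
        }
        whitelistItems.pop();
        delete whitelistIndex[account];
        whitelist[account] = false;
    }

    function count() external view returns (uint256) {
        return whitelistItems.length;
    }
}
```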
     

Impressed by our findings and recommendations, the WeeWeePad developers promptly addressed all identified vulnerabilities. Through our collaborative efforts, the WeeWeePad project is now significantly more secure, ensuring the protection of user funds.

The WeeWeePad smart contracts security audit identified and addressed critical vulnerabilities, enhancing platform stability and security. This audit underscores the importance of proactive security measures for blockchain projects, especially those handling financial transactions. By addressing identified issues, the WeeWeePad Team has strengthened its platform and safeguarded user trust.
 
