Pixar - Smart Contract Audit Report
Pixar is building a platform where users can earn tokens by playing games and staking LP tokens.
For this audit we reviewed the project's NFT, BlindBox, Gov, Flip, Lock, and Staking contracts at commit 0634a94f59ef661c885bc5560f1e3779ff2c6946 on the team's GitHub repository.
Notes on the Contracts:
- This contract is made to interact with the project's NFT contract through drawing NFTs from different boxes.
- Users can spend platform tokens in exchange for minted key tokens, which can then be used to draw NFTs from boxes.
- Of these platform tokens spent, 90% are sent to a prize pool address, 5% are sent to a lable address, and 5% are sent to a user specified inviter address.
- The owner can change the cost of these key tokens at any time.
- Each NFT has a unique token ID, which is used to identify it's grade and box series.
- The owner has the ability to create new boxes at any time, and can also change a box's reward and odds to draw certain graded NFTs at any time.
- Once the user has aquired 5 NFTs of the same box series and grade, exchange them for a new NFT of the same series with a random grade assigned.
- Note that the the randomness functionality used to determine the grade of the new NFT can be manipulated to produce the same grade for every call while within a block.
- Users can cash in their NFTs for a reward if they have the required number of NFTs of each grade for a given box series.
- The reward for a certain box series can be multiple different tokens with varying amounts of each.
- We recommend disallowing contracts to interact with DrawOut by requiring msg.sender to be equal to tx.origin.
- This contract is a governance contract which allows users to propose and vote on changes to the Pix ecosystem.
- Any user can deposit platform tokens in order to create a new poll to be voted on at any time. Once the poll is complete, the user will receive this deposit back.
- Users can stake tokens on the contract, enabling them to be used to vote on different polls. Note that a user can only vote one time on a poll, regardless of the amount.
- The tokens used to vote will be locked from withdraw until the voting period ends.
- In order for a poll to pass, it must reach an owner defined quorum and pass ratio. The voting period must also be over in order to end a poll.
- Once a poll has passed, it can be executed by anyone after a delay period has passed.
- Note that the owner has the ability to change the platform token, owner, quorum, voting period, deposit, delay, and expiration at any time.
- Flip is a simple betting game where the user can bet 10, 100, or 1000 platform tokens at a time.
- The user will pass in their wager, and bet on either 1 or 0. A 1 or 0 will then be generated by the function.
- If the user guessed the correct number, they will receive 1.9x their wager.
- If a user is incorrect, they will receive some compensation based on their bet amount.
- With a loss on a 10 platform token bet, the user will receive a D grade NFT from a random box series.
- With a loss on a 100 or 1000 platform token bet, the user will receive 1 or 10 key tokens (used to draw NFTs through BlindBox), respectively.
- Warning: The number generated by betAndFlip is not truly random. While within the same block, a consistent wager will cause the function to always generate a consistent 1 or 0. This could enable a user to keep winning until the contract's funds are drained.
- We recommend disallowing contracts to interact with betAndFlip by requiring msg.sender to be equal to tx.origin.
- Users can stake the platform token on the Lock contract in order to earn rewards over time.
- For every 1000 platform tokens staked, the user will instantly be rewarded a D grade NFT of a random box series (limited to 20 per transaction).
- Users will be able to withdraw earned rewards, however will not be able to withdraw their staked tokens until the lockperiod during which they staked their tokens is over.
Audit Findings Summary
- This contract is Pix's staking platform, where users can bond different staking tokens in exchange for rewards.
- The owner of the contract can register new tokens available to stake at any time.
- In this contract, a user is able to withdraw their staked tokens at any time.
- Note that when a user withdraws their tokens, they will only receive 50% of their original deposit, while the rest will be deposited into the most current Lock reward pool.
- This contract should not be used with deflationary tokens or ERC-777 tokens. If a deflationary token is added as a staking asset, then the contract must be exempt from transfer fees.
- Both the Flip and BlindBox games can be exploited by attackers.
- Ensure trust in the team as the owner has some control of the ecosystem. The project team intends the Gov contract to have ownership of the other contracts, however this cannot be confirmed until deployment.
- Date: September 1st, 2021.
External Threat Results
|Arbitrary Storage Write||N/A||PASS|
|Delegate Call to Untrusted Contract||N/A||PASS|
|Dependence on Predictable Variables||"Random" numbers generated inside Flip.sol and BlindBox.sol are not truly random and leave the contracts vulnerable to exploitation.||FAIL|
|State Change External Calls||N/A||PASS|
|User Supplied Assertion||N/A||PASS|
|Critical Solidity Compiler||N/A||PASS|
|Overall Contract Safety||FAIL|
Details: Pixar Contract
($) = payable function # = non-constant function Int = Internal Ext = External Pub = Public