Plots

Smart Contract Audit Report

Executive Summary

This report presents the outcomes of our collaborative engagement with the Plots Finance team, focusing on the comprehensive evaluation of the PlotsCore, PlotsTreasury, and PlotsLend contracts.

Plots Finance is building a decentralized platform for borrowing and lending NFTs. Users can list their NFTs for others to borrow, while the platform's native VLND token is used for tokenization, backed by the Treasury's value.

Our team conducted an initial security assessment from September 9th to September 13th, 2024. On September 16th, 2024, our team amended this report to reflect updates made to the PlotsCore contract by the project team that resolves all findings.

Audit Scope

Name	Source Code	Visualized
PlotsCore	`0da5412`	Inheritance Chart. Function Graph.

Name/Source Code	Visualized
PlotsCore `0da5412`	Inheritance Chart. Function Graph.

Audit Findings

All findings have been resolved. In addition, minimal centralized aspects are present.

Finding #1	PlotsCore	LowResolved
Finding #1 - PlotsCore LowResolved
Description: The condition `msg.sender == Treasury` in the require statement within the CloseLoan() function is intended to verify if the caller is the Treasury contract. However, the Treasury contract currently lacks any logic that would invoke the CloseLoan() function. `require( AllLoans[AllLoansIndex[Collection][ID]].Borrower == msg.sender \|\| Admins[msg.sender] \|\| AllLoans[AllLoansIndex[Collection][ID]].Lender == msg.sender && UsageExpirationUnix[Collection][ID] < block.timestamp \|\| msg.sender == Treasury, "Invalid loan" );` Risk/Impact: The Treasury contract is unable to call the CloseLoan() function, which could prevent it from closing loans if that functionality was intended by the team. Recommendation: The above condition should either be removed or the team should modify the Treasury contract to include logic for calling the CloseLoan() function, depending on the intended design. Resolution: The team has removed the `msg.sender == Treasury` condition.
Finding #2	PlotsCore	InformationalResolved
Finding #2 - PlotsCore InformationalResolved
Description: The Treasury address is added as an Admin in the constructor, but since the Treasury address has not been set yet, the zero address (0x00) is added instead. As a result, the Treasury address is not granted Admin privileges as may have been intended by the team. Recommendation: The team should either remove this logic or set the Treasury address in the constructor or at the time of declaration to properly grant Admin privileges to the Treasury. Resolution: The team has removed the corresponding logic from the constructor.
Finding #3	PlotsCore	InformationalResolved
Finding #3 - PlotsCore InformationalResolved
Description: The ModifyCollection() function allows the team to add or remove collections from the `ListedCollections` array. However, it lacks checks for duplicate additions and attempts to remove non-existent collections. If a non-existent collection is removed, a listed collection will be inadvertently removed. Recommendation: The following logic could be added to the ModifyCollection() function to avoid adding duplicate addresses or removing addresses that are not currently listed. `function ModifyCollection(address _collection, bool addRemove) public OnlyAdmin { if (addRemove) { require(!ListedCollectionsMap[_collection], "Collection already listed"); ... else { require(ListedCollectionsMap[_collection], "Collection not listed");` Resolution: The team has implemented the above recommendation.
Finding #4	PlotsCore	InformationalResolved
Finding #4 - PlotsCore InformationalResolved
Description: The BorrowToken() function declares the local variable `TokenOwner`, but instead of using it, the function references `ListingsByCollection[Collection][TokenIndex].Lister`, which could be simplified by using `TokenOwner`. Recommendation: To optimize gas usage, the logic in the BorrowToken() function could reference `TokenOwner` instead of `ListingsByCollection[Collection][TokenIndex].Lister` for more efficient calls. Resolution: The team has implemented the above recommendation.
Finding #5	PlotsCore	InformationalResolved
Finding #5 - PlotsCore InformationalResolved
Description: The `FeeReceiver` address is not used in the contract. Recommendation: The `FeeReceiver` address and ChangeFeeReceiver() function could either be removed to reduce contract size and deployment costs or utilized in a way that fits the project team's intended functionality. Resolution: The team has stated the `FeeReceiver` address is meant to provide transparency, allowing users to see where rewards are being allocated. Although it’s not directly used in the contract, it is utilized by the backend rewards system.

System Overview

Configuration

The PlotsCore deployer will specify a list of addresses that will be granted Admin privileges. Any Admin address can add/remove any user's Admin privileges at any time. The Admin can permanently set the Treasury address and Lend address referenced in the contract one time.

Modify Collection

Any Admin address can specify an NFT Collection address to add to the platform or remove from the platform at any time.

Set Collection ETH Value

Any Admin address can specify a list of NFT collections and corresponding ETH values that will be linked together in the Treasury. Each collection address must have been previously listed in the PlotsCore contract.

NFT Deposits

Any user can initiate a deposit in the PlotsLend contract by specifying a Collection address that has been added to the platform and any of their owned NFT ID's from the collection. The specified NFT is transferred from the caller to the PlotsLend contract. The listing is added on behalf of the collection address and caller's address in the PlotsCore contract. Users may elect to initiate multiple deposits in a single transaction.

Any Admin address can initiate a deposit via the Treasury by specifying a Collection address that has been added to the platform and any of their owned NFT ID's from the collection. The specified NFT is transferred from the caller to the PlotsLend contract. The listing is added on behalf of both the collection address and the Treasury address in the PlotsCore contract. Admins may elect to initiate multiple deposits in a single transaction.

NFT Borrowing

Any user can initiate the borrowing process by specifying a Collection address that has been listed, NFT ID, and a loan duration of either three or six months. The caller must not currently have an active loan associated with their address.

The loan is added to the list of active loans and the listing is removed from the platform. If the lender is the Treasury, the NFT is delegated to the borrower via the Treasury contract. If the lender is a different user (not the Treasury) the NFT is delegated to the borrower via the PlotsLend contract. The Delegation contracts are out of scope for this audit so our team is unable to provide an assessment with regard to their security.

Close Loan

Users can close an active loan for a specified NFT collection address and NFT ID. The caller must either be the borrower, the lender, an Admin, or the Treasury. If the caller is the lender, the loan must have expired before they can close it. The borrower, an Admin, or the Treasury can close a loan even if the loan has not expired. Upon closing the loan, the corresponding delegations are revoked via the Delegation contracts, and the NFT is either returned to its original owner or re-listed if the Treasury is involved. The system updates the loan records, marks the loan as closed, and removes the borrower’s active status.

NFT Withdrawals

Any user can initiate a withdrawal in the PlotsLend contract by specifying a Collection address and NFT ID they have previously deposited. If the NFT is currently listed in the Core contract, it is automatically delisted. The specified NFT is transferred from PlotsLend contract to the caller. Users may elect to initiate multiple withdrawals in a single transaction.

Any Admin address can initiate a withdrawal in the Treasury by specifying a Collection address and NFT ID that currently belongs to the Treasury. The specified NFT is transferred from the Treasury to the caller. The NFT is automatically delisted in the PlotsCore contract. Admins may elect to initiate multiple withdrawals in a single transaction.

Terminate Borrowers

Any Admin address can terminate active loans for multiple NFTs across different collections in a single transaction. Admins specify a list of Collection addresses and corresponding NFT IDs. The system automatically closes all active loans associated with the specified NFTs, and the borrowers may be optionally blacklisted, permanently preventing them from initiating any borrowing process in the future.

VLND Purchases

Any user can initiate a purchase of VLND tokens by providing an amount of ETH and a minimum amount of tokens that must be received for the transaction to successfully occur. The number of VLND tokens minted to the user is based on the amount of provided ETH and the current calculated price per token. This value must exceed the minimum amount specified by the caller.

VLND Sells

Any user can sell a specified amount of VLND tokens for ETH at any time. The tokens are first transferred from the caller to the contract, where they are subsequently burned. The caller can also specify a minimum amount of ETH that must be received for the transaction to successfully occur. The contract’s ETH balance must remain above 5% of the total Treasury value after the transaction occurs. The calculated ETH amount is transferred from the contract to the caller.

Remaining Admin Controls

Any Admin address can transfer all of the ETH or tokens from the Treasury contract to any recipient address at any time. Any Admin address can pause or unpause purchases and sells of the VLND token at any time. Any Admin address can set the VLND address referenced in the contract to any address at any time.

Vulnerability Analysis

Vulnerability Category	Notes	Result
Arbitrary Jump/Storage Write	N/A	PASS
Centralization of Control	The project team has control over the Admin-restricted functionality described above.	PASS
Compiler Issues	N/A	PASS
Delegate Call to Untrusted Contract	N/A	PASS
Dependence on Predictable Variables	N/A	PASS
Ether/Token Theft	N/A	PASS
Flash Loans	N/A	PASS
Front Running	N/A	PASS
Improper Events	N/A	PASS
Improper Authorization Scheme	N/A	PASS
Integer Over/Underflow	N/A	PASS
Logical Issues	N/A	PASS
Oracle Issues	N/A	PASS
Outdated Compiler Version	N/A	PASS
Race Conditions	N/A	PASS
Reentrancy	N/A	PASS
Signature Issues	N/A	PASS
Sybil Attack	N/A	PASS
Unbounded Loops	N/A	PASS
Unused Code	N/A	PASS
Overall Contract Safety		PASS

About SourceHat

SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.

Go Home