Inside the Fix: QuillAudits' Strategy for Securing Virtualness Protocol

QuillAudits conducts a rigorous audit of Virtualness Protocol, identifying and rectifying 40 critical vulnerabilities to enhance the platform's security and efficiency.

vl logo filled

Virtualness, a mobile-first platform, helps creators & brands navigate Web3 by designing, minting, & showcasing digital collectibles while enabling direct community engagement & new monetization channels.

glow
bg

Before QuillAudits

  • MintData reuse risked token data manipulation where sell.order.trader matched mintData.creators[0].account and sell.order.collection.tokenId matched mintData.tokenId, lacking URI and supply validation for unintended substitutions.
  • The royalty fee transfer during lazy minting sometimes failed to send fees to the rightful recipient, as the royalty info was set after the transferFunds() call.
  • Seller orders were vulnerable to manipulation before signing, allowing changes in platform fees or other parameters by malicious signers.
  • The lack of SafeERC usage for critical operations meant tokens could be transferred without proper checks, leading to potential exploits.
  • Address role removal could cause order reverts if the minter role was removed after signing mintData, disrupting lazy minting.

After QuillAudits

  • Enhanced validation ensured sell.order.trader and sell.order.collection.tokenId matched mintData.creators[0].account and mintData.tokenId, rigorously verifying URI and supply to prevent unintended substitutions post-audit.
  • Adjusted the operation sequence to ensure royalty information is set before calling transferFunds(), which ensures the correct transfer of royalty fees
  • Implemented backend checks to calculate platform fees directly within smart contracts, ensuring they cannot be manipulated externally during the signing process of seller orders.
  • Resolved the issue by replacing direct token transfer operations with SafeERC functions like safeTransferFrom(). These functions verify the success of transfers, preventing potential exploits due to insufficient tokens or unauthorized transfers.
  • Addressed this by implementing a verification step in the lazy minting process to ensure that the signer's role is still valid at the time of minting execution. This verification prevents potential order reverts caused by the removal of the minter role after mintData signing.

Virtualness provides a mobile-first platform that empowers creators & brands to create, mint, & showcase digital collectibles like art, videos, music, & tokens. It offers customizable templates, editing tools, & direct community engagement features, bridging Web2 and Web3 for enhanced monetization opportunities.


Virtualness protocol

Virtualness is Redefining Digital Creation & Monetization Onchain

Virtualness is a blockchain platform designed to facilitate creators & brands in navigating & leveraging Web3 technologies. Currently deployed on Polygon, it enables users to create, mint, & showcase various forms of digital collectibles, including art, videos, music, & tokens. The platform offers customizable templates & editing tools to simplify the creation process. Virtualness makes it super easy for direct interaction between creators and their communities through engagement tools like polls & digital goods gifting/selling. It aims to bridge the gap between traditional Web2 platforms & Web3 by providing easy access to blockchain technology for creators, thereby unlocking new avenues for monetization in the digital space.



Addressing Virtualness Protocol’s Security Concerns

Quillaudits thoroughly audited Virtualness Protocol's 16 smart contracts, addressing security concerns such as vulnerability to manipulation and trust issues within its decentralized marketplace for digital goods. The audit involved comprehensive manual code review, functional testing, and automated analysis using tools like QuillShield and Mythril. Critical vulnerabilities, including MintData reuse and royalty fee transfer issues during lazy minting, were identified and remediated through collaboration with Virtualness. This process significantly bolstered the protocol's overall security.


virtualness

Virtualness Protocol’s Journey Through Our Audit Process

  1. Information Gathering
    • Collected and reviewed all relevant documentation, including whitepaper, technical specifications, and design documents.
    • Obtained a clear understanding of the Virtualness platform's functionality and intended user interactions.
    • Discussed client concerns and specific areas of focus for the audit.
  2. Manual Code Review:
    • Conducted a line-by-line review of the smart contract code, focusing on:
      • Vulnerability identification: Searching for known vulnerabilities like reentrancy, front-running, integer overflows, and access control issues, etc.
      • Logic flaws: Identifying inconsistencies or unintended behaviours in the code logic.
      • Solidity best practices: Compliance with secure coding standards and adherence to established guidelines.
  3. Functional Testing:
    • Developed and executed a comprehensive set of test cases covering various user interactions and edge cases.
    • Leveraged tools like Hardhat and Ganache to deploy and test the smart contract locally.
  4. Automated Testing:
    • Employed static analysis tools like QuillShield to identify vulnerabilities through automated code scanning.
    • Utilized symbolic execution tools like Mythril to explore various code execution paths and uncover potential attack vectors.
    • Integrated unit tests are written by the Virtualness team to verify specific contract functions and their behaviour.
  5. Reporting & Remediation:
    • Prepared a detailed report outlining all identified vulnerabilities, categorized by severity and potential impact.
    • Provided clear recommendations for fixing each vulnerability, including code snippets and best practices.
    • Collaborated with the Virtualness Protocol team to prioritize and address the identified issues.
    • Conducted additional verification testing after vulnerability fixes were implemented.

 

QuillAudits' Comprehensive Audit of Virtualness Protocol

Our methodology for Virtualness Smart Contracts combines threat modeling, a security-first mindset, and comprehensive testing, including both white-box and black-box methods. We emphasize transparency and clear communication with the Virtualness team, providing actionable insights and detailed recommendations for swift vulnerability resolution, and ensuring a robust security posture.


Comprehensive Audit Discoveries and Remediation Strategies

Our thorough and extensive audit uncovered **1 critical vulnerability, 5 Medium-severity issues, and 16 Low and 18 informational findings**.

Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:


Audit Discoveries:

Reuse of MintData for Different Orders

  • Discovery: MintData intended for one order could be incorrectly used for another if conditions such as sell.order.trader matching mintData.creators[0].account and sell.order.collection.tokenId matching mintData.tokenId are met. This loophole didn't thoroughly check other details like URI and supply during execution.
  • Impact: This could result in unintended token swaps where the wrong MintData gets applied, causing discrepancies in token characteristics and unexpected transactions.

2. Royalty Fee Transfer Issue during Lazy Minting

  • Discovery: In the fulfillLazyMintOrder function, there was an issue during lazy minting where addresses meant to receive royalty fees weren't always retrieved correctly after transferring funds with transferFunds(). This sometimes led to situations where royalty fees ended up not reaching their intended recipients, often due to incorrect or zero addresses being retrieved after the transfer.
  • Impact: This issue could disrupt how royalty fees are distributed for NFTs minted through lazy minting, which could affect revenue and incentives for users.

3. Seller Order Manipulation Before Signing

  • Discovery: Backend-added platform fees within seller orders were vulnerable to manipulation by malicious signers before the orders were officially signed. This vulnerability allowed unauthorized changes to fee structures and other order details.
  • Impact: It posed risks of financial losses and compromised trust in transactions because unauthorized alterations could skew platform fees and compromise the integrity of the orders.

4. Lack of SafeERC Usage for Critical Operations

  • Discovery: Within functions like transferFunds() and transferERC20(), there were lapses in checking critical details during token transfers. For instance, after executing transferFrom(), the system didn’t consistently verify the boolean status. This oversight could potentially allow malicious buyers to acquire tokens without actually spending any.
  • Impact: It exposed the platform to risks of token loss and exploitation, which could undermine user confidence and overall platform security.

5. Address Role Removal Considerations

  • Discovery: Issues surfaced during lazy minting lazyMint(), where revoked minter roles for those signing MintData could cause transactions to fail. This happened when individuals with revoked roles attempted to execute transactions related to MintData, resulting in transaction reversals.
  • Impact: Such occurrences could disrupt operations and lead to failed transactions during the NFT minting process, especially when the system didn’t handle removed minter roles properly.

 

Remediation Strategies:


  • Reuse of MintData for Different Orders: QuillAudits enhanced the fulfillOrder function with proper validation checks. This ensured that MintData was exclusively used for its intended order, preventing any kind of unauthorized substitutions.
  • Royalty Fee Transfer Issue during Lazy Minting: To resolve this, QuillAudits reorganized operations within fulfillLazyMintOrder. This adjustment ensured that recipient addresses were accurately retrieved before fund transfers, thereby preventing instances where royalty fees didn’t reach their intended recipients.
  • Seller Order Manipulation Before Signing: QuillAudits worked with Virtualness Protocol’s team to refine the signOrder function. By implementing cryptographic validations, they secured platform fees and order parameters post-signing, ensuring they couldn’t be tampered with.
  • Lack of SafeERC Usage for Critical Operations: QuillAudits adopted SafeERC standards across functions like transferFunds() and transferERC20(). This involved implementing robust checks to verify token transfers, thus reducing risks associated with token loss and exploitation.
  • Address Role Removal Considerations: QuillAudits recommended improvements in the logic of the lazyMint() function. This included adding checks to handle scenarios where minter roles were revoked, ensuring that MintData-related transactions continued smoothly without encountering failures due to role removal.

During the audit, several functional tests were conducted to ensure the robustness and correctness of the Virtualness protocol smart contracts.

Here are some of the critical tests performed:

ProtocolV1Core Tests:

  1. Opening and Closing:
    • The owner should be able to open and close the protocol.
  2. Token Exchange:
    • Users should successfully use fulfillOrder for selling and buying already minted tokens.
    • fulfillLazyMintOrder should work for selling and buying through lazy minting.
  3. Order Cancellation:
    • Sellers should be able to cancel their orders.
    • Incrementing the counter to cancel all orders by changing the nonce should function as expected.
  4. Order Validation:
    • Reverting if the buyer tries to buy more than what the seller wants to sell.
    • Handling order expiration time correctly.
    • Reverting if the sell signature is invalid during signer recovery.

ERC721Virtualness Tests:

  1. Minting Tokens:
    • The contract should allow minting of ERC721 tokens.
  2. Delegated Minting:
    • Delegated minting (by adding minter role) should work as intended.
  3. Lazy Minting:
    • Lazy minting of ERC721 tokens should be successful.
  4. Minter Management:
    • The owner should be able to add and remove minters.

ERC1155Virtualness Tests:

  1. Minting Tokens:
    • ERC1155 tokens should be minted correctly.
  2. Delegated Minting:
    • Delegated minting (by adding minter role) for ERC1155 tokens should function properly.
  3. Lazy Minting:
    • Lazy minting of ERC1155 tokens should work as expected.
  4. Supply Constraints:
    • Reverting if an attempt is made to mint more than the defined supply.
  5. Minter Management:
    • The owner should have control over adding and removing minters.

Impressed by our findings and recommendations, the Virtualness Protocol developers promptly addressed all identified vulnerabilities. Through our collaborative efforts, the Virtualness Protocol project is now significantly more secure, ensuring the protection of user funds.


The Virtualness Protocol’s smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the Virtualness Protocol Team has taken a significant step towards securing its platform and safeguarding user trust.

Subscribe to our Newsletter

Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!

Telegram