Cross-chain protocol providing NFT2.0 features in a few clicks.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
https://github.com/dao-envelop/envelop-protocol-v1/blob/master/contracts/WrapperBaseV1.sol |
Smart Contract | Critical | Bounty |
https://github.com/dao-envelop/envelop-protocol-v1/blob/master/contracts/EnvelopwNFT721.sol |
Smart Contract | Critical | Bounty |
https://github.com/dao-envelop/envelop-protocol-v1/blob/master/contracts/EnvelopwNFT1155.sol |
Smart Contract | Critical | Bounty |
https://github.com/dao-envelop/envelop-protocol-v1/blob/master/contracts/AdvancedWhiteList.sol |
Smart Contract | Critical | Bounty |
General
Documetation - https://docs.envelop.is/tech/smart-contracts/protocol/v1/wrapperv1
Known Issues/Identified Issues:
- There are no more than 25 slots in wNFT
- There is a whitelist of assets that are managed only by the admin.
- Recommendations from the audit - https://github.com/dao-envelop/envelop-protocol-v1/blob/master/audit/20230420_iber_envelop_audit_rev2.pdf
At Envelop, we classify bugs on a widely used scale. For version 1 of the protocol, we identify the following directions of attack:
Critical
- Blocking to user unwrapping of wNFT and getting collateral
- User`s funds losing during wrapping or adding collateral
- Withdrawing tokens of collateral without unwrapping of own or someone else's wNFT
- Withdrawing original NFT without unwrapping of own or someone else's wNFT
- Getting collateral tokens during unwrapping of wNFT more than was added in it
- Increasing amount of collateral tokens in accounting registers of smart contracts
- Decreasing amount of collateral tokens in accounting registers of smart contracts
- Changing owner of smart contracts
- Withdrawing native tokens from smart contracts addresses of protocol
- Withdrawing ERC20 tokens from smart contracts addresses of protocol
- Withdrawing ERC721 or ERC1155 tokens from smart contracts addresses of protocol
High
- Unauthorized Adding address of smart contract in whiteList
- Unauthorized Adding address of smart contract in blackList
Medium
- Unbounded gas consumption
- Increasing of gas consumption with every next operation
- Blocking possibility to wrap NFT
- Blocking possibility to add collateral to wNFT
Low
- Creation of conditions to get-methods return wrong data
IN-SCOPE: SMART CONTRACT VULNERABILITIES
- We are looking for evidence and reasons for incorrect behavior of the smart contract, which could cause unintended functionality:
- Stealing or loss of funds
- Unauthorized transaction
- Transaction manipulation
- Attacks on logic (behavior of the code is different from the business description)
- Reentrancy
- Reordering
- Over and underflows
OUT OF SCOPE: SMART CONTRACT VULNERABILITIES
- Theoretical vulnerabilities without any proof or demonstration
- Old compiler version
- The compiler version is not locked
- Vulnerabilities in imported contracts
- Code style guide violations
- Redundant code
- Gas optimizations
- Best practice issues
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial is allowed for the moment.
- Please do NOT publish/discuss bugs
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must not be a former or current employee of us or one of its contractor.
- ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
- Provide detailed but to-the point reproduction steps
The Envelop protocol allows you to send liquid (can be sold at any time) NFTs with additional features (in this case, setting a lock on the withdrawal of collateral, before the deadline). We would prefer this method of payment.
Level Rewards, wNFT with NIFTSY Tokens Time-lock (Weeks)
- Critical - 1000000 NIFTSY -40
- High - 400000 NIFTSY -20
- Medium - 100000 NIFTSY - 10
- Low - 25000 NIFTSY - 4