Cyberscope and Tangible Store Audit - Case Study
About Tangible Store
Tangible Store is a TNFT (Tangible Non-Fungible Token) marketplace. Their mission is to convert real-world assets into NFTs. These NFTs can be redeemed for the physical item at any time.
They aim to connect the cryptocurrency world with physical goods via well-known suppliers. The way the store works is simple: right after a purchase, a Tangible non-fungible token representing the physical item is minted in the issuer’s wallet, and the item itself is delivered to Tangible’s storage facilities.
At any time, the owner of the TNFT decides what happens to the physical item. The possible actions are:
- Redeem it for the physical item
- Transfer it to another wallet
- Sell it on Tangible’s marketplace
Tangible Store also has its own stablecoin, called USDR (Real USD), introduced to cover the ecosystem’s requirements. Real USD is backed by real-world assets, namely the real estate held in the treasury. New Real USD can only be created when money flows in and is converted into real estate; this backing is what is meant to make Real USD a safe store of value.
Cyberscope x Tangible Store
The Tangible Store was introduced to Cyberscope through the Polygon DAO ecosystem. Cyberscope is one of the trusted partners of Polygon, offering its smart contract audit services to Polygon projects and helping them with their cybersecurity needs.
Tangible Store was looking for an audit team experienced in marketplaces and stablecoins, and Polygon DAO introduced them to Cyberscope, which has over 1,000 projects in its portfolio ranging from simple tokens to complex DApps.
Tangible Store Challenges
Tangible Store has an extensive codebase consisting of numerous smart contracts; at the point of contact with Cyberscope it comprised 48 Solidity files.
After the initial introduction, Cyberscope engineers started working closely with Tangible Store from day one. The Cyberscope team’s initial target was to identify how all the entities are connected with each other and to establish the expected business logic of each entity. The auditors went through Tangible Store’s documentation, workflows and graphs, and kept in regular contact with Tangible Store’s engineers.
As mentioned earlier, Tangible Store has introduced its own stablecoin to the marketplace. USDR takes a different approach from an ordinary stablecoin: its reserves should guarantee that the total supply is equal to the value of the underlying assets. For instance, if a real estate asset is worth $500,000, then the corresponding USDR supply should be 500,000 tokens.
This concept presents various challenges that the auditors had to take into consideration, for example how inflation and changes in the assets’ value are reflected in the USDR supply. Cyberscope engineers mapped out all the different use cases and created customized unit tests to make sure the smart contracts cover all the edge cases of the business logic.
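As an added example (not code from the Tangible contracts or from Cyberscope’s audit), the following Python model expresses that 1:1 backing invariant as integer arithmetic, the way a unit test would check it. The decimal choices (18-decimal USD valuations, 9-decimal USDR) and the helper names are assumptions for illustration, not facts about the project. The model also shows why operation order matters when the backing ratio is computed in integers, which is the class of issue the "Divide before Multiply Operation" entry in the diagnostics table refers to.

```python
# Added example: an integer model of the USDR backing invariant described above.
# Illustrative code, not Tangible's contracts or Cyberscope's test suite.
# Assumptions (not facts about the project): asset valuations arrive as USD with
# 18 decimals (oracle style) and USDR uses 9 decimals. All arithmetic uses Python
# integers with floor division to mirror Solidity's uint256 semantics.

USD_DECIMALS = 18   # assumed precision of asset valuations
USDR_DECIMALS = 9   # assumed token decimals
BPS = 10_000        # basis points; 10_000 bps == 100%


def usd(dollars: int) -> int:
    """Constructed sample input: whole dollars expressed at USD_DECIMALS precision."""
    return dollars * 10 ** USD_DECIMALS


def scale(amount: int, from_decimals: int, to_decimals: int) -> int:
    """Rescale an integer amount between decimal bases, truncating like Solidity."""
    if to_decimals >= from_decimals:
        return amount * 10 ** (to_decimals - from_decimals)
    return amount // 10 ** (from_decimals - to_decimals)


def required_supply(asset_values_usd: list) -> int:
    """USDR supply that backs the listed assets 1:1 (one USDR per USD of value)."""
    return scale(sum(asset_values_usd), USD_DECIMALS, USDR_DECIMALS)


def backing_ratio_bps_divide_first(total_assets_usd: int, total_supply: int) -> int:
    """Divide-before-multiply: integer division truncates the ratio to a multiple
    of 100% before the basis-point scaling is applied, so 99% reads as 0."""
    if total_supply == 0:
        return BPS
    assets = scale(total_assets_usd, USD_DECIMALS, USDR_DECIMALS)
    return assets // total_supply * BPS


def backing_ratio_bps(total_assets_usd: int, total_supply: int) -> int:
    """Multiply-before-divide keeps basis-point precision."""
    if total_supply == 0:          # no liabilities: trivially backed, and avoids div-by-zero
        return BPS
    assets = scale(total_assets_usd, USD_DECIMALS, USDR_DECIMALS)
    return assets * BPS // total_supply


def is_fully_backed(total_assets_usd: int, total_supply: int) -> bool:
    """The invariant a unit test asserts after every mint, redemption or revaluation."""
    return backing_ratio_bps(total_assets_usd, total_supply) >= BPS


def supply_delta_to_rebalance(total_assets_usd: int, total_supply: int) -> int:
    """Signed change in supply that restores exact 1:1 backing after a revaluation.
    Positive: new USDR may be minted against appreciation. Negative: the asset side
    fell and supply is over-issued; tokens must be burned or reserves topped up."""
    return scale(total_assets_usd, USD_DECIMALS, USDR_DECIMALS) - total_supply


if __name__ == "__main__":
    supply = required_supply([usd(500_000)])          # one $500,000 property
    print("supply for $500,000 property:", supply)
    # property revalued 1% lower: precise ratio is 9900 bps, divide-first reports 0
    print("ratio (bps):", backing_ratio_bps(usd(495_000), supply),
          "divide-first:", backing_ratio_bps_divide_first(usd(495_000), supply))
    print("mintable after appreciation to $510,000:",
          supply_delta_to_rebalance(usd(510_000), supply))
```

The edge cases worth covering in such tests are the ones the model makes visible: a zero supply (division by zero in Solidity), truncation when scaling down between decimal bases, and a downward revaluation, where the correct response is a burn or reserve top-up rather than a mint.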
Methodology and Approach
As a first step, Cyberscope’s auditors carefully read and reviewed all the documentation provided by the Tangible team. Then the auditors scheduled a review meeting with Tangible’s engineers to make sure they had a thorough understanding of how the ecosystem works.
Next, they created various assisting materials, including graphs, dependency flows and function tables, to visualize and understand how the various smart contracts are connected. Then they proceeded with manual line-by-line code review, starting from the main entities and components. Each auditor assigned to the project produced their own report of findings. These reports were peer-reviewed, and the Cyberscope team combined and correlated each auditor’s findings to produce the final report.
Findings
The initial deliverable was an extensive 70-page report with 20 findings and comments about the micro-architecture. Some of the findings were essential for the Tangible Store team to address for the proper operation of their ecosystem. Each finding also came with suggestions and recommendations about potential solutions. The comments included, but were not limited to:
- Concerns and considerations about the Decentralized Autonomous Organization (DAO) nature of the project.
- Decimal conversion between different tokens.
- Roles access architecture.
You can find the initial full report here.
Contract Diagnostics
| Severity | Code | Title |
| --- | --- | --- |
| Medium | AFI | Affiliate Token Issue |
| Medium | STI | Staking Token Issue |
| Minor/Informative | DMI | Defractionalize Manipulation Issue |
| Minor/Informative | TBI | Token Balance Inconsistency |
| Minor/Informative | PRD | Pair Reserves Diversion |
| Minor/Informative | REE | Redundant Event Emission |
| Minor/Informative | TAZFA | Transferred Amount Zero Fees Assumption |
| Minor/Informative | AIC | Arguments Inconsistency |
| Minor/Informative | ELFM | Exceeds Fees Limit |
| Minor/Informative | DSM | Decimal Scale Missconsern |
| Minor/Informative | PIL | Potential Infinite Loop |
| Minor/Informative | STC | Succeed Transfer Check |
| Minor/Informative | CO | Code Optimization |
| Minor/Informative | L04 | Conformance to Solidity Naming Conventions |
| Minor/Informative | L09 | Dead Code Elimination |
| Minor/Informative | L11 | Unnecessary Boolean equality |
| Minor/Informative | L12 | Using Variables before Declaration |
| Minor/Informative | L13 | Divide before Multiply Operation |
| Minor/Informative | L14 | Uninitialized Variables in Local Scope |
| Minor/Informative | L15 | Local Scope Variable Shadowing |
Revisions
The audit report was just the first step in the audit process of Tangible Store’s smart contracts. The Cyberscope team always works closely with the client to advise them on the findings and on the fixes or improvements they can implement. The Tangible team was quick to act on Cyberscope’s recommendations and either fixed or responded to every initial finding.
Revision in an audit report is the process of reviewing and re-evaluating the audit procedures and findings as necessary in order to reach a final conclusion. This may involve repeating certain procedures and/or gathering additional evidence if the auditor's initial findings are inconclusive or if there are discrepancies that need to be resolved.
You can find the final audit report of Tangible Store in the Cyberscope audits repository. Read the full report here.
A Longterm Collaboration
Tangible Store was impressed by the Cyberscope team’s professionalism, attention to detail and delivery speed, and looks forward to continuing to work with them in the long run. They are a fast-growing organization that keeps implementing new smart contracts and improving its existing infrastructure.
Cyberscope is continuously tracking all the changes made by the team and provides meaningful feedback on how they can keep up with the latest cybersecurity standards.
Final Thoughts
With cryptocurrency scams reaching all-time highs, it is imperative for emerging projects like Tangible Store to select the right cybersecurity partner and audit their smart contracts. Cyberscope’s audit report included essential findings that helped Tangible Store improve the security and business logic of its ecosystem, and that will prove essential to the scalability of the project.
And this is just the beginning. Cyberscope’s relationship with its clients goes beyond the smart contract audits to make sure they have a cybersecurity partner they can trust and rely on.
Both parties will continue to work together in order to secure and improve the Tangible Store’s ecosystem.