Faraland certified by CertiK
Faraland passed a comprehensive inspection for the source code conducted by leading auditing firm CertiK. Faraland and smart contracts are claimed to have reached absolute security.
Faraland, a blockchain game in the turn-based strategy and RPG genre whose core product is its NFT heroes, chose to perform its smart contract audit with CertiK, the leading formal verification platform for smart contract and blockchain audits, to ensure that its token is secure against some of the most critical vulnerabilities. With a platform that will be used across the world, Faraland placed an extra emphasis on security, so working with CertiK was essential.

About CertiK: World-Class Auditor

CertiK is a blockchain and smart contract verification platform founded by top formal verification experts from Yale and Columbia University and former senior software engineers from Google and Facebook. Unlike traditional testing approaches, CertiK attempts to mathematically prove that blockchain ecosystems and smart contracts are hacker-resistant and bug-free. CertiK's key features include a layer-based decomposition approach, a pluggable proof engine, machine-checkable proof objects, certified dApp libraries, and smart labeling.

Trusted by the security industry, CertiK has strategic partnerships with the world's top exchanges such as Binance, OKEx, and Huobi, as well as public chains such as NEO, ICON, and QuarkChain. CertiK is incubated and invested in by Binance Labs, along with other leading investors such as DHVC, FBG Capital, Bitmain, and Lightspeed.

To raise its level of security to the highest, Faraland chose a leading auditor like CertiK to ensure that code security is top-notch. The company has now published the official audit report for Faraland.

Auditing Process

The audit was performed by experienced economists, security researchers, and security engineers from CertiK, in collaboration with the Faraland research and development team. CertiK performed a comprehensive assessment of Faraland's smart contracts to check for vulnerabilities.
The auditing process pays special attention to the following considerations:

- Testing the smart contracts against both common and uncommon attack vectors.
- Assessing the codebase to ensure compliance with current best practices and industry standards.
- Ensuring contract logic meets the specifications and intentions of the client.
- Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders.
- Thorough line-by-line manual review of the entire codebase by industry experts.

The Highlights of the Audited Report

CertiK found no critical issues in Faraland. Only one major and some medium issues were found, and the team has already handled all of them by following the CertiK team's advice. This means the security of the Faraland system is at a high level.

For technical details, refer to the full audit report from CertiK in our GitHub repository: https://github.com/faraland/audit-reports/blob/master/Report_Faraland_Security_Analysis_By_Certik.pdf

For technical details about the issues and how we handled them, see below.

ECK-01 | Incorrect Fee
Severity: Medium
Description: rollEquipmentGacha() will mint random equipment. However, it charges upgradeFeeInToken rather than mintFeeInToken.
Recommendation: double-check the fee mechanism to make sure the fee-charging is reasonable.

ECK-02 | Potential Over Mint
Severity: Medium
Description: It is dangerous to change balances without checking item.maxSupply and item.minted. Suppose an item has the properties maxSupply=10 and minted=9. The operator then calls mint(account, id, 1), which updates item.minted=10. Users can still call upgradeItem() to burn the last tier of this item and mint this item, which causes minted > maxSupply.
Recommendation: check item.maxSupply and item.minted before updating balances and _item.minted.
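The ECK-02 finding above is about a supply check that exists on one mint path (the operator's mint) but not on another (upgradeItem). The following Solidity contract is an added illustration, not Faraland's code or anything from the CertiK report: every function that creates a unit of an item goes through one internal helper that checks item.maxSupply against item.minted before any balance is written, so an upgrade cannot push minted past maxSupply. The item layout, the "next tier is id + 1" convention and the operator role are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Faraland's contract). Demonstrates the fix for the
// ECK-02 pattern: a single checked mint path shared by the operator mint
// and the tier upgrade, so maxSupply is enforced everywhere.
contract ItemSupplyExample {
    struct Item {
        uint256 maxSupply; // 0 means unlimited (assumed convention)
        uint256 minted;    // units created so far on every mint path
    }

    mapping(uint256 => Item) private _items;
    // itemId => holder => balance
    mapping(uint256 => mapping(address => uint256)) public balanceOf;
    address public operator;

    constructor() {
        operator = msg.sender;
    }

    function createItem(uint256 id, uint256 maxSupply) external {
        require(msg.sender == operator, "not operator");
        _items[id] = Item({maxSupply: maxSupply, minted: 0});
    }

    // The only place that increments item.minted or credits a balance.
    // The supply check happens before either state variable is touched.
    function _mintChecked(address to, uint256 id, uint256 amount) internal {
        Item storage item = _items[id];
        require(
            item.maxSupply == 0 || item.minted + amount <= item.maxSupply,
            "exceeds maxSupply"
        );
        item.minted += amount;
        balanceOf[id][to] += amount;
    }

    // Operator mint, as in the report's scenario: mint(account, id, 1).
    function mint(address to, uint256 id, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        _mintChecked(to, id, amount);
    }

    // Burns one unit of `id` held by the caller and mints one unit of the
    // next tier. Assumed convention for the example: next tier is id + 1.
    // Because it routes through _mintChecked, an item with
    // maxSupply = 10 and minted = 10 can no longer be minted this way.
    function upgradeItem(uint256 id) external {
        require(balanceOf[id][msg.sender] >= 1, "nothing to burn");
        balanceOf[id][msg.sender] -= 1;
        _mintChecked(msg.sender, id + 1, 1);
    }

    function itemOf(uint256 id)
        external
        view
        returns (uint256 maxSupply, uint256 minted)
    {
        Item storage item = _items[id];
        return (item.maxSupply, item.minted);
    }
}
```

Replaying the report's scenario against this contract: after createItem(id, 10), nine operator mints and one more mint(account, id, 1), minted reaches 10; a subsequent upgradeItem(id - 1) that would mint a unit of `id` reverts with "exceeds maxSupply" instead of writing minted = 11.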
MKC-02 | Lack of Reentrancy Check
Severity: Major
Description: Calling MoonKnight.buy(), MoonKnight.sacrificeKnight(), MoonKnight.cancelOffer() and MoonKnight.takeOffer() might trigger address.call(), which is implemented by a third party. If there are vulnerable external calls in the third party, reentrancy attacks could be conducted, because these four functions perform state updates and emit events after the external calls. The scope of the audit treats the third-party implementation as a black box and assumes its functional correctness; however, third parties may be compromised in the real world, leading to assets being lost or stolen.
Recommendation: apply the OpenZeppelin ReentrancyGuard library's nonReentrant modifier to the aforementioned functions to prevent reentrancy attacks.

Why the Audit Matters

The CertiK audit helps raise the security of Faraland's smart contracts to an international standard. The aim of MoonKnight Labs is to make Faraland the biggest war game on blockchain, specifically on Binance Smart Chain. We also want to assure our users that they can use Faraland with confidence, and we always aim to keep Faraland at the best security level.
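To make the MKC-02 finding and its recommendation concrete, here is an added Solidity example that is not Faraland's MoonKnight contract. It models an offer-taking function that pays a seller through address.call(), first in the shape the report flags (offer state and event written after the external call), then hardened with a nonReentrant modifier and the checks-effects-interactions order. The guard is inlined with the same semantics as OpenZeppelin's ReentrancyGuard so the file compiles with no dependencies; in a real project you would import the library instead. The OfferMarket contract, its storage layout and the knight ownership model are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Faraland's code). Minimal guard with the same
// semantics as OpenZeppelin's ReentrancyGuard, inlined so this file is
// self-contained; use the library itself in production.
abstract contract ReentrancyGuard {
    uint256 private constant _NOT_ENTERED = 1;
    uint256 private constant _ENTERED = 2;
    uint256 private _status = _NOT_ENTERED;

    modifier nonReentrant() {
        require(_status != _ENTERED, "ReentrancyGuard: reentrant call");
        _status = _ENTERED;
        _;
        _status = _NOT_ENTERED;
    }
}

// Hypothetical marketplace for the example; mirrors the shape of an
// "offer" flow where the seller is paid via address.call().
contract OfferMarket is ReentrancyGuard {
    struct Offer {
        address seller;
        uint256 price;
        bool active;
    }

    mapping(uint256 => Offer) public offers;    // knightId => offer
    mapping(uint256 => address) public ownerOf; // knightId => owner

    event OfferTaken(uint256 indexed knightId, address buyer, uint256 price);

    // Toy minting so the example can be exercised end to end.
    function mintKnight(uint256 knightId) external {
        require(ownerOf[knightId] == address(0), "exists");
        ownerOf[knightId] = msg.sender;
    }

    function makeOffer(uint256 knightId, uint256 price) external {
        require(ownerOf[knightId] == msg.sender, "not owner");
        offers[knightId] = Offer(msg.sender, price, true);
    }

    // Flagged shape (MKC-02): the seller, an arbitrary third-party address
    // that may be a contract, is called BEFORE the offer is closed and
    // ownership moved. Any code that runs inside that call observes stale
    // state: the offer is still active and the knight still belongs to the
    // seller, and the event has not been emitted yet.
    function takeOfferUnsafe(uint256 knightId) external payable {
        Offer memory offer = offers[knightId];
        require(offer.active && msg.value == offer.price, "bad offer");
        (bool ok, ) = offer.seller.call{value: msg.value}("");
        require(ok, "payment failed");
        offers[knightId].active = false; // effects after interaction
        ownerOf[knightId] = msg.sender;
        emit OfferTaken(knightId, msg.sender, offer.price);
    }

    // Hardened: nonReentrant rejects any re-entry into this contract while
    // the call is in progress, and checks-effects-interactions ordering
    // means the offer is already closed before the external call is made,
    // so even a nested call would see consistent state.
    function takeOffer(uint256 knightId) external payable nonReentrant {
        Offer memory offer = offers[knightId];
        require(offer.active && msg.value == offer.price, "bad offer"); // checks
        offers[knightId].active = false;                                // effects
        ownerOf[knightId] = msg.sender;
        emit OfferTaken(knightId, msg.sender, offer.price);
        (bool ok, ) = offer.seller.call{value: msg.value}("");         // interaction
        require(ok, "payment failed");
    }
}
```

The two defenses are independent and worth applying together, as the report's recommendation of nonReentrant on all four functions suggests: the modifier protects every guarded entry point even when an external call cannot be moved to the end, while the ordering keeps the state consistent for observers that are not re-entering the same contract at all (for example, a seller contract that reads ownerOf during the payment call).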