Omniscia Nevermined Audit

Data Marketplace Security Audit

We were tasked with auditing the codebase of Nevermined and in particular their core provenance-aware NFT implementation.

The system implements a decentralized identifier system which can be associated with a particular NFT and whose provenance is handled by a W3C compatible sub-system.

Over the course of the audit we were able to pinpoint several Solidity-specific issues ranging from mathematical overflows to hash colissions which we strongly urge the nevermined team to remediate as soon as possible.

Files in Scope	Repository	Commit(s)
AccessCondition.sol (ACN)	contracts	eb43dc4f43, 7c9ff50ff1
DIDFactory.sol (DID)	contracts	eb43dc4f43, 7c9ff50ff1
DIDRegistry.sol (DIR)	contracts	eb43dc4f43, 7c9ff50ff1
DIDRegistryLibrary.sol (DIL)	contracts	eb43dc4f43, 7c9ff50ff1
EscrowPaymentCondition.sol (EPC)	contracts	eb43dc4f43, 7c9ff50ff1
LockPaymentCondition.sol (LPC)	contracts	eb43dc4f43, 7c9ff50ff1
NFTUpgradeable.sol (NFT)	contracts	eb43dc4f43, 7c9ff50ff1
NFTLockCondition.sol (NFL)	contracts	eb43dc4f43, 7c9ff50ff1
NFTAccessCondition.sol (NFA)	contracts	eb43dc4f43, 7c9ff50ff1
NFTHolderCondition.sol (NFH)	contracts	eb43dc4f43, 7c9ff50ff1
TransferNFTCondition.sol (TNF)	contracts	eb43dc4f43, 7c9ff50ff1

During the audit, we filtered and validated a total of 2 findings utilizing static analysis tools as well as identified a total of 16 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report:

Data Marketplace Security Audit

Compilation