Omniscia NFTFY Audit

ERC Security Audit

We were tasked with auditing the ERC-721 NFT Securitizer codebase of Nftfy that enables users to split their NFTs into a share-based ERC20.

The system is composed of an ERC721 wrapper that is associated one-to-one with an actual ERC721. The creator of the wrapper, which in the Nftfy system is the Nftfy contract, can issue new units of the wrapped ERC721 by locking it within an ERC721Shares contract via the securitize function that the Nftfy contract exposes.

This closed-loop system ensures that the ERC721 is held at all times by the contract containing the underlying shares, while the wrapped NFT can be held either by the share contract or by the issuer of the shares. In either case, the share-based contract can be liquidated by optionally providing a set of shares to burn together with an amount of tokens or ether that complements the total to reach the price at which the NFT shares were minted.

When the wrapped NFT is made transferable by setting the _remnant flag to true, only the owner of the wrapped NFT can liquidate the underlying share-based contract. This allows multiple types of NFT share-based custody to manifest.

During the audit, we filtered and validated a total of 4 findings using static analysis tools and identified a total of 17 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: