Omniscia NFTFY Audit
Wrapper Static Analysis Findings
Wrapper Static Analysis Findings
WRA-01S: Inexistent Input Sanitization
| Type | Severity | Location |
|---|---|---|
| Input Sanitization | Minor | Wrapper.sol:L36-L39 |
Description:
The constructor of the contract does not properly sanitize the input variable _target potentially causing unwanted side effects.
Example:
36constructor (string memory _name, string memory _symbol, IERC721 _target) ERC721(_name, _symbol) public37{38 target = _target;39}Recommendation:
Sanitization should be imposed for the variable by guaranteeing that it is not equal to the zero address to ensure that the contract does not misbehave.
Alleviation:
The Nftfy team responded by stating that they intend to not add this sanitization check to the codebase as the Nftfy.securitize function will fail regardless.
WRA-02S: Unutilized Return Value
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Informational | Wrapper.sol:L60 |
Description:
The linked add invocation on the EnumerableSet.AddressSet returns a bool that represents whether the action was successful, yet here it is unused.
Example:
56function _insert(address _from, uint256 _tokenId, bool _remnant, ERC721Shares _shares) public onlyOwner57{58 require(shares[_tokenId] == ERC721Shares(0));59 shares[_tokenId] = _shares;60 history.add(address(_shares));61 address _holder = _remnant ? _from : address(_shares);62 _safeMint(_holder, _tokenId);63 IERC721Metadata _metadata = IERC721Metadata(address(target));64 string memory _tokenURI = _metadata.safeTokenURI(_tokenId);65 _setTokenURI(_tokenId, _tokenURI);66}Recommendation:
We advise that the return value is utilized via a require check to ensure that the address was properly added to the set.
Alleviation:
An assert statement was introduced instead that validates proper execution of the linked function.