Omniscia Tangible Audit
Manual Review
Manual Review
A thorough line-by-line review was conducted on the codebase to identify potential malfunctions and vulnerabilities in Tangible's NFT V2 system.
As the project at hand implements multiple asset-managing modules within the Tangible NFT system, intricate care was put into ensuring that the flow of funds & assets within the system conforms to the specifications and restrictions laid forth within the protocol's specification.
We validated that all state transitions of the system occur within sane criteria and that all rudimentary formulas within the system execute as expected. We pinpointed a significant price-related flaw within the system's marketplace module which could have had severe ramifications to its overall operation; we strongly advise the Tangible team to promptly evaluate and remediate this exhibit.
Additionally, the system was investigated for any other commonly present attack vectors such as re-entrancy attacks, mathematical truncations, logical flaws and ERC / EIP standard inconsistencies. The documentation of the project was satisfactory to a certain extent, however, we strongly recommend it to be expanded at certain complex points such as the "hidden" cross-contract interaction flow described in the audit's summary.
A total of 77 findings were identified over the course of the manual review of which 29 findings concerned the behaviour and security of the system. The non-security related findings, such as optimizations, are included in the separate Code Style chapter.
The finding table below enumerates all these security / behavioural findings:
| ID | Severity | Addressed | Title |
|---|---|---|---|
| CFV-01M |  |  | ISO 3166-1 Numeric-3 Standard Incompatibility |
| CFV-02M | | | Inexistent Enforcement of Registration |
| EEG-01M |  |  | Incorrect Output Amount Measurement |
| EEG-02M | | | Inexistent Sanitization of Trade Routes |
| FV2-01M | | | Incorrect Adjustment of Tangible Labs Address |
| FV2-02M | |  | Incorrect Price Assumption |
| FV2-03M | | | Inexistent Prevention of Default Payment Token Configuration |
| FV2-04M | | | Incorrect Decimal Division |
| FV2-05M | | | Inexistent Validation of Seize Expiry Duration |
| FV2-06M | | | Insufficient Validation of Seizure Validity |
| GOT-01M | | | Improper Integration of Chainlink Oracles |
| MV2-01M | | | Inexistent Restriction of Storage Payment Amount |
| MV2-02M | | | Insecure Validation of Tangible NFT Existence |
| MV2-03M |  | | Inexistent Validation of Lot Token & Price |
| ROV-01M |  | | Inexistent Normalization of Price |
| ROV-02M | | | Improper Integration of Chainlink Oracles |
| RMR-01M | | | Incorrect Maintenance of Claimed Amount Total |
| RMR-02M | | | Inexistent Deletion of Deposit Time |
| SFD-01M |  | | Inexistent Protection of Fee Distribution |
| SFD-02M | | | Inexistent Tangible Token Burn Workflow (Satellite Chain) |
| SFD-03M | | | Insecure On-Chain Trades |
| TNF-01M | | | Inexistent Usage of Function |
| TNF-02M | | | Incorrect Index Entry |
| TNF-03M | | | Inexistent Prevention of Duplicate Entries |
| TND-01M | | | Inexistent Prevention of Symbol Overwrite |
| TNT-01M | | | Incorrect Restriction of Feature Removal |
| TNT-02M | | | Unsafe Adjustment of Storage Decimals |
| TRH-01M | | | Potentially Inexposed Function Integration |
| UUO-01M | | | Mismatch of Function Specification |