<div align="center">

# 🛡️ TRUMARKET Smart Contract Friendly Audit Results

**Document Date**: `12-03-2023`

**Repo**: `https://github.com/CapdeO/TruMarket-BB/tree/main/blockchain`

**Commit Hash**: `0908dd56c1720d5f4989362848fcb81eb8d65cb4`

</div>

> **Risk Assessment**: **MEDIUM**
> **Total Recommendations**: `2`
> **Total Remarks**: `0`
> **Minor Flaws**: `1`
> **Major Flaws**: `2`
> **Critical Flaws**: `0`

---

## Optimizations & Recommendations

### 1. Contracts should have unique names in a project

📍 **Location**: `contracts/NftFactory.sol`

📍 **Location**: `contracts/NFT1155.sol`

📝 **Details**: The contract `Factory` appears twice in the project.

### 2. Contracts and interfaces should have one file each

📍 **Location**: `contracts/NftFactory.sol`, `contracts/NFT1155.sol`

📝 **Details**: Consider separating `IUSDT`, `Factory`, `FinancingContract` and `FinancingContract1155` into separate files. Interfaces and contracts can then be imported, for example, as:

```solidity
import { IUSDT } from './IUSDT.sol';
```

### 3. Test coverage is very low

📝 **Details**: All smart contract functions should have a unit test.

### 4. It is good practice not to store token metadata in smart contract storage

📝 **Details**: Consider storing metadata as JSON on IPFS and using the `IERC1155MetadataURI` extension.

---

## Minor

### 1. Checks-effects-interactions should always be followed, even on access-controlled functions, but especially on public ones

📍 **Location**: `NftFactory.sol:buyFraction`

```solidity
for (uint8 i = 0; i < _amount; i++) {
    _safeMint(msg.sender, _nextTokenId);
    _nextTokenId++;
}
```

https://docs.soliditylang.org/en/v0.8.18/security-considerations.html#re-entrancy

📝 **Details**: The state variable `_nextTokenId` is changed after the external call made by `_safeMint`, which hands control to the receiver before the counter is updated.

---

## Major

### 1. Return values of token transfers should be handled and not ignored

📍 **Location**: `NftFactory.sol:setBuyBack`

📍 **Location**: `NftFactory.sol:withdrawBuyBack`

```solidity
usdt.transfer(...);
```

📝 **Details**: The functions that perform transfers will not revert if the transfer fails, which can be an attack vector.

### 2. `FactoryFunc` function is public

📝 **Details**: Any wallet can create a token by calling the smart contract directly.

## Critical

# 🛡️ TRUMARKET Frontend Comments

**Document Date**: `12-03-2023`

**Repo**: `https://github.com/CapdeO/TruMarket-BB/tree/main/client`

**Commit Hash**: `d2e6e009981ab9a3cbf213f62524e0b2d87b1409`

## Remarks

### 1. Frontend does not detect the chain selected in the wallet

📝 **Details**: There are errors in the console because the hooks query smart contracts that don't exist when the wallet is on a different chain.

### 2. No wallet connection visible on the frontend

### 3. Consider using `wagmi` or `viem` instead of `ethers` directly

📍 **Location**: `client/src/hooks/useBlockchain.js`

📝 **Details**: Wagmi, for example, has hooks that could solve some of the issues currently faced, such as wallet connection and active chain detection.

### 4. `.env` files should never be pushed to a repo, especially a public one

📝 **Details**: The env file is publicly accessible and contains an Alchemy API key.

### 5. Frontend performance will degrade for a large number of NFTs

📝 **Details**: Consider using a subgraph to index the outstanding NFTs to be consumed by the frontend.
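Added example for the smart-contract findings above (Minor 1, checks-effects-interactions in `buyFraction`, and Major 1, unchecked `usdt.transfer` in `setBuyBack`/`withdrawBuyBack`). This is a hypothetical hardened sketch written for this audit write-up, not TruMarket's code; it assumes OpenZeppelin Contracts v5 (`SafeERC20`, `ERC721`, `Ownable` with a constructor argument) and invented function signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical hardened sketch illustrating the two findings; not the audited contract.
contract HardenedFinancing is ERC721, Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable usdt;
    uint256 private _nextTokenId;
    uint256 public buyBackPool;

    constructor(IERC20 usdt_) ERC721("Fraction", "FRAC") Ownable(msg.sender) {
        usdt = usdt_;
    }

    // Minor 1: checks-effects-interactions. The counter is advanced BEFORE
    // _safeMint, because _safeMint calls onERC721Received on contract
    // receivers and therefore hands control to external code.
    function buyFraction(uint8 amount) external {
        for (uint8 i = 0; i < amount; i++) {
            uint256 tokenId = _nextTokenId;
            _nextTokenId++;                 // effect first
            _safeMint(msg.sender, tokenId); // interaction last
        }
    }

    // Major 1: the transfer result is checked. SafeERC20 reverts when the
    // token returns false and also copes with tokens (mainnet USDT among them)
    // that return no value at all, so a failed transfer can never be ignored.
    function setBuyBack(uint256 amount) external onlyOwner {
        buyBackPool += amount;
        usdt.safeTransferFrom(msg.sender, address(this), amount);
    }

    function withdrawBuyBack(uint256 amount) external onlyOwner {
        buyBackPool -= amount; // reverts on underflow in 0.8.x
        usdt.safeTransfer(msg.sender, amount);
    }
}
```

Without `SafeERC20`, the bare-`require` form `require(usdt.transfer(to, amount), "transfer failed");` achieves the same for tokens that do return a bool.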