# Cloud9 Audit Notes

**Auditor:** Jake Bunce

**Client:** Labrys
https://labrys.io/
https://gitlab.com/labrysio/Cloud9

**Commit:** `90080c67`

## Review of the protocol/implementation

**[1] Constructor Could Be Front-Run**

**Severity:** Medium

**Files Affected:** https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol

[initialize()](https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol#L33) accepts arguments pertaining to RBAC roles. At deployment time the contract deployment could be front-run by an attacker who inserts their own address as one of the roles within the deployment.

**Recommendations:** At a minimum, emit an event at deploy time with the addresses and assigned roles. Consider introspecting the contract properties with deployment tooling to verify that the intended addresses/roles are correct.

**[2] mint() does not return a bool**

**Severity:** Medium

**Files Affected:** https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol

[mint()](https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol#L83) is expected to return a bool based on the outcome of the minting operation; however, `status` is never returned to the calling party.

**Recommendations:** Clarify the intention behind this function and return `status` if appropriate.

The same applies to [claimToken](https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol#L101) and [batchSetTokenURI](https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol#L125).

**[3] Ambiguous function**

**Severity:** Medium

**Files Affected:** https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol

[invalidateCloudKey()](https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol#L148) has the same implementation as the preceding function [setTokenURI()](https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol#L138).

**Recommendations:** Clarify the intention behind these functions and, if applicable, remove the duplicate implementation.

**[4] Clone and Own**

**Severity:** Low

**Files Affected:** https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/CloudKey.sol, https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/ContextMixin.sol

The implementation that allows the contract to receive NFTs has been copied and pasted from third-party code.

**Recommendations:** Use a package manager to properly manage third-party code.

**[5] Unneeded SafeMath library**

**Severity:** Low

**Files Affected:** https://gitlab.com/labrysio/Cloud9/-/blob/main/packages/contracts/contracts/implementations/NFTClaimPaymaster.sol

The SafeMath library is not required to protect against arithmetic overflow/underflow in Solidity `>=0.8.0`, since checked arithmetic is built into the compiler.

**[6] Use of Assembly**

Default AL text

## Best practices

**[1] Function Comments**

Functions should be well documented with their intended operations and outcomes.

Consider using [natspec](https://docs.soliditylang.org/en/v0.8.10/natspec-format.html) to sufficiently document the code.
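To illustrate finding [2] above, the following is an added example written for these notes, not code from the Cloud9 repository: a hypothetical minimal minter whose `mintBroken` declares a `bool` return but never returns its local `status`, beside the corrected form. Because Solidity zero-initialises the return slot, the broken variant reports `false` to every caller even though the token was minted, so any caller that checks the result (as `Caller.safeMint` does) will revert on success.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical minimal minter, constructed for illustration only.
contract MintReturnExample {
    mapping(uint256 => address) public ownerOf;
    uint256 public nextId;

    event Minted(address indexed to, uint256 indexed tokenId);

    // Before: declared to return bool, but `status` is a local that never
    // reaches the caller. The unnamed return slot stays at its zero value,
    // so this function always returns false even after a successful mint.
    function mintBroken(address to) external returns (bool) {
        bool status = false;
        uint256 id = nextId++;
        ownerOf[id] = to;
        emit Minted(to, id);
        status = true;
        // missing: return status;
    }

    // After: the result is bound to a named return variable and is
    // therefore returned implicitly when the function exits.
    function mintFixed(address to) external returns (bool status) {
        uint256 id = nextId++;
        ownerOf[id] = to;
        emit Minted(to, id);
        status = true;
    }
}

// A caller that relies on the documented bool. Pointed at mintBroken,
// every successful mint would revert with "mint failed"; pointed at
// mintFixed it behaves as intended. This is the shape of the integration
// test that would have surfaced the missing return statement.
contract Caller {
    function safeMint(MintReturnExample minter, address to) external {
        require(minter.mintFixed(to), "mint failed");
    }
}
```

Compiling with `solc --optimize` does not change the outcome; the missing `return` is a semantic omission, not something the optimiser repairs.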