NFTLootBox_audit_report.md

Summary

This is the report from a security audit performed on NFTLootBox by MrCrambo.

The audit focused primarily on the security of NFTLootBox smart contracts.

In scope

1. https://github.com/NFTLootBox/contracts/blob/master/contracts/NFTLootbox.sol
2. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/Context.sol
3. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/SafeMath.sol
4. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/Ownable.sol
5. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/IERC20.sol
6. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/IERC1155.sol
7. https://github.com/NFTLootBox/contracts/blob/master/contracts/lib/ReentrancyGuard.sol

Findings

In total, 1 issue were reported including:

• 0 high severity issues.

• 0 medium severity issues.

• 2 low severity issues.

• 0 owner privilegies issues.

Security issues

1. Zero address checking

Severity: low severity

Description

There is no zero address checking in functions: redeemBulk, setTransferAddress, setAuthAddress, updateLootbox

Recommendation

Add zero address cehcking:

require( _to != address(0) );

2. ERC20 interface extra methods

Severity: low severity

Description

ERC20 standard does not have mint and burn function in standard description. In IERC20 interface there exist these methods. And should have name(), decimals() and symbol() methods.

Conclusion

Smart contract contains only low severity issue.