
Cyberscope and Tangible Store Audit - Case Study

Cyberscope Team
January 04, 2023

About Tangible Store

Tangible Store is a TNFT (Tangible Non-Fungible Token) marketplace. Their mission is to convert real-world assets into NFTs. These NFTs can be redeemed for the physical item at any time.

They aim to connect the cryptocurrency world with physical goods via well-known suppliers. The way the store works is quite simple. Right after the purchase, a Tangible non-fungible token is minted in the issuer’s wallet. This TNFT represents the corresponding physical item. The item is then delivered to Tangible’s storage facilities.

At any time, the owner of the TNFT can process the physical item. The possible actions are:

  • Redeem it for the physical item
  • Transfer it to another wallet
  • Sell it on Tangible’s marketplace

Tangible Store also has its own stablecoin, called USDR. It was introduced to cover the ecosystem's requirements. Real USD is backed by real-world assets, the real estate in the treasury. New Real USD can only be created when money flows in and is converted into real estate. This makes Real USD a safe store of value.

Cyberscope x Tangible Store

The Tangible Store was introduced to Cyberscope through the Polygon DAO ecosystem. Cyberscope is one of the trusted partners of Polygon, offering its smart contract audit services to Polygon projects and helping them with their cybersecurity needs.

The Tangible Store was looking for an audit team experienced in marketplaces and stablecoins, and Polygon DAO introduced them to Cyberscope, which has over 1,000 projects in its portfolio, ranging from simple tokens to complex Dapps.

Cyberscope Polygon Dao Village Program

Tangible Store Challenges

Tangible Store has an extensive codebase that consists of numerous smart contracts. At the point of contact with Cyberscope, the codebase had 48 Solidity files.

After the initial introduction, Cyberscope engineers started working closely with Tangible Store from day one. The Cyberscope team's initial target was to identify how all the entities are connected with each other and investigate the expected business logic for each entity. The auditors went through the documentation of Tangible Store, workflows, and graphs and kept regular contact with Tangible Store’s engineers.

As mentioned earlier, the Tangible Store has introduced its own stablecoin to the marketplace. USDR takes a different approach from an ordinary stablecoin: the total supply should be guaranteed to equal the value of the underlying items. For instance, if a real estate asset is worth $500,000, then the corresponding USDR supply should be 500,000 tokens.

This concept presents various challenges that the auditors need to take into consideration. One example is how inflation and the assets’ worth will be reflected in the USDR supply. Cyberscope engineers mapped out all the different use cases and created customized unit tests to make sure the smart contracts cover all the edge cases of the business logic.

Methodology and Approach

As a first step, Cyberscope’s auditors carefully read and reviewed all the documentation provided by the Tangible team. Then the auditors scheduled a review meeting with Tangible’s engineers to make sure they had a thorough understanding of how their ecosystem works.

Subsequently, they created various supporting materials, including graphs, dependency flows, and function tables, to visualize and understand how the various smart contracts are connected. Then, they proceeded with manual line-by-line code checks, starting from the main entities and components. Each auditor assigned to the project created their own audit report with findings. The reports were peer-reviewed, and the Cyberscope team combined and correlated each auditor’s findings to produce the final report.

Cyberscope Tangible Store Audit Methodology

Findings

The initial audit report was an extensive 70-page document with 20 findings and comments about the micro-architecture. Some of the findings were essential for the Tangible Store team to consider for the proper operation of their ecosystem. Each finding also provided suggestions and recommendations about potential solutions. The comments included but were not limited to:

  1. Concerns and considerations about the Decentralized Autonomous Organization (DAO) nature of the project.
  2. Decimal conversion between different tokens.
  3. Roles access architecture.

You can find the initial full report here: https://github.com/cyberscope-io/audits/blob/main/TNGBL/v1/usdr.pdf

Cyberscope Tangible Store Findings Analysis

Contract Diagnostics

Severity            Code    Title
Medium              AFI     Affiliate Token Issue
Medium              STI     Staking Token Issue
Minor/Informative   DMI     Defractionalize Manipulation Issue
Minor/Informative   TBI     Token Balance Inconsistency
Minor/Informative   PRD     Pair Reserves Diversion
Minor/Informative   REE     Redundant Event Emission
Minor/Informative   TAZFA   Transferred Amount Zero Fees Assumption
Minor/Informative   AIC     Arguments Inconsistency
Minor/Informative   ELFM    Exceeds Fees Limit
Minor/Informative   DSM     Decimal Scale Missconsern
Minor/Informative   PIL     Potential Infinite Loop
Minor/Informative   STC     Succeed Transfer Check
Minor/Informative   CO      Code Optimization
Minor/Informative   L04     Conformance to Solidity Naming Conventions
Minor/Informative   L09     Dead Code Elimination
Minor/Informative   L11     Unnecessary Boolean equality
Minor/Informative   L12     Using Variables before Declaration
Minor/Informative   L13     Divide before Multiply Operation
Minor/Informative   L14     Uninitialized Variables in Local Scope
Minor/Informative   L15     Local Scope Variable Shadowing

Revisions

The audit report was just the first step in the audit process of Tangible Store’s smart contracts. The Cyberscope team always works closely with the client to advise them on the findings and on potential fixes or improvements they can implement. The Tangible team was quick to take action on Cyberscope’s recommendations, and they either fixed or replied to all the initial findings.

Revision in an audit report is the process of reviewing and re-evaluating the audit procedures and findings as necessary in order to reach a final conclusion. This may involve repeating certain procedures and/or gathering additional evidence if the auditor's initial findings are inconclusive or if there are discrepancies that need to be resolved.

You can find the final audit report of Tangible Store in the Cyberscope audits repository: https://github.com/cyberscope-io/audits/blob/main/TNGBL/usdr.pdf

A Long-Term Collaboration

The Tangible Store was impressed by the Cyberscope team’s professionalism, attention to detail, and delivery speed, and is looking forward to continuing to work with them in the long run. They are a fast-growing organization that keeps implementing new smart contracts and improving its current infrastructure.

Cyberscope is continuously tracking all the changes made by the team and provides meaningful feedback on how they can keep up with the latest cybersecurity standards.

Final Thoughts

With cryptocurrency scams reaching all-time highs, it is imperative for emerging projects like the Tangible Store to make sure they select the right cybersecurity partner and audit their smart contracts. The Cyberscope team’s audit report included essential findings that helped Tangible Store’s ecosystem improve its security and business logic, and that will prove essential to the scalability of the project.

And this is just the beginning. Cyberscope’s relationship with its clients goes beyond the smart contract audits to make sure they have a cybersecurity partner they can trust and rely on.

Both parties will continue to work together in order to secure and improve the Tangible Store’s ecosystem.
