NSUR Blog


Our Response To CertiK’s Audit and Our Move Forward


In 2021, NSUR Coin’s security contract was audited by CertiK. With CertiK recently publishing the addendum to our audit, we have decided to share our thoughts about the final outcome of CertiK’s audit to maintain complete transparency with our community.

We are happy that the CertiK team has taken the time to join forces with us and help stop scams through an auditing protocol. Our two companies share a common goal of applying blockchain technology to real-world problems, so there is little wonder why this collaboration makes so much sense. Through the output of this partnership, we hope that new community members can take confidence in NSUR Coin being a legitimate project.

In CertiK’s recently published addendum report, only five items were highlighted that NSUR Coin token holders should be aware of. We outline our response to each of these items below.

Finding 1: Centralization Risk in NSUR.sol

CertiK states that a compromise of the privileged account holding the _owner role could allow an attacker to manipulate significant state of the project.

NSUR will be taking CertiK’s advice to carefully manage the privileged account’s private key to avoid any potential risks of being hacked. 

Here are some activities we have taken or are in the process of taking to mitigate the potential risk and enhance security: 

  • Use of multisignature wallets
  • Internal approval (2/3rds must be in agreement) for actions to be taken on multisignature wallets

Finding 2: Potential Flashloan Attack

CertiK finds that the current contract relies on on-chain price calculations, which makes it susceptible to flash-loan attacks: an attacker could manipulate the price of the given pairs to their own benefit within a single transaction.

NSUR acknowledges CertiK’s finding, but finds that manipulating the token prices will not benefit an attacker in any way. There are no gains or incentives for this to be exploited. Therefore, NSUR will leave the code as-is.

Finding 3: Potential Sandwich Attack

CertiK suggests that a sandwich attack can happen when an attacker observes a transaction that swaps tokens or adds liquidity without setting a slippage restriction or a minimum output amount. The attacker manipulates the exchange rate by front-running the targeted transaction with a purchase of one of the assets, and then profits by back-running it with a sale of that asset.

NSUR acknowledges CertiK’s finding but will leave the code as-is, as this would require the contract to be redeployed.
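To illustrate Findings 2 and 3 together, here is an added example (not code from the NSUR contract or from CertiK’s report) of a constant-product pool (x * y = k, 0.3% fee, Uniswap-v2-style math): a spot price derived from reserves moves as soon as someone trades against the pool, and a minimum-output bound is what makes a swap revert instead of filling at the moved price. All reserves, amounts and names are constructed for illustration.

```python
# Added example (not code from the NSUR contract or the CertiK report): a
# constant-product pool used to show why a swap must carry a minimum-output
# bound. All amounts are constructed.
from typing import Optional

FEE_NUM, FEE_DEN = 997, 1000  # 0.3% swap fee


class Pool:
    """Two-asset pool; reserves are integers, as on-chain balances are."""

    def __init__(self, reserve_a: int, reserve_b: int) -> None:
        self.a, self.b = reserve_a, reserve_b

    def quote_b_for_a(self, amount_a: int) -> int:
        """Output of B for amount_a of A at the current reserves."""
        in_with_fee = amount_a * FEE_NUM
        return (in_with_fee * self.b) // (self.a * FEE_DEN + in_with_fee)

    def swap_a_for_b(self, amount_a: int, amount_out_min: int = 0) -> int:
        """Execute the swap; revert (raise) if output falls below the bound."""
        out = self.quote_b_for_a(amount_a)
        if out < amount_out_min:
            raise ValueError("INSUFFICIENT_OUTPUT_AMOUNT")
        self.a += amount_a
        self.b -= out
        return out


def min_out_with_slippage(quoted: int, slippage_bps: int) -> int:
    """Lowest acceptable output for a slippage tolerance in basis points."""
    return quoted * (10_000 - slippage_bps) // 10_000


def user_swap_after_price_move(amount_out_min: int) -> Optional[int]:
    """A 10_000 A swap that lands after another trade moved the pool price.

    Returns the B received, or None if the bound made the swap revert.
    """
    pool = Pool(1_000_000, 1_000_000)   # constructed reserves
    pool.swap_a_for_b(50_000)           # another trade mined just before ours
    try:
        return pool.swap_a_for_b(10_000, amount_out_min)
    except ValueError:
        return None


# What the user was quoted off-chain before their transaction was mined.
QUOTED = Pool(1_000_000, 1_000_000).quote_b_for_a(10_000)
```

With no bound the swap fills at the worse price; with a 1% tolerance derived from the original quote it reverts, which is the property a client or router setting `amountOutMin` relies on.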

Finding 4: Division Before Multiplication

CertiK suggests that the mathematical operations in the aforementioned function perform divisions before multiplications. Because integer division truncates, performing the multiplication before the division can avoid loss of precision.

NSUR acknowledges CertiK’s finding but will leave the code as-is, as this would require the contract to be redeployed.
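The precision point in Finding 4, as an added example (not code from the NSUR contract or from CertiK’s report): EVM uint256 arithmetic truncates on every division, so a pro-rata share computed as (amount / total) * reward loses what (amount * reward) / total keeps. The function names and inputs are constructed; the overflow check mirrors the checked arithmetic of Solidity 0.8 and later, which is the usual caveat of multiplying first.

```python
# Added example (not code from the NSUR contract or the CertiK report):
# order of integer operations and the precision it costs.

MAX_UINT256 = 2**256 - 1


def share_div_first(amount: int, total: int, reward: int) -> int:
    """Divide, then multiply: the quotient is truncated before scaling."""
    return (amount // total) * reward


def share_mul_first(amount: int, total: int, reward: int) -> int:
    """Multiply, then divide: a single truncation, at the end.

    The intermediate product must fit in uint256; Solidity >= 0.8 would
    revert on overflow, which is modelled here by raising OverflowError.
    """
    product = amount * reward
    if product > MAX_UINT256:
        raise OverflowError("intermediate product exceeds uint256")
    return product // total


def precision_loss(amount: int, total: int, reward: int) -> int:
    """Units of reward lost by dividing first for these inputs."""
    return (share_mul_first(amount, total, reward)
            - share_div_first(amount, total, reward))
```
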

Finding 5: Variables that could be declared as constant

CertiK suggests that linked variables could be declared as constant since these state variables are never modified.

NSUR acknowledges CertiK’s finding but will leave the code as-is, as this would require the contract to be redeployed.

FAQ Section

What is CertiK?

CertiK is a company that specializes in blockchain security and has established itself as a leader in the field.

Tackling the biggest issues plaguing the blockchain industry today, CertiK is addressing the fundamental security flaws of the current smart contract and blockchain ecosystem. By applying formal verification techniques, CertiK has successfully identified potential security risks in major projects such as Ethereum (ERC20), EOS, Qtum, Zcash and many more.

Where can I find the original audit and the addendum audit on NSUR’s code?

You can find the original audit and the addendum audit on NSUR’s code at this link, which has plenty of information on the audit. The audit is broken down into three parts: an ‘Overview’ of the whole audit, the Audit Scope, and the findings. The original audit is also available on CertiK’s website by clicking here.

What does audited crypto mean?

A smart contract audit is like a code review, but with extra steps. It’s an extensive methodical examination and analysis of a smart contract’s code that is used to interact with a cryptocurrency or blockchain. This process is conducted to discover errors, issues and security vulnerabilities in the code in order to suggest improvements and ways to fix them.

Rosemary Peters


Rosemary specializes in strategy and project management. She has a BSc in Engineering and an MBA from London Business School. She has spent her career leading and operationalizing strategy projects for technology and consumer companies, including Samsung. She is overseeing and operationalizing activities related to launching NSUR. Rosemary enjoys playing with her dogs, spending time outdoors and listening to mystery podcasts.