Tokentrust Canvas Audit

Perfect Abstractions conducted a smart contract audit of Tokentrust's Canvas Contracts from October 27th to November 10th, 2022.

The git commit hash used for the audit is 3aafa6e3c42dc5509d2e9c33bdd3780bc9006522.

Auditors:

  • Gašper Pregelj

Audit report reviewed by Nick Mudge.

Overview

The Tokentrust Canvas contracts provide a configurable token creation protocol with various sales mechanisms, distribution methods and output customizability. There is an option to create a single NFT, which is described as 1/1 or isOne in the code, or a collection of multiple NFTs. The term canvas describes either a single NFT (the 1/1 case) or a collection.

The main contract Canvas.sol provides the entrypoint interface for transactions and view functions, while Schema.sol outlines a data storage schema which is shared across the entire protocol. It also defines utility structs and errors.

The Modules folder contains library contracts that utilize and modify the storage, which allows robust functionality within a single contract address.

The Collection folder contains an ERC721 factory contract that deploys a new ERC721 contract for each new Canvas collection. 1/1 Canvases (single NFTs) don't need new ERC721 contracts to be deployed. They are all contained within two ERC721 contracts. One is permissionless (canvasOne) and the other is curated (canvasOneCurated). To create an NFT in the curated one, you need to be permitted by the curator. To create it in the permissionless one, you do not need any permission.

The Chainlink folder contains contracts that depend on an external oracle network for verifiable decentralized on-chain randomness (VRF.sol) and contract automation (Keeper.sol).

A small subset of the protocol has dependencies on two separate contract repositories, TokenRegistry and LicenseRegistry. These were not part of the audit.

Objectives

  1. Find bugs, inefficiencies, design flaws and security vulnerabilities in the code base.
  2. Report and make recommendations concerning what was found.

Scope

The following files were audited: