Ethos Audit — Meme Lordz ($LORDZ)
Summary of $Lordz Audit conducted by Ethos
This Audit was conducted jointly by the Ethos and Darkscope development teams. The following summarizes the details of the full Audit report provided to the client, Meme Lordz.
Overall audit result: PASS
ETH-1 — Use of non-standard SafeMath library
Description: The contract uses a non-standard version of the SafeMath library which may lead to possible integer overflow/underflow scenarios.
Risk: This can become a potentially critical scenario during variable updates which have the potential to exceed the limits of an integers upper or lower bounds. If an integer variable’s value exceeds its max value during execution, the variables value will cycle back to either its min/max value, making the entire smart contract more vulnerable to attack.
In this specific scenario, since the only values being updated is the array of _balances, and since the total supply of $Lordz can never exceed the max of uint256, there is relatively lower risk than.
Recommendation: It is highly recommended to use the OpenZeppelin SafeMath.sol library to mitigate the potential overflow/underflow instances.
Update: The team has acknowledged this risk and since the effort in redeploying and redistributing tokens far outweighs the potential risk in this specific case, it will remain acknowledged.
ETH-2 — Allowance double-spend exploit
Description: As with all other ERC-20/BEP-20 smart contracts, they are vulnerable to the allowance double-spend exploit if the use of the approve()/transferFrom() functions are not also careful to reset the allowance to 0 first and verify if it was used before setting a new value.
Risk: A bad actor may be able to submit a transaction prior to an allowance change, making it possible to use the transferFrom() function to send the initial allowance of tokens, and again be able to send the new amount of tokens after the allowance update.
Recommendation: This exploit is mitigated through the use of increaseAllowance()/decreaseAllowance() functions, which update allowances relative to its current value. Users and developers should be made aware of the issue and asked to increase/decrease allowance within their dApps and usage.
Update: The team has acknowledged this risk and will keep developers and users aware.
An automated analysis was completed by running Slither on the codebase. A total of 18 issues were detected, however, none of the issues were serious enough to be considered relevant to the security of the smart contract.
Darkscope Cyber Security Report — Summary
Darkscope Cyber InterferenceTM Risk Score
Meme Lordz has an average CIRS score and is within it is expected industry and location range. This means Demo has a normal footprint in cyberspace and an average risk of being attacked, compared with other businesses in its region and industry.
Cyber Threat Sentinel Results
The Cyber Threat Sentinel results identifies risk across four key cyber risk areas: Phishing, DDoS/RDDoS, Website Hijacking, and Ransomware and the BEP-20’s conformity. The rating scale is Low — Medium — High — Extreme. Each threat type explains how it is determined, your result and how you should interpret or react when the risk is high.
To calculate the risk of a phishing attack, we use the information an attacker has or could find in cyberspace about Demo’s people, roles, and internal processes. We incorporate past breaches, current cyber-attacks, and campaigns to determine how likely is it that an attacker would choose Demo as a target.
- We have identified a Low risk for Meme Lordz based on the analysis we did
Our system analyses the customer external-facing infrastructure using a black-box approach. This means we simulate what an attacker would be able to find in cyberspace about Demo. This includes domains, sub-domains, applications, and existing protections such as Web application firewalls or load balancers. We also include the location of services and determine the local readiness for DDoS attacks. Smaller countries like New Zealand, for example, have often limited preventive measures available due to its location and internet capabilities when compared with Germany or the US.
- We have identified a Medium risk for Meme Lordz based on the analysis we did.
Our system analysis the customer external-facing infrastructure from a black-box approach. This means we simulate what an attacker would be able to find in cyberspace about Demo. This includes domains, sub-domains, applications, and existing protections such as Web application firewalls or load balancers. Out of this information, we determine how vulnerable a customer might be.
- We have identified that Meme Lordz has a Medium-High risk of being attacked due to the application WordPress and used AddOns we have found. It is always recommended to review all external-facing applications and perform a penetration test of those to ensure there are no vulnerabilities.
To calculate the risk of Ransomware attacks, we correlate all available information and create a risk profile containing staff, product/service, and business information. Ransomware is most likely to be successful if the attacker knows about the internal processes and communications of the target. We compare this profile with thousands of other businesses in the same industry and region to create a risk value.
- Meme Lordz has a LOW risk of being targeted with ransomware.
This report is based on the scope of materials and documentation provided for a limited review at the time provided. Results may not be complete nor inclusive of all vulnerabilities. The review and this report are provided on an as-is, where-is, and as-available basis. A report does not indicate the endorsement of any particular project or team, nor guarantee its security. No third party should rely on the reports in any way, including for the purpose of making any decisions to buy or sell a product, service or any other asset. We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.
About Meme Lordz
Meme Lordz is an upcoming blockchain game powered by the BSC network. A top-down RPG utilising blockchain technology to immortalise each Meme Lord as a Non-Fungible-Token. Battle, bind and collect as you journey through a mysterious land powered by the collective thought-forms of humanity.
Ethos is a a wholistic crypto services organization which specializes in bringing additional security to the crypto space by applying a proven and standardized approach to token and platform smart contract auditing.
Ethos’ team of experienced developers bring decades of development and code auditing history from the traditional software development world.
The code review conducted for Ethos audits follow the following structure:
- Review of specifications, documentation to assess smart contract functionality
- Manual, line-by-line review of code
- Code’s adherence to functionality as presented by documentation
- Automated tool-driven review of smart contract functionality
- Assess adherence to best practices
- Provide actionable recommendations
Darkscope is an award-winning personalised cyber intelligence service provider. It is a joint human and AI business with a dedication to developing, training and using artificial intelligence to make its human expertise better, the experience better and more consistent for its clients, and of course to provide better value solutions.
With its own cutting-edge AI and Deep Artificial Neural Networks — DANN strategically placed throughout the dark web, Darkscope leads the world of cyber intelligence solutions.