Security Research Firm Trail of Bits Completes Independent Audit of LooksRare Smart Contracts
We’re proud to announce that security research firm Trail of Bits has completed an independent third-party audit of LooksRare smart contracts.
This post will get a bit technical, as we’ll go into detail about how the audit worked and our responses to their comments, so here’s the TL;DR up top:
Summary of Findings
The audit did not uncover any significant flaws that could result in the compromise of a smart contract, a loss of funds, or unexpected behavior.
A summary of the findings and details on notable findings are provided in the full audit report.
Alright, let’s get into the details. 🤓
Coverage
LooksRare engaged Trail of Bits to undertake a security audit of the following contracts, libraries, and strategies:
- LooksRare Exchange
- Manager Contracts (CurrencyManager, ExecutionManager, and RoyaltyFeeManager)
- Execution Strategies
- Exchange Libraries
- Exchange—Royalty Fee Helper Contracts
- Exchange—Transfer Manager Contracts
- Token Staking—TokenDistributor
- Token Staking—FeeSharingSystem
- Token Staking—LooksRareToken
Project Scope
Trail of Bits’ testing efforts were focused on identifying flaws that could result in the compromise of a smart contract, a loss of funds, or unexpected behavior. They conducted this audit with full knowledge of the target system, including access to the source code and limited documentation. They performed static analysis and a manual review of LooksRare’s Solidity components.
Findings of the Audit
In the audit, Trail of Bits identified 15 findings ranging from “High” to “Informational” severity:
The severity levels used in the audit are defined as follows:
LooksRare’s Response
In the interest of transparency, we’ve prepared a list of the Trail of Bits team’s findings, along with our responses to the findings and additional comments from the LooksRare team.
1. Lack of chain ID validation allows reuse of signatures across forks (High)
Our Response: Acknowledged.
Additional Comments: Although this is a valid risk (if there were a chain split of Ethereum), LooksRare has a risk mitigation policy; the LooksRare team plans to discontinue all strategies on one of the two forks in the event of a chain split. It is worth noting that a chain split of Ethereum would have much greater impact than just LooksRare, like on NFTs (all items being duplicated on both chains), stablecoins, or the whole DeFi ecosystem.
2. Lack of two-step process for contract ownership changes (High)
Our Response: Acknowledged.
Additional Comments: LooksRare’s exchange contract relies on OpenZeppelin’s battle-tested Ownable contract, which is used by a large number of projects in the space. The ownership of the exchange is held by a multisignature contract that allows multiple parties to verify the future owner address. If the ownership were transferred to the wrong address, it wouldn’t impact existing orders since there are safeguards in place at the maker/EIP-712 order level (to protect against unexpected change in royalties).
The LooksRare team believes that rolling out a custom implementation for Ownable could have introduced potential risks, outweighing potential benefits. However, the team may suggest this improvement to OpenZeppelin in the future.
3. Project dependencies contain vulnerabilities (Medium)
Our Response: Acknowledged.
Additional Comments: Smart contracts are already deployed on the Ethereum blockchain. Dependencies have been adjusted and fixed when possible.
4. Users that create Ask orders are unable to modify minPercentageToAsk (Low)
Our Response: Acknowledged.
Additional Comments: It is planned to emphasize visually the maximum royalty fee that a collection owner can collect is more accurately displayed on the site. When the platform launched, it was decided to set up a default, limited royalty range on the site to ensure that collection owners who hadn't set up their collections on LooksRare would still receive royalties, and prepare for any potential changes they might make.
5. RoyaltyFeeSetter and RoyaltyFeeRegistry owners should not be allowed to set the royalty information for an NFT collection (Low)
Our Response: Acknowledged.
6. Insufficient protection of sensitive information (Low)
Our Response: Acknowledged. The team will follow the recommendation.
7. Contracts used as dependencies do not track upstream changes (Low)
Our Response: Acknowledged.
8. Missing events for critical operations (Low)
Our Response: Acknowledged.
Additional Comments: Adding an extra event would require added gas. ERC20 tokens already incorporate events and missing information can be retrieved using alternative methods since strategy fees are fixed (on each strategy contract).
9. Taker orders are not EIP-712 signatures (Informational)
Our Response: Rejected.
Additional Comments: Introducing EIP-712 signatures on Taker orders would require added gas (i.e., second verification of signatures) and require significant architecture changes for UX problems inherent to providers like MetaMask.
10. Solidity compiler optimizations can be problematic (Informational)
Our Response: Acknowledged.
11. isContract may behave unexpectedly (Informational)
Our Response: Acknowledged.
Additional Comments: The LooksRare team couldn’t find a case for potential exploits since it would require changes (EOA → Contract or Contract → EOA) in the same transaction as the taker order.
12. Order strategy has full control of the tokenID and amount used when matching two orders (Informational)
Our Response: Acknowledged.
Additional Comments: This is a design decision, and we plan to be cautious in incorporating future strategies that would come from the community as the protocol becomes more decentralized over time.
13. Arbitrary maker order params may increase chance of phishing (Informational)
Our Response: Acknowledged.
Additional Comments: There are plans to add additional documentation for normal users to help them understand how the params field is used in future strategies that will require them.
14. Use of legacy openssl version in solidity-coverage plugin (Informational)
Our Response: Acknowledged. There’s no current plan to fix this, but we may reach out to the teams behind the plugin on GitHub for them to update the dependency.
15. Typescript compiler errors during deployment (Informational)
Our Response: Acknowledged.
Conclusion
It’s been great to work with the Trail of Bits team on this audit, and we’re grateful for the team’s comprehensive and diligent research. While it’s encouraging that the team didn’t discover any significant flaws in LooksRare during the audit, we’d like to take this opportunity to remind the community to remain vigilant.
Keep your personal security practices front of mind to minimize your risk of exposure to phishing, social engineering, and other outside threats, even when interacting with audited smart contracts and platforms. Never share your seed phrase, and use a hardware wallet; bookmark the sites you interact with, and use your bookmarks to access them instead of clicking links.
About LooksRare
LooksRare is the community-first NFT marketplace that actively rewards traders, collectors, and creators for participating. We have a vision for a better world for our community — in fact, it’s our motto: By NFT people, for NFT people. From utilizing some of the world’s most powerful search infra, down to implementing on-chain standards like EIP-712 and ERC-2981, LooksRare’s technical architecture (contracts, database, API, front end, search) has been designed from the floor up for scalability, speed, and security using the latest and greatest tech.
About Trail of Bits
Since 2012, Trail of Bits has helped secure some of the world's most targeted organizations and devices. We combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.
We help our clientele — ranging from Facebook to DARPA — lead their industries. Their dedicated security teams come to us for our foundational tools and deep expertise in reverse engineering, cryptography, virtualization, malware, and software exploits. According to their needs, we may audit their products or networks, consult on modifications necessary for a secure deployment, or develop the features that close their security gaps.
After solving the problem at hand, we continue to refine our work in service to the deeper issues. The knowledge we gain from each engagement and research project further hones our tools and processes, and extends our software engineers' abilities. We believe the most meaningful security gains hide at the intersection of human intellect and computational power.
