General Discussion

The Blockimmo AG smart contract platform implements a broad range of functionality through multiple interacting smart contracts. These contracts implement custom logic to support token creation, token sales, shareholder voting mechanisms, and a property registry that links blockchain records to real-world real estate. The contracts comprise nearly 700 lines of custom code, including comments, and incorporate code from the open-source OpenZeppelin project. This section discusses the general context around the specific findings elaborated in subsequent sections, with the aim of better understanding the current findings and preventing future instances.

New Alchemy identified one moderate and one minor vulnerability. Both can be classified as deviations from best practices, and Blockimmo AG should implement fixes to strengthen the security posture of the smart contracts.

The contracts have a fee feature that allows Blockimmo AG to collect a fee for running the token and real estate sale infrastructure. The fee calculation uses integer division, which in Solidity always rounds down (truncates). Because of this truncation, Blockimmo AG will not be able to collect the full fee amount when calculating fees from token and property sales.

The minor security issue deals with missing clarity regarding specific contract constants.

The code implements and uses the OpenZeppelin SafeMath library, which defines functions for safe math operations that throw (revert) on integer overflow or underflow. While this functionality was used in multiple places, the auditors could not identify a valid attack and exploit scenario.

Additionally, the contracts make use of specialized functionality to open voting for specific real estate property decisions among the shareholders, which are defined as owners of the token associated with the property.

The current reuse of standard open-source components allows the platform to greatly reduce risk by leveraging well-reviewed, well-tested and usage-proven functionality.

New Alchemy strongly recommends staying current on compilers, (multiple) linters, formal methods and test coverage frameworks. The development team should integrate these procedures and tools into its normal workflow. To maximize the leverage these tools provide, use their most conservative settings and aim to eliminate as many errors and warnings as possible early in the development process.

Contract / Whitepaper Token Coherence

This section examines and describes the number of tokens issued for each individual property sale. Because Blockimmo AG plans to use the same token sale contracts for its own ICO, these token amounts and distributions hold true for the Blockimmo AG ICO as well.

The whitepaper does not go into detail about the specific token amounts; as such, the values in this discussion were pulled directly from the smart contract source.

TokenizedProperty.sol creates and sets the number of tokens. Lines 55 and 56 set the decimal count and the number of tokens:

    uint8 public constant decimals = 18;
    uint256 public constant NUM_TOKENS = 1000000;

The TokenizedProperty.sol constructor, starting on line 76, sets the total supply and credits the full balance to the contract creator. This amount is distributed to investors during the crowdsale period.

    totalSupply_ = NUM_TOKENS * (uint256(10) ** decimals);
    balances[msg.sender] = totalSupply_;

The DividendDistributingToken.sol smart contract is used to deposit and collect tokens. The code on line 26 sets the POINTS_PER_WEI constant, a scaling factor used to divide deposited amounts into smaller units across the token supply.

    uint256 public constant POINTS_PER_WEI = uint256(10) ** 32;

The POINTS_PER_WEI constant is used together with the totalSupply_ variable in the deposit() function on line 52:

    function deposit(uint256 value) internal {
        pointsPerToken = pointsPerToken.add(value.mul(POINTS_PER_WEI) / totalSupply_);
        emit DividendsDeposited(msg.sender, value);
    }
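As an added illustration (not code from the Blockimmo contracts or from this report), the Python below models Solidity's truncating uint256 division for both the fee rounding described in the General Discussion and the deposit() scaling shown above. The constants are the ones quoted from the contracts; the basis-point fee formula and FEE_BPS value are assumptions, since the report does not reproduce the fee code.

```python
# Added example: models Solidity uint256 arithmetic, where `/` truncates
# toward zero, to show where wei are lost to rounding and who bears the loss.
UINT256_MAX = 2**256 - 1


def checked(x: int) -> int:
    """Mimic SafeMath: revert (raise) on overflow/underflow instead of wrapping."""
    if x < 0 or x > UINT256_MAX:
        raise OverflowError("SafeMath: arithmetic overflow/underflow")
    return x


# Constants quoted in the report from TokenizedProperty.sol / DividendDistributingToken.sol
DECIMALS = 18
NUM_TOKENS = 1_000_000
TOTAL_SUPPLY = checked(NUM_TOKENS * 10**DECIMALS)  # totalSupply_ = 1e24
POINTS_PER_WEI = 10**32


def deposit_points(value_wei: int, total_supply: int = TOTAL_SUPPLY) -> tuple[int, int]:
    """Increment applied to pointsPerToken by deposit(), plus the points lost.

    Solidity: pointsPerToken += value.mul(POINTS_PER_WEI) / totalSupply_
    With totalSupply_ = 1e24 the quotient is exact; other supplies lose the
    remainder (always < total_supply points, i.e. < 1e-8 wei for 1e24 supply).
    """
    scaled = checked(value_wei * POINTS_PER_WEI)
    inc = scaled // total_supply
    lost_points = scaled - inc * total_supply
    return inc, lost_points


# Hypothetical fee (assumption): value * FEE_BPS / 10_000, as in many sale contracts.
FEE_BPS = 250  # assumed 2.5 %


def fee_floor(value_wei: int) -> int:
    """Solidity-style rounding down: the fee collector loses up to 1 wei per sale."""
    return checked(value_wei * FEE_BPS) // 10_000


def fee_ceil(value_wei: int) -> int:
    """Ceiling division: rounding dust is charged to the payer instead."""
    return (checked(value_wei * FEE_BPS) + 10_000 - 1) // 10_000


def fee_shortfall(sale_values: list[int]) -> int:
    """Total wei the fee collector fails to receive across sales under floor rounding."""
    return sum(fee_ceil(v) - fee_floor(v) for v in sale_values)
```

Whichever direction is chosen, the rounding should consistently favour the party the design intends (here, the platform collecting the fee), and the choice should be documented next to the constants.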

New Alchemy derived the token amounts directly from the smart contracts. We recommend amending the whitepaper to list these specific figures directly, for clarity among investors. Parties interested in purchasing tokens should be able to read the figures plainly rather than having to locate them in the source code.