Over the past few weeks, Quantstamp audited the token sale and dapp contracts for the Ink Protocol, developed by Listia Inc.

The Ink Protocol embodies Listia’s effort to bring their expertise of P2P marketplaces to the blockchain, and specifies an interface and state transition system that marketplaces should adhere to. Through adoption of multiple marketplaces, user reputation can be aggregated and tracked across markets. Significantly, Listia will transition their existing marketplace to use their blockchain-centric protocol after deployment, bringing in millions of users to the protocol immediately.

Our audit was performed in close collaboration with the Listia team and below we highlight some of the findings. It is important to note that any concerns raised during the audit have since been addressed by the team, and their token sale has already completed successfully.

Token Sale Contract Audit Findings

There were a few places where extra require statements and explicit modifiers could make the code safer and more readable. For example, the _max parameter for addContributions() limits the amount a user can contribute to the sale. However, if the _max parameter were set to lower than the global minimum contribution of 0.1 Ether, then the user would never be able to contribute. A require statement was added to ensure that _max is always set to at least the global minimum. As another best-practice, state variables should all have explicit modifiers. This was not the case for “etherContributed” and “xnkPurchased”. We ran automated analysis tools on their contracts, but only found minor warnings due to “call.value()” invocations in onlyOwner functions, which we do not believe are problematic. There were a few path conditionals that are not exercised for their false values in the tests (e.g. the if-conditionals in “updateContributor” and “removeContributor”), but since there are no else-branches this is also minor. The functionality of the standard Pausable contract had been effectively re-implemented in InkPublicPresale.sol. While there does not appear to be any issues concerning these functions, we recommend using the standard implementation from Zeppelin.

Ink Protocol Contract Audit Findings

The Ink Protocol contracts effectively implement a state transition system to facilitate P2P transactions . The focus of our audit was ensuring that the smart contracts adhere to the intended semantics of the state transition system. We found no issues in this regard.

Interestingly, the protocol is designed in a way such that other marketplaces can take advantage of Ink, and user reputation can be aggregated across marketplaces. A new marketplace can utilize Ink Protocol by implementing the Ink interface and its associated components, such as transaction mediators, which settle disputes between buyers and sellers. As such, the success of marketplaces that wish to use the protocol, as well as the safety of the users of a potentially buggy or malicious marketplace, inherently rely upon the implementations of these components. Thus, if the Ink protocol contracts themselves can limit the amount of damage faulty marketplace contracts can cause, this would add confidence to marketplace end users, and further lead to positive adoption of the protocol.

The following was a change adopted after discussing our audit with Listia. When executing a transaction in the Ink Protocol, certain conditions may require calls to an external mediator contract. This contract settles disputes between buyers and sellers, and may additionally take a transaction fee for the mediation work. One concern was whether faulty calls to these external contracts could, in some sense, “lock up” the state transition system, preventing a transaction from ever finishing.

However, since the protocol enforces time-limits on certain states, such as how long a mediator is allowed to resolve a dispute (which involves locking the transaction fee), it was determined that a faulty mediator will not indefinitely lock funds. However, to further mitigate this concern, gas limits were imposed on many external contract calls, allowing the protocol to proceed even in the case of such faults, limiting some effects of faulty marketplaces implementing the Ink Protocol.

Final Thoughts

The Listia team were excellent collaborators throughout the entire audit process. The Quantstamp team thought that Listia wrote quality token sale and protocol smart contracts. Any issues raised by the Quantstamp team were quickly resolved by Listia. Quantstamp looks forward to collaborating with other teams in the future to enhance the security standards of their smart contracts.