Halborn Security Audit Complete: EXR’s Moonbeam Smart Contracts Successfully Audited for Upcoming Near Gasless Mint Experience

Exiled Racers
3 min read · May 23, 2022

Exiled Racers is proud to announce that Halborn has successfully audited its smart contracts in preparation for the EXR mint on the 31st May.

In the lead-up to EXR’s main mint at the end of the month, we are proud to announce that Halborn Security has completed a thorough audit of the Exiled Racers smart contracts.

Despite the complexity of the multi-contract architecture, only a few issues were identified, and they were relatively straightforward to remediate. After the EXR team was provided with an initial internal review, two major areas of concern were identified. These issues were classified as “critical” because their impact, were they to be exploited, would have had significant consequences for the ecosystem. Thankfully, Halborn’s team identified the issues early, giving the EXR team adequate time to patch the vulnerabilities before any deployment to the Moonbeam network.

Because Chainlink’s VRF and the recently released API3 had not yet been deployed to Moonbeam, a novel approach was taken for creating a pseudorandom number generator (PRNG) within the contracts. This approach employs a modified version of the Fisher-Yates shuffle algorithm to issue random token IDs at the time of mint. This is a common pattern in smart contracts that make use of a PRNG; however, Halborn identified a sophisticated exploit that many of these implementations are vulnerable to.

The exploit involves simulating the PRNG and using Solidity’s CREATE2 method to deploy an attacker contract that’s capable of exploiting the system. This exploit is easily prevented by ensuring that the account calling the function in question is not a contract, and by including input data in the keccak hashing algorithm that cannot be manipulated by miners.

The second issue centered around potential front-running and replay attacks. The attack vector was the result of the game’s need to issue random items as rewards. By providing generic signed coupons to users, the goal was to allow the issuance of rewards on the fly, for example at the end of a race, without the need to know the details of the winner’s account. However, this approach was vulnerable to front-running, as any malicious actor observing the mempool would be able to front-run a transaction and “steal” the anonymous coupon.

This led to an update in the contract’s logic that requires the awardee to be identified by the minting coupon they’re provided with. As a final step, the contract address and chain ID were added to the coupon to prevent replay attacks, whereby an attacker may have been able to retrieve transaction data from a testnet and reuse it on the mainnet.
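The coupon binding described above can be sketched as follows. This is an added illustration, not EXR's audited contract code: the contract, function and variable names are hypothetical, and the nonce and single-use `redeemed` mapping are assumptions that go beyond what the audit summary states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Illustrative only: all names here are hypothetical, not taken from EXR's contracts.
contract RewardCoupons {
    address public immutable couponSigner;    // address of the off-chain key that issues coupons
    mapping(bytes32 => bool) public redeemed; // coupon digest => already used (assumed single-use)

    event RewardClaimed(address indexed awardee, uint256 rewardId);

    constructor(address signer_) {
        require(signer_ != address(0), "signer required");
        couponSigner = signer_;
    }

    /// Digest the coupon signer signs off-chain.
    /// chainid + address(this): a coupon captured on a testnet, or issued for
    /// another contract, hashes to a different value and fails verification.
    /// awardee: a coupon copied from the mempool is useless to any other account.
    function couponDigest(address awardee, uint256 rewardId, uint256 nonce)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), awardee, rewardId, nonce)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function claim(uint256 rewardId, uint256 nonce, uint8 v, bytes32 r, bytes32 s) external {
        // The awardee is always msg.sender; a front-runner resubmitting the same
        // signature from their own account produces a digest the signer never signed.
        bytes32 digest = couponDigest(msg.sender, rewardId, nonce);
        require(!redeemed[digest], "coupon already used");

        // ecrecover returns address(0) on malformed signatures, so check it explicitly.
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == couponSigner, "invalid coupon");

        redeemed[digest] = true; // mark as used before issuing anything
        emit RewardClaimed(msg.sender, rewardId);
        // Reward issuance (for example, minting the item) would follow here.
    }
}
```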

With Halborn’s assistance, all known potential vulnerabilities were identified and patched.

We look forward to seeing you for the EXR mint at the end of the month!

The EXR team
