Aivatic NFT Contract Security Report

Contract: AivaticNFT
Address: 0x13443C3B565d9906BeBACe4f6aeb963515c92D91
Date: March 03, 2025

Security Findings

  1. Centralized Control by Owner

    • Severity: Low

    • Description: Functions like mintNFT, setRewardRate, setMinterContract, setRewardToken, and withdrawRewards are restricted to the owner via onlyOwner.

    • Risk: Centralization is intentional and typical for administrative control in NFT contracts. Note, however, that the owner can change the reward token and rate and withdraw rewards at will, so the trust assumption rests entirely on the owner key. No immediate security threat exists if that key is held by a trusted party (e.g., a team multi-sig).

  2. Reward Token Dependency

    • Severity: Low

    • Description: The contract relies on an external IERC20 rewardToken for staking rewards, with no validation of its behavior beyond zero-address checks.

    • Risk: If the token contract is malicious or fails (e.g., reverts on transfer), claimReward or withdrawRewards could fail. A token that returns false instead of reverting would not be detected unless transfers go through a wrapper such as OpenZeppelin's SafeERC20, and a fee-on-transfer token would deliver less than the computed reward. This is an external dependency risk, not a flaw in the contract itself.

  3. Unbounded Array Iteration in unstake

    • Severity: Low

    • Description: The unstake function iterates over userStakes to remove a token ID, with no upper bound check.

    • Risk: Gas costs increase linearly with the number of NFTs the calling user has staked, so only a user with a very large number of staked tokens pays noticeably more to unstake one, and that is unlikely to approach block gas limits in practical scenarios. No security exploit exists.

  4. Lack of Pausing Mechanism

    • Severity: Low

    • Description: No emergency pause functionality is included to halt staking or reward claims in case of issues.

    • Risk: Minor operational limitation; it does not introduce a direct vulnerability, since the core functions are otherwise secure, but the team cannot quickly halt staking or claims if, for example, the reward token is compromised. The only administrative lever for limiting further reward accrual is lowering the rate through setRewardRate.

  5. General Security

    • Severity: None

    • Description: The contract inherits from OpenZeppelin’s ERC-721 and Ownable, uses Solidity ^0.8.0, whose checked arithmetic reverts on overflow and underflow, and includes proper access controls (onlyOwner, onlyMinter). No critical vulnerabilities (e.g., reentrancy, unauthorized access) were found.
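
The Solidity fragment below is an added illustration written for this report, not the audited AivaticNFT/StakableNFT code, and shows the mitigations a reviewer would typically suggest for findings 2, 3 and 4 together: SafeERC20 for reward payouts, swap-and-pop removal with an index mapping so unstake no longer iterates over userStakes, and OpenZeppelin Pausable as an emergency stop. The contract name HardenedStaking, the stakedIndex mapping, the per-second reward formula and the separation of the staking logic from the ERC-721 itself are assumptions for the example; OpenZeppelin Contracts v5 import paths are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. HardenedStaking, stakedIndex and the
// reward formula are assumptions; import paths assume OpenZeppelin Contracts v5.
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract HardenedStaking is Ownable, Pausable, ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC721 public immutable nft;
    IERC20 public rewardToken;
    uint256 public rewardRate; // reward units per staked token per second (assumed formula)

    struct StakeInfo { address owner; uint64 since; }
    mapping(uint256 => StakeInfo) public stakes;       // tokenId => stake record
    mapping(address => uint256[]) private userStakes;  // user => staked tokenIds
    mapping(uint256 => uint256) private stakedIndex;   // tokenId => position in userStakes[owner]

    constructor(IERC721 nft_, IERC20 rewardToken_, uint256 rate) Ownable(msg.sender) {
        require(address(nft_) != address(0) && address(rewardToken_) != address(0), "zero address");
        nft = nft_;
        rewardToken = rewardToken_;
        rewardRate = rate;
    }

    // Finding 4: emergency stop. The owner can halt staking and claims while an issue is investigated.
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    function setRewardRate(uint256 rate) external onlyOwner { rewardRate = rate; }

    function stake(uint256 tokenId) external whenNotPaused nonReentrant {
        // Record state before the external call (checks-effects-interactions).
        stakes[tokenId] = StakeInfo(msg.sender, uint64(block.timestamp));
        stakedIndex[tokenId] = userStakes[msg.sender].length;
        userStakes[msg.sender].push(tokenId);
        nft.transferFrom(msg.sender, address(this), tokenId);
    }

    // Finding 3: swap-and-pop removal costs O(1) regardless of how many NFTs the user has staked.
    function unstake(uint256 tokenId) external whenNotPaused nonReentrant {
        StakeInfo memory s = stakes[tokenId];
        require(s.owner == msg.sender, "not staker");

        uint256 reward = _pendingReward(s.since);
        delete stakes[tokenId];

        uint256[] storage list = userStakes[msg.sender];
        uint256 idx = stakedIndex[tokenId];
        uint256 lastId = list[list.length - 1];
        list[idx] = lastId;         // move the last element into the vacated slot
        stakedIndex[lastId] = idx;  // keep its index mapping consistent
        list.pop();
        delete stakedIndex[tokenId];

        nft.transferFrom(address(this), msg.sender, tokenId);
        // Finding 2: SafeERC20 reverts on tokens that return false instead of reverting.
        if (reward > 0) rewardToken.safeTransfer(msg.sender, reward);
    }

    function _pendingReward(uint64 since) internal view returns (uint256) {
        return (block.timestamp - since) * rewardRate;
    }

    function stakedTokens(address user) external view returns (uint256[] memory) {
        return userStakes[user];
    }
}
```

The index mapping is what makes the removal constant-time: the swapped element's position is updated before the pop, and when the removed token is already last the self-assignment is harmless. SafeERC20 addresses only the non-reverting-token case; a fee-on-transfer reward token would still pay out less than computed, which is why the report treats the reward token as a trust dependency rather than something the contract can fully validate.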


Summary of Danger Levels

  • High Severity: None

  • Medium Severity: None

  • Low Severity: 4 issues (Centralized Control, Reward Token Dependency, Unbounded Array Iteration, Lack of Pausing)


Conclusion

The StakableNFT contract is secure with no high or medium-severity risks identified. All noted concerns are classified as low severity, reflecting design choices or minor operational considerations rather than exploitable flaws. Leveraging OpenZeppelin’s libraries and Solidity’s safety features, the contract is robust for its staking and NFT functionality within the Aivatic ecosystem.

Status: Secure with Minimal Risks
