CertiK Verifies The Sandbox’s SAND and LAND Token Contracts

CertiK | Jan 7, 2020

Article's Poster

The Sandbox is a leading community-driven gaming platform where creators can share and monetize voxel assets and gaming experiences on the blockchain. The team introduces new standards of world-building games, with multitudes of user-created 3D-voxel assets and games available on the blockchain.

Security is paramount on a shared platform, especially one that’s community driven. While building the platform, the Sandbox team entrusted CertiK to review the source code of their SAND, LAND, and LANDSale smart contracts using high-end security methods.

Sandbox’s native token, SAND, is an ERC-20 token that can be used by gamers, developers, and publishers to monetize their creations on the platform. For example, developers can buy LAND with SAND to create their own gaming experience on the platform, which in turn can be monetized. Players can create content—also known as virtual assets—exchange them for SAND, and convert their earnings into USD. In addition, SAND can accrue in value over time and be staked within their game.

But, what is LAND?

LANDs are scarce and unique NFT (non-fungible tokens) that enable owners to create, monetize and play games. Think of LAND as a digital piece of real estate in the Sandbox ecosystem where game developers can host their games on the platform. Specifically, ownership of the token allows users to:

  1. Participate in gameplays in The Sandbox
  2. Host games or experiences on their LAND
  3. Monetize their LAND by hosting gameplay or renting it out
  4. Organize contests and events on their LAND
  5. Participate in The Sandbox metaverse governance

    By bridging the digital gaming environment with the broader blockchain world, Sandbox offers the world’s first decentralized, community-driven, user-generated gaming platform.

Testing Summary

CertiK applied different types of approaches, such as manual review, static analysis, and formal verification, to audit Sandbox’s smart contracts and ensure that they’re free of vulnerabilities, including, but not limited to:

  • Function Default Visibility: Functions are public by default, meaning a malicious user can make unauthorized or unintended state changes if a developer forgot to set visibility.
  • State Variable Default Visibility: Labeling the visibility explicitly makes it easier to catch incorrect assumptions about who can access the variable.
  • Delegatecall to Untrusted Callee: Calling untrusted contracts is very dangerous, so the target and arguments provided must be sanitized.

Formal Verification is CertiK’s proprietary review method that mathematically proves the trustworthiness of code. Historically, Formal Verification has been more common for mission-critical hardware systems, like NASA’s Mars Rover; however, because smart contracts are self-executing and often open-sourced, blockchain software has seen the need for these higher standards of security.

Very few smart contract auditors are capable of performing Formal Verification, but our team of experts, which is led by Computer Science professors of Yale and Columbia, have several decades of experience in this space. And Formal Verification is the only way to objectively show immunity against some of the most critical vulnerabilities.

The auditing process pays special attention to the following considerations:

  • Testing the smart contracts against both common and uncommon attack vectors.
  • Assessing the codebase to ensure compliance with current best practices and industry standards.
  • Ensuring contract logic meets the specifications and intentions of the client.
  • Cross referencing contract structure and implementation against similar smart contracts produced by industry leaders.
  • Thorough line-by-line manual review of the entire codebase by industry experts.

Overall we found Sandbox’s smart contracts to follow good practices. With the final update of source code and delivery of the audit report, we conclude that the contract is structurally sound and not vulnerable to any classically known anti-patterns or security issues.

About CertiK

CertiK leads blockchain security by pioneering the use of cutting-edge Formal Verification technology on smart contracts and blockchains. Unlike traditional security audits, Formal Verification mathematically proves program correctness and hacker-resistance. CertiK was founded by Computer Science professors of Yale University and Columbia University, securing billions in assets, including many of the world’s top projects.

The research efforts of CertiK have received grants from IBM and the Ethereum Foundation, and notable investors include Binance Labs, Bitmain, Lightspeed Venture Partners, Matrix Partners, and NEO Global Capital, among others.

To request an audit or verification of your smart contracts, please email us at audit@certik.io or visit certik.io

--

Follow us on social

Twitter: https://twitter.com/certikorg

Reddit: https://www.reddit.com/r/CertiKOrg/

Telegram: https://t.me/certikorg

LinkedIn: https://www.linkedin.com/company/certik