AI Arena - 0xblack_bird's results

Here is the corrected version of the Analysis Report with spelling mistakes corrected and formatting improved:

Analysis Report

Index of table

Overview

AI Arena is a PvP platform fighting game where the fighters are AIs that were trained by humans. It is a platform fighting game, where the objective is to knock your opponent off of a platform. The game works like this: you train your NFT character through Imitation Learning, where the AI learns to play the game by copying your actions. When you feel your character is ready to fight, you submit the NFT into the arena to compete in Ranked Battle. Your NFT then fights autonomously against opponents near its skill level. The game allows you to create your own personalized fighter AI, with custom attributes with ownership control and attribute manipulation functionalities, and also allows you to stake on fighter NFTs for rewards.

Key Contracts

The key contracts of Ai arena protocol for this Audit are:

These contracts are central to the functionality, security, and main logic of the Ai arena protocol. Focusing on them first will provide a solid foundation for understanding the protocol's operation and how it manages user assets and stability.

• FighterFarm.sol: The FighterFarm contract manages the creation, ownership, and redemption of AI Arena Fighter NFTs, including the ability to mint new NFTs from a merging pool or through the redemption of mint passes.

• RankedBattle.sol: RankedBattle contract provides functionality for staking NRN tokens on fighters, tracking battle records, calculating and distributing rewards based on battle outcomes and staked amounts, and allowing claiming of accumulated rewards.

• Neuron.sol: The Neuron token is used for various functions within the platform, including staking, governance, and rewards.

Scope

• AiArenaHelper.sol: this contract serves as a backbone for managing and generating diverse fighter attributes within the AI Arena game ecosystem. This contract provides functions to create fighter attributes based on given parameters.

• FighterOps.sol: This library containing metadata about Fighter struct and contains methods for fetching information about a fighter.

• GameItems.sol: This contract represents a collection of game items used in AI Arena. These items provide the game more functionality and interactivity.

• MergingPool.sol: This contract allows users to potentially earn a new fighter NFT. Users can win an NFT by staking in this merging pool contract.

• StakeAtRisk.sol: The StakeAtRisk contract allows the RankedBattle contract to manage the staking of NRN tokens at risk during battles. This contract plays a crucial role in handling the risk and rewards associated with NRNs within the game ecosystem.

• VoltageManager.sol: This contract allows the management of voltage for game items and provides functions for using and replenishing voltage.

Approach Taken in Evaluating The Open Dollar Protocol

Accordingly, I analyzed and audited the subject in the following steps:

1. Core Protocol Contract Overview:

   I focused on thoroughly understanding the codebase and providing recommendations to improve its functionality. The main goal was to take a close look at the important contracts and how they work together in the AI arena protocol.

   Main Contracts I Looked At

           AiArenaHelper.sol
           FighterFarm.sol
           GameItems.sol
           MergingPool.sol
           Neuron.sol
           RankedBattle.sol
           StakeAtRisk.sol
           VoltageManager.sol
   

   I started my analysis by examining the FighterFarm.sol contract. Audit the FighterFarm contract first as it has a central role in enabling the creation, ownership, and redemption of Ai arena Fighter NFTs from minting from a merging pool or redeeming from mint passes. The contract essentially helps users to claim a predetermined number of fighters & Burns multiple mint passes in exchange for fighter NFTs. The contract allows updating the staking status of the fighter associated with the given token ID as well as, updating the model for the specified token ID. Also, another main functionality of the contract includes creating the base attributes for the fighter with user-specified DNA and fighter type along with Creating a new fighter and minting an NFT to the specified address.

   Then, I turned our attention to the RankedBattle.sol contract second because it manages functionality for staking NRN tokens on fighters, tracking battle records, calculating and distributing rewards based on battle outcomes. The reliability of the workflow of this contract is crucial for accurate protocol operation.

   Then I looked at GameItems.sol because it closely goes alongside both the contracts I looked at earlier. contract designed for managing game items in the AI Arena game. The contract provides flexibility for game item management, including finite supply, transferability, and daily allowances.

   Then audit MergingPool, which is used to earn a new fighter NFT by points accumulated by their fighters. Neuron contract is an ERC20 token contract representing Neuron (NRN) tokens. The Neuron token is used for AI Arena's in-game economy. Moving on to AiArenaHelper which generates and manages an AI Arena fighter's physical attribute, also adding and deleting probabilities for a given generation.

   And StakeAtRisk contract because it deals with NRNs that are at risk of being lost during a round of competition. Vulnerabilities in this contract could have significant financial implications and then VoltageManager contract, which contains core actions related to managing the voltage system for AI Arena. It's important to ensure the security of these actions.

2. Documentation Review:

   Then went to Review This Docs for a more detailed and technical explanation of Open Dollar.

3. Manual Code Review: In this phase, I initially conducted a line-by-line analysis, following that, I engaged in a comparison mode.

   • Line by Line Analysis: Pay close attention to the contract's intended functionality and compare it with its actual behavior on a line-by-line basis.

   • Comparison Mode: Compare the implementation of each function with established standards or existing implementations, focusing on the function names to identify any deviations.

Architecture Description and Diagram

Architecture of the key contracts that are part of the Ai Arena protocol:

This diagram illustrates the interaction among the key components of the Ai Arena protocol.

Architecture Feedback

Comments and Documentation: While the codebase contains comments, improving the quality of comments and documentation can enhance code readability. Consider using more explanatory comments to clarify the purpose and functionality of each section of the code. This will make it easier for other developers and auditors to understand and maintain the code.

Decimals Handling: When working with decimals, ensure that all conversions are handled accurately.

Formal Verification: Consider a professional formal verification of the contract to identify and mitigate any security risks.

Overall the codebase quality deserves a high-quality rank.

Codebase Quality

Overall, I consider the quality of the Open Dollar codebase to be excellent. The code appears to be very mature and well-developed. We have noticed the implementation of

various standards adhere to appropriately. Details are explained below:

Systemic & Centralization Risks

The analysis provided highlights several significant systemic and centralization risks present in the Ai arena protocol. These risks encompass concentration risk, third-party dependency risk, Additionally, the absence of fuzzing and invariant tests could also pose risks to the protocol’s security.

Here's an analysis of potential systemic and centralization risks in the provided contracts:

Centralization risks

There are not many centralization points in the system, which is a good sign. The following mentions the only but the most important trust assumption in the codebase:

1. Centralization Risk for trusted owners

Contracts have owners with privileged rights to perform admin tasks and need to be trusted to not perform malicious updates or drain funds.

• Found in src/Neuron.sol Line: 11

  contract Neuron is ERC20, AccessControl {

2. M-2: Using ERC721::_mint() can be dangerous

Using ERC721::_mint() can mint ERC721 tokens to addresses that don't support ERC721 tokens. Use _safeMint() instead of _mint() for ERC721.

• Found in src/GameItems.sol Line: 173

              _mint(msg.sender, tokenId, quantity, bytes("random"));

• Found in src/Neuron.sol Line: 74

          _mint(treasuryAddress, INITIAL_TREASURY_MINT);

• Found in src/Neuron.sol Line: 75

          _mint(contributorAddress, INITIAL_CONTRIBUTOR_MINT);

• Found in src/Neuron.sol Line: 158

          _mint(to, amount);

3. No having, fuzzing, and invariant tests could open the door to future vulnerabilities.

Properly managing these risks and implementing best practices in security and decentralization will contribute to the sustainability and long-term success of the Open Dollar protocol.

In general, the AI Arena project exhibits an interesting and well-developed architecture. We believe the team has done a good job regarding the code, but the identified risks need to be addressed, and measures should be implemented to protect the protocol from potential malicious use cases. Additionally, it is recommended to improve the documentation and comments in the code to enhance understanding and collaboration among developers. It is also highly recommended that the team continues to invest in security measures such as mitigation reviews, audits, and bug bounty programs to maintain the security and reliability of the project.

Time spent:

14 hours

Time spent:

14 hours