Fantasy trading card games and blockchain technology come together in Dark Mythos to deliver a unique gaming experience through NFT. Dark Mythos appeals to trading card enthusiasts and fantasy fans by adding a rich story to the game. Dark Mythos has an immersive gaming experience, including well-crafted stories from renowned fantasy writers and engaging world-building. Integrating these stories with the NFT cards allows players to unlock new chapters and story arcs as their collections grow, offering a dynamic and evolving gameplay experience. AuditOne's audit of Dark Mythos emphasized the seamless integration of NFT components within the game's ecosystem, ensuring players a secure and engaging experience.

Challenges Faced

Like many Web3 games, Dark Mythos relies on smart contracts to power its NFT-based ecosystem. Smart contracts ensure cards can be minted, transferred, and traded seamlessly. However, even the most exciting projects are not immune to risks—loopholes can be exploited, and millions can be lost.

During our audit, AuditOne’s experts uncovered several critical vulnerabilities, including:

• The data parameter in batchTransferFrom is repeated unnecessarily for all transfers.
• Lack of Checks-Effects-Interactions (CEI) pattern may lead to reentrancy.
• _royaltyFraction can be set to 100%, which may be problematic.
• The recipient can block minting by reverting to onERC721Received.
• Use != 0 instead of > 0 for unsigned integer comparison.

Why It Matters: Understanding the Threat

Reentrancy attacks remain one of the most dangerous smart contract exploits in Web3. They take advantage of a loophole in a victim contract, repeatedly withdrawing from it until the victim contract becomes bankrupt. This vulnerability occurs when the victim contract fails to promptly verify the exploiter's new balance. In exchange, this can be abused to drain its liquidity, eroding users' confidence in said exchange.

Reentrance remains a prevalent smart contract vulnerability and should always be fixed before a smart contract goes live; recent examples of Reentrance attacks are: 

1. Curve Finance, a vulnerability in the Vyper compiler, led to a reentrancy attack on Curve Finance, resulting in a loss of approximately $70 million.
2. In 2023, KyberSwap experienced a reentrancy attack, leading to a loss of $47 million.
3. Due to a reentrancy attack, DeltaPrime's leveraged farming platform was exploited by hackers for approximately $4.8 million across the Arbitrum and Avalanche networks.

In Dark Mythos, the risk was clear: the minting function relied on unsafe external interactions. Without fixes, an attacker could have manipulated the flow of the contract, putting assets—and the project’s future—at stake.

Our Solution

AuditOne worked closely with the Dark Mythos team to address these vulnerabilities, particularly the reentrancy risk.

We recommended adopting the Checks-Effects-Interactions (CEI) pattern, an industry-standard approach that ensures:

1. All checks (verifications) happen first.
2. Contract state updates follow immediately after.
3. External interactions occur last, reducing the risk of exploitation.

By implementing this fix and addressing other issues, Dark Mythos now has rock-solid security, ensuring that players can focus on what truly matters—enjoying the game.

Audit Results and Impact

With AuditOne’s thorough audit and solutions:

• Dark Mythos smart contracts are now secure and reliable.
• The player experience remains uninterrupted and trustworthy.
• The team has ensured their growing community of fans can trade, mint, and play without worry.

Let’s dive into technical details:

In the  ERC721DarkMythosCalyndor.sol, contract, the mint() function is vulnerable to reentrance attacks due to its deviation from the Checks- Effects-Interactions pattern. The vulnerability arises because the status of totalMintedTokens and edition.mintedSupply are updated after the _safemint() function call, which gives flow control to the receiving contract by relying on the onERC721Received() function. This can effectively transfer control to an external contract before updating the state. Such a transfer of control can be exploited by malicious contracts to perform reentrant calls, potentially leading to unintended behaviors or security breaches.

AuditOne’s Recommendation:

Consider using the Checks-Effects-Interactions pattern in the mint() function, which involves performing all necessary checks first, then updating the contract's state, and finally interacting with external contracts by updating totalMintedTokens and edition.mintedSupply before calling _safemint(), you ensure that the contract's state reflects the minting operation before any external interactions. This approach minimizes the risk of reentrancy attacks by limiting the opportunity for external contracts to reenter the function during execution.

In a space where billions are at stake, and trust is everything, AuditOne gives projects like Dark Mythos the confidence to build, grow, and thrive.

Your Project Deserves the Same Protection

Security doesn’t just protect code; it protects your players, reputation, and future. Whether you’re building a game, a DEX, or a DeFi app, AuditOne is here to ensure your smart contracts are rock-solid.

Let’s secure your Web3 project—so you can focus on creating the magic.

‍