AuditOne Blog
Preventing Revenue Loss: Fixing Costly Smart Contract Issues for Shi-Universe

Shi-Universe, a gaming NFT platform on IOTA, would have unknowingly lost revenue due to critical flaws in its smart contracts. The biggest issue? NFT royalty payments were getting lost instead of being collected.

Without an audit, these costly mistakes could have gone unnoticed, leading to lost earnings, failed transactions, and weakened trust among users and investors.

Key Issue Identified: Funds from NFT Sales Were Disappearing

The ShiWeas.sol contract was susceptible to the loss of royalty payments because it neither supported native tokens nor provided any withdrawal functionality. ShiWeas.sol sets address(this) as the royalty recipient, but the contract did not implement a receive() function, so it could not accept incoming payments at all. Even if royalties had somehow been received, there was no function that allowed the contract owner to withdraw them.

Shi-Universe’s smart contract was supposed to collect a percentage of every NFT sale as a royalty payment—a standard way for creators to earn revenue whenever their NFTs are resold. However, due to missing functions in the contract, these payments could not be received or withdrawn, leading to lost income.

What Went Wrong?

  1. When an NFT was sold, the contract was supposed to receive a 5% royalty.
  2. However, the contract didn’t have the ability to accept payments in ETH (the currency used for sales on major marketplaces).
  3. As a result, whenever someone bought an NFT, the royalty payment failed and disappeared instead of going to Shi-Universe.
  4. Even if the contract had somehow received funds, there was no way to withdraw them, meaning any collected money would be stuck inside.

Example of the Problem in Action

  • Bob lists an NFT for sale at 1 ETH on a marketplace that automatically sends 5% (0.05 ETH) in royalties to the original creator.
  • When the NFT sells, the marketplace attempts to send 0.05 ETH to Shi-Universe’s contract.
  • But because the contract wasn’t designed to accept ETH, the transaction fails, and the royalty money is lost.
  • Meanwhile, another project, ValidsRaider, had a properly set up contract that accepted and withdrew royalties smoothly, ensuring they never lost money.

The Business Impact

For Shi-Universe, this meant:

❌ Missed revenue from every NFT resale.
❌ Financial losses due to a faulty smart contract.
❌ Limited marketplace compatibility, reducing earnings potential.

Fixing Revenue Leaks & Strengthening Security

Implemented receive() and payout() functions to recover lost NFT royalties.

The receive() function allows the ShiWeas.sol contract to accept ETH payments, and the payout() function allows the contract owner to retrieve the collected royalty payments.

The updated ShiWeas.sol contract now includes receive() and payout() functions, aligning with best practices to ensure proper royalty handling and mitigating future losses from unsupported native tokens.
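The shape of the fix described above, as an added illustration that is not the ShiWeas.sol code: an ERC-2981 contract that names address(this) as the 5% royalty recipient, accepts native-token payments through receive(), and lets the owner drain them through payout(). The contract name, events and the use of OpenZeppelin Contracts v5 are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example contract (not ShiWeas.sol); assumes OpenZeppelin Contracts v5.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/common/ERC2981.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract RoyaltyCollector is ERC721, ERC2981, Ownable {
    event RoyaltyReceived(address indexed from, uint256 amount);
    event Payout(address indexed to, uint256 amount);

    constructor() ERC721("Example", "EXM") Ownable(msg.sender) {
        // The contract itself is the royalty recipient: 500 / 10000 = 5%.
        _setDefaultRoyalty(address(this), 500);
    }

    // Without this function a plain value transfer to the contract reverts,
    // so a marketplace paying royalties to address(this) would fail and the
    // royalty would never be collected.
    receive() external payable {
        emit RoyaltyReceived(msg.sender, msg.value);
    }

    // Moves every accumulated royalty to the owner. Uses call rather than
    // transfer so that a multisig or smart-contract wallet can be the owner
    // (transfer's fixed 2300 gas stipend is too small for most of them).
    function payout() external onlyOwner {
        uint256 amount = address(this).balance;
        require(amount > 0, "nothing to pay out");
        address to = owner();
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "payout failed");
        emit Payout(to, amount);
    }

    // Both parents declare supportsInterface, so the override must name both.
    function supportsInterface(bytes4 interfaceId)
        public view override(ERC721, ERC2981) returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}
```

A marketplace that honours ERC-2981 calls royaltyInfo(), sends 0.05 ETH of a 1 ETH sale to the contract, and the owner later collects it with payout().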

Other Critical Risks Found by AuditOne

1. Silent Failure in _removeFromRNG() Function

Silent Function Failures – Hidden errors can cause unpredictable contract behavior, making it difficult to detect and fix operational issues.

The _removeFromRNG() function does not revert if the requested ID is not found. It fails silently, which can lead to unexpected behavior or to callers making unsafe assumptions about IDs that do not exist.

2. Minting NFTs to Contract Address in ownerMint() Function

NFT Minting Issues – If minting fails, NFTs may not be properly assigned, leading to user complaints, transaction failures, and lost assets.

Minting NFTs to the contract's own address fails in the ownerMint() function. This results in failed minting attempts and potential disruptions to expected contract operations.

3. Empty _tokenIds Not Checked

Unchecked Token ID List – Failing to validate token lists can create logical inconsistencies and unexpected execution failures.

The _tokenIds array is not checked for emptiness before a removal is attempted. If the array is empty, execution continues even though the specified token ID was not removed, potentially causing logical inconsistencies.
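One way to remove both weaknesses from items 1 and 3 at once, as an added example that is not the project's own code: a token-ID pool whose removal routine reverts with a named error when the pool is empty or the ID is absent, so callers can never proceed on a removal that did not happen. The contract name and the external remove() wrapper are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical pool of not-yet-minted token IDs (not the ShiWeas.sol code).
contract TokenIdPool {
    uint256[] private _tokenIds;

    error EmptyPool();
    error TokenIdNotFound(uint256 tokenId);

    constructor(uint256[] memory initial) {
        _tokenIds = initial;
    }

    function remaining() external view returns (uint256) {
        return _tokenIds.length;
    }

    // Removes tokenId with swap-and-pop. Reverts explicitly when the pool is
    // empty or the ID is absent, instead of returning silently and letting
    // the caller assume the removal succeeded.
    function _removeFromRNG(uint256 tokenId) internal {
        uint256 len = _tokenIds.length;
        if (len == 0) revert EmptyPool();
        for (uint256 i = 0; i < len; i++) {
            if (_tokenIds[i] == tokenId) {
                _tokenIds[i] = _tokenIds[len - 1];
                _tokenIds.pop();
                return;
            }
        }
        revert TokenIdNotFound(tokenId);
    }

    // Thin wrapper so the behaviour can be exercised from a test; a real
    // contract would call _removeFromRNG from its mint path instead.
    function remove(uint256 tokenId) external {
        _removeFromRNG(tokenId);
    }
}
```

Deploying with [1, 2, 3], calling remove(2) leaves remaining() at 2; a second remove(2) reverts with TokenIdNotFound(2), and once the pool is drained any further call reverts with EmptyPool().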

4. Lack of Compatibility with Multi-Signature Wallets

Lack of Compatibility with Multi-Signature Wallets – Without multi-sig support, organizations and security-conscious users are unable to securely manage funds and contract interactions.

The contract lacks support for multi-signature or smart contract-based wallets. This limitation reduces the accessibility and usability of the contract for decentralized organizations or users relying on advanced wallet features.

5. Centralization Risks

Centralization Risks – Centralized control weakens trust, increases the risk of insider threats, and can lead to security vulnerabilities.

Multiple centralization points exist within the system. Centralization reduces project reputation and customer trust while increasing the potential impact of malicious actions by privileged users.

Additional fixes implemented

✅ Fixed minting issues to ensure smooth NFT distribution

✅ Strengthened error handling to eliminate silent failures

✅ Enhanced multi-signature support for better security and access control

✅ Reduced centralization risks to improve transparency and trust

The Results

With these fixes, Shi-Universe now ensures:

  • Every NFT royalty is properly collected and accessible.
  • A secure smart contract free from silent failures.
  • A fully operational, marketplace-compatible system ready for growth.

Smart contract issues can cost you money, users, and credibility. Don’t wait for a security breach—AuditOne helps Web3 projects fix hidden flaws before they cause damage.

Book your Free Security Consultation:

Google Calendar:
https://calendar.app.google/Ai15eyQhiV5c1pBXA
Telegram:
https://t.me/m_ndr
Author: Daniel Francis, Senior Product Manager