xPET went viral on Twitter, is the contract code really safe?

23-12-29 11:12
Original title: "Analyzing the Viral Spread of xPet in the Web3 Space: A Security Perspective on the Recent Buzz"
Original author: Beosin
Original translation: Lucy, BlockBeats


Editor's note:
Recently, the rise of the xPET token XPET has sparked heated discussion in the community. This is due not only to the token's listing on CEXs and the announced cooperation with OKX, but also to the contents of the newly updated official white paper. On December 28, XPET reached a new high: according to Bitget market data, XPET broke through $3, an increase of more than 200% from the opening price.

Beosin is a blockchain security company that has audited more than 3,000 smart contract projects and helped blockchain platforms such as Ethereum, EVM-compatible chains, Solana, Near, EOS, and aelf to discover and fix multiple medium- and high-risk security vulnerabilities. In this article, Beosin deeply analyzes the viral spread of xPET in the Web3 field, and examines the core logic contracts, token contracts and potential risks of the xPET project from a security perspective. BlockBeats translates the original text as follows:


Recently, a blockchain-based game called xPET has quickly become popular on the Twitter platform. Some people describe this project as a "Web3 virus" that has rapidly increased the number of followers and users. xPET is an early project that combines game and social elements and has attracted huge attention within just two weeks of its launch. Due to the recovery of the GameFi industry and the unique mechanism of xPET, the project has recently become a hot topic, attracting deposits of 2,785 ETH (about $6.5 million).


However, the security issues associated with it cannot be ignored. In order to help users understand the potential risks, the Beosin security team will conduct a detailed analysis of the design mechanism and contract code of xPET to reveal the security vulnerabilities therein.


xPET Mechanism Analysis


xPET is a pet game built on Arbitrum that combines elements of Tipcoin and the previously popular Fren Pet on the Base chain. Gameplay involves feeding pets to upgrade and profit. xPET is unique in that it takes the form of a browser plugin, requires login via Twitter authentication, and enables full integration with Twitter in subsequent game bonus tasks.


https://www.xPET.tech/


Currently, the game content revolves around feeding pets, upgrading factories, and completing Twitter tasks to obtain treasure chests. Players must upgrade their pets to level 7 to produce Berries, which can be converted to BPET for profit. Upgrading pets requires paying one of xPET’s two tokens, xPET or BPET. Users initially need to use ETH as collateral to borrow xPET (exchangeable with BPET at 1:1), or purchase xPET from the xPET-ETH trading pool. The game's economic system design is shown in the figure below:


Source: Beosin


xPET Contract Analysis


The main contract of xPET is an ERC1967 upgradeable contract.


The proxy contract address is 0x1B0D12879960A768D02bd223ef735D4231a15348, and the logic contract address is 0xcD4420B70e2669De8dE9d62dd7fEa4D19b320768.


The $XPET token contract address is 0x00cbcf7b3d37844e44b888bc747bdd75fcf4e555, and the $BPET token contract address is 0x6daf586b7370b14163171544fca24abcc0862ac5.


Using the Beosin VaaS tool together with a review by Beosin's security audit experts, the following potential security risks were identified in the xPET-related contracts:


https://vaas.beosin.com/


xPET Main Contract


The main contract is responsible for handling the lending logic of ETH and xPET. However, since the main contract is an upgradeable contract and the project has not disclosed the logic contract in this upgradeable contract, it is impossible to detect potential logic errors or risks in the logic contract.



In terms of the security of upgradeable contracts, Beosin makes the following recommendations:


Initialize contracts and dependencies. Developers may omit the initialization of the contract and its dependencies at deployment, leaving the contract open to serious vulnerabilities.


Resolve storage conflicts. Changing the storage layout during a contract upgrade can create conflicts between versions, corrupting data and causing financial losses.


Manage permissions. Developers should restrict upgrade permissions so that an attacker cannot take control of contract upgrades.
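As an added illustration of these three recommendations (not xPET's code, whose logic contract is closed source), a minimal UUPS-style logic contract built on OpenZeppelin's upgradeable library, assumed to be version 4.x; the contract, variable and role names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts Upgradeable 4.x; contract and role names are hypothetical.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

contract LendingLogicV1 is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    // Recommendation 2 (storage): the layout is append-only. A V2 may add new
    // variables only after `borrowedXpet`, consuming slots from the reserved gap;
    // never reorder, retype or delete existing slots, or the proxy's data is misread.
    mapping(address => uint256) public collateralEth;
    mapping(address => uint256) public borrowedXpet;
    uint256[48] private __gap;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Recommendation 1 (initialization): lock the bare implementation so
        // nobody can call initialize() on it directly and claim its roles.
        _disableInitializers();
    }

    // Runs exactly once, through the proxy, in the transaction that deploys the proxy.
    function initialize(address admin, address upgrader) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _grantRole(DEFAULT_ADMIN_ROLE, admin);   // e.g. a multisig, not the deployer EOA
        _grantRole(UPGRADER_ROLE, upgrader);
    }

    // Recommendation 3 (permissions): the proxy's upgradeTo/upgradeToAndCall path
    // ends here; only UPGRADER_ROLE may swap the implementation.
    function _authorizeUpgrade(address newImplementation)
        internal
        override
        onlyRole(UPGRADER_ROLE)
    {}

    // Minimal lending surface so the storage declared above is actually used.
    function deposit() external payable {
        collateralEth[msg.sender] += msg.value;
    }
}
```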


xPET Token Contract


The xPET token contract inherits the ERC20 and AccessControl contracts, and there are potential risks:


Centralization risk. The contract designates the deployer as the administrator role, creating a single point of control; a compromise of the deployer's account therefore poses a significant risk.


Token accessibility. All tokens are minted to the contract itself, so the flow of tokens is centralized in the contract.



Missing events. The withdrawal and conversion functions do not emit events; they should, so that calls to them can be monitored and tracked off-chain.


BPET Token Contract


Similar to the xPET Token Contract, the BPET Token Contract has a single point of risk that cannot be ignored:


Centralization risk. The contract designates the deployer as both administrator and minter, concentrating power in one address; a compromise of the deployer's address may lead to serious security risks.



Unlimited minting. The conversion function places no limit on the number of tokens that can be minted. If the deployer chose to over-mint tokens for profit, the token price could fall sharply.



Role management. The contract lacks functions for revoking or transferring roles, which may become a security problem if ownership needs to be transferred or a minter removed.
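An added example (not the xPET or BPET contract code) that addresses the token-contract findings above in one place: the missing events on withdrawal and conversion, the unbounded mint in the conversion path, the deployer-as-admin default, and the lack of role revocation or transfer. It assumes OpenZeppelin Contracts 4.x; the contract, role and event names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumes OpenZeppelin Contracts 4.x; the contract itself is hypothetical.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

contract HardenedBPET is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    uint256 public immutable maxSupply;   // hard cap: closes the unlimited-minting finding
    address public admin;                 // current DEFAULT_ADMIN_ROLE holder
    address public pendingAdmin;          // two-step handover target

    event Converted(address indexed minter, address indexed to, uint256 amount);
    event Withdrawn(address indexed token, address indexed to, uint256 amount);
    event AdminProposed(address indexed current, address indexed proposed);

    constructor(uint256 cap, address admin_, address minter) ERC20("BPET", "BPET") {
        require(cap > 0 && admin_ != address(0) && minter != address(0), "bad params");
        maxSupply = cap;
        admin = admin_;                          // explicit (e.g. a multisig), not msg.sender
        _grantRole(DEFAULT_ADMIN_ROLE, admin_);
        _grantRole(MINTER_ROLE, minter);         // e.g. the game's main contract
    }

    // The 1:1 conversion path: gated by role, bounded by the cap, and logged.
    function convert(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        require(totalSupply() + amount <= maxSupply, "cap exceeded");
        _mint(to, amount);
        emit Converted(msg.sender, to, amount);
    }

    // Admin withdrawal of tokens parked in this contract, now visible to off-chain monitors.
    function withdraw(IERC20 token, address to, uint256 amount) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(token.transfer(to, amount), "transfer failed");
        emit Withdrawn(address(token), to, amount);
    }

    // Role management: MINTER_ROLE is added/removed with the inherited grantRole/revokeRole;
    // the admin role itself moves in two steps so a typo cannot hand control to a dead address.
    function proposeAdmin(address newAdmin) external onlyRole(DEFAULT_ADMIN_ROLE) {
        pendingAdmin = newAdmin;
        emit AdminProposed(admin, newAdmin);
    }

    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "not pending admin");
        _revokeRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        admin = msg.sender;
        pendingAdmin = address(0);
    }
}
```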


Other Risks


In addition to contractual risks, xPET also faces issues related to spam on Twitter. Since xPET requires users to post comments with the word "xPET" on Twitter to earn game rewards, a large number of irrelevant posts containing "xPET" have appeared, causing dissatisfaction among many Twitter users.


Twitter's developer agreement prohibits the use of developer products related to Twitter to generate spam. If Twitter disables xPET, its gameplay that relies on Twitter integration will stop completely.


https://developer.twitter.com/en/developer-terms/policy


Conclusion


The core logic contract of the xPET project is still closed source, and both token contracts carry obvious centralization risks. Users should be aware of these risks; the project's security could be improved through changes to the contract code. The market has already seen several waves of GameFi and SocialFi trends. Users are advised to manage their funds wisely and to participate rationally only after fully understanding the project's risks.


Original link

