Flower Fam NFT Audit Report

Table Of Content



BlockApex (Auditor) was contracted by Flower Fam (Client) for the purpose of conducting a Smart Contract Audit/ Code Review. This document presents the findings of our analysis which started on 19 May 2022. 

Name: Flower Fam
Auditor: Kaif Ahmed | Muhammad Jarir Uddin
Platform: Ethereum/Solidity
Type of review: Manual Code Review | Automated Code Review
Methods: Architecture Review, Functional Testing, Computer-Aided Verification, Manual Review
Git repository/SHA256 Checksum: 3c6fec450c5aa25e6dec9a0378d99dcbf44b4f113d096e581e01d86720b9cd1d
White paper/ Documentation: https://docs.flowerfam.earth/welcome.
Document log:
Initial Audit: 19th May 2022
Final Audit: 23rd May 2022 


The Git-repository shared was checked for common code violations along with vulnerability-specific probing to detect major issues/vulnerabilities. Some specific checks are as follows:

Code reviewFunctional review
Reentrancy Unchecked external callBusiness Logics Review
Ownership TakeoverERC20 API violationFunctionality Checks
Timestamp DependenceUnchecked mathAccess Control & Authorization
Gas Limit and LoopsUnsafe type inferenceEscrow manipulation
DoS with (Unexpected) ThrowImplicit visibility levelToken Supply manipulation
DoS with Block Gas LimitDeployment ConsistencyAsset’s integrity
Transaction-Ordering DependenceRepository ConsistencyUser Balances manipulation
Style guide violationData ConsistencyKill-Switch Mechanism
Costly LoopOperation Trails & Event Generation

Project Overview

FlowerFam is an NFT-based project, after you mint your NFT you can “harvest” them on weekly basis to get 60% royalties. It's quite simple: every flower has a 10% chance to win. The rarer the species of a flower. Besides the weekly harvest, flowers can make $honeycoin through a lot of other fun activities in the Oasis. You can earn $honeycoin by staking your Flower, catching bees, and buying seeds that grow into beautiful new Flowers.

System Architecture

FlowerFam is a single NFT minter contract which is composed of three other contracts, FloweFam.sol , FlowerFamMintPass.sol and FlowerFamEcosystem.sol. This contract is used to make users whitelist so that only whitelisted addresses would be able to mint NFTs.

Methodology & Scope

The codebase was audited in an iterative process. Fixes were applied on the way and updated contracts were examined for more bugs. We used a combination of static analysis tool (slither) and testing framework (Foundry) which indicated some of the critical bugs. We also did manual reviews of the code to find logical bugs, code optimizations, solidity design patterns, code style and the bugs/ issues detected by automated tools.


Executive Summary

The analysis indicates that some of the functionalities in the contracts audited are working properly.

Our team performed a technique called “Filtered Audit”, where the contract was separately audited by two individuals. After their thorough and rigorous process of manual testing, an automated review was carried out using Mythril, MythX, Surya and Slither. All the flags raised were manually reviewed and re-tested. 

Our team found:

# of issues Severity of the risk
0Critical Risk issue(s)
0High-Risk issue(s)
1Medium Risk issue(s)
4Low-Risk issue(s)
4Informatory issue(s)


1.Centralization riskMediumFixed
2.setMerkleRootOfRound() can overwrite mappingLowAcknowledged
3.Configuration inconsistencyLowAcknowledged
4.Withdraw function argument validation checkLowFixed
5.Recommendation for missing function in the contract file as received by the clientLowAcknowledged
6.Natspec missingInformatoryAcknowledged
7. Order of FunctionsInformatoryFixed
8.Unchecked setter valuesInformatoryAcknowledged
9.Interface Instead of ContractInformatoryFixed

Medium-risk issues

1. Centralization risk.


Heavy centralization risk using onlyowner check on withdraw() function, assuming owner address is never compromised else it might lead to lost funds. 

function withdraw(address _to) external onlyOwner {
        uint256 balance = address(this).balance;
        require(balance > 0, "Balance zero");



Low-risk issues

2. setMerkleRootOfRound() can overwrite mapping


The current implementation of the above function can override the mapping roundToMerkleRoot which can lead to loss of round minting for any of the four rounds.




Place a check to ensure the root can only be set if the round has completed the  preset timeline.

3. Configuration inconsistency:


Calling the functions setMintLimitOfRound or setMaxSupplyOfRound during a round can lead to inconsistencies of assumed configurations of the minting system.




Owner can change configurations during the minting rounds and can lead to inconsistent management of user NFTs.

4. Withdraw function argument validation check


Withdraw() function is only callable by owner but still there is a chance of mistake. Function only checks for the amount it should also check for the value owner sends from the arguments.




There should be a zero address check inside the function.

5. Recommendation for missing function in the contract file as received by the client.


The contract IFlowerFamMintPass contains a function named validPasssesLeft which is incompatible with the original files received later (out of scope) containing a similar function named as userPassesLeft().




Ensure the functions are named properly and following the implemented interface architecture of the file system.

Informatory issues

6. No NatSpec Documentation


NatSpec documentation is an essential part of smart contract readability; it is therefore advised that the contract and following files should contain proper explanatory commenting;

  • FlowerFamMinter.sol



7. Order of Functions


Move receive() function right below the constructor. Move most useable/callable (Public/External) functions right below the constructor and internal functions right below the public functions as suggested in the solidity docs:

“Ordering helps readers identify which functions they can call and to find the constructor and fallback definitions easier”.

Functions should be grouped according to their visibility and ordered:

receive function (if exists)
fallback function (if exists)



8. Unchecked setter values


All setter values are unchecked and can lead to redundant calling setter functions. There should be a zero value check in following functions:




9. Interface Instead of Contract


Contracts named IFlowerFam and IFlowerFamMintPass can be changed for interface type.




Ensure that the contracts are retyped as interfaces and reflect all consequential changes e.g. 

  • In IFlowerFamMintPass contract, the function balanceOf() be marked with external accessibility
  • In the IFlowerFam contract, the function named ownerOf() can be marked as external accessible.


The smart contracts provided by the client for audit purposes have been thoroughly analyzed in compliance with the global best practices till date w.r.t cybersecurity vulnerabilities and issues in smart contract code, the details of which are enclosed in this report. 

This report is not an endorsement or indictment of the project or team, and they do not in any way guarantee the security of the particular object in context. This report is not considered, and should not be interpreted as an influence, on the potential economics of the token, its sale or any other aspect of the project. 

Crypto assets/tokens are the results of the emerging blockchain technology in the domain of decentralized finance and they carry with them high levels of technical risk and uncertainty. No report provides any warranty or representation to any third-Party in any respect, including regarding the bug-free nature of code, the business model or proprietors of any such business model, and the legal compliance of any such business. No third party should rely on the reports in any way, including for the purpose of making any decisions to buy or sell any token, product, service or other asset. Specifically, for the avoidance of doubt, this report does not constitute investment advice, is not intended to be relied upon as investment advice, is not an endorsement of this project or team, and it is not a guarantee as to the absolute security of the project.

Smart contracts are deployed and executed on a blockchain. The platform, its programming language, and other software related to the smart contract can have its vulnerabilities that can lead to hacks. The scope of our review is limited to a review of the Solidity code and only the Solidity code we note as being within the scope of our review within this report. The Solidity language itself remains under development and is subject to unknown risks and flaws. The review does not extend to the compiler layer, or any other areas beyond Solidity that could present security risks.

This audit cannot be considered as a sufficient assessment regarding the utility and safety of the code, bug-free status or any other statements of the contract. While we have done our best in conducting the analysis and producing this report, it is important to note that you should not rely on this report only - we recommend proceeding with several independent audits and a public bug bounty program to ensure security of smart contracts.

More Audits

Web2 Security vs Web3 Security: An Innovative Adaptation?

Web 3.0 is a semantic web where it promises to establish information in a better-existing way than any current search engine can ever attain. Web 3.0 promotes four concepts which mainly are authenticity, i.e, every piece of information existing on the internet is a fact or derived from a fact. Integrity, willingness to abide by moral principles, and ethical values. Transparency, the data present on the internet is accessible for every user to witness. Lastly, Confidentiality which is achieved by Blockchain technology, where every user’s identity is anonymous, making it secure. 

The Big Fuzz Theory: Fuzzing Primer

Fuzz testing, or fuzzing, is a technique used to improve the security of software, including smart contracts in Solidity. It involves supplying random or unexpected data as inputs to a system in an attempt to break it and uncover vulnerabilities that manual testing might miss. Fuzzers generate a set of inputs for testing scenarios that may have been missed during unit testing, helping to identify bugs and potential security issues.

Transparency Series Part One: Diving Into Composable Smart Contracts

omposable smart contracts bring about certain problems in particular during the auditing phase. One of these is the hindering of end-to-end (E2E) testing. Often it is the case that for calling even just one function of a composable smart contract, multiple other contracts are required to be deployed.

Dforce Network - February 13, 2023

The attack on dForce network had significant consequences for the platform and its users. By exploiting a reentrancy vulnerability in the wstETH/ETH pool on Curve and the dForce wstETH/ETH Vault, the attacker was able to manipulate the virtual price of the pool, which in turn affected the oracle used by the dForce wstETH/ETH Vault

Lightlink Bridge: BlockApex WhiteBox Code Review Report

the source code review of Lightlink Bridge Validator and Keeper. The purpose of the assessment was to perform the whitebox testing of the Bridge’s validator and Keeper before going into production and identify potential threats and vulnerabilities.

Consumer Privacy & Data Breach Part I - Is It a Global Issue?

Data breaches and consumer privacy are one of the most alarming security issues in IT space. About 45% of the world’s population uses social media which makes approximately 3.48 billion people to be interacting with any kind of social media network. These tremendous amounts of connections can lead to various kinds of vulnerabilities if the data is gone into the wrong hands creating pretty damaging consequences.

Sonar Bridge V2 Initial Audit

BlockApex (Auditor) was contracted by SONAR (Client) for the purpose of conducting a Smart Contract Audit/Code Review for Sonar Bridge V2. This document presents the findings of our analysis which took place on 28th September 2021.

Revisiting Ethereum Classic in Light of the London Hard Fork

The successful upgrade of the London Hard Fork is a big difference from the fork leading to Ethereum Classic that took place back in 2016. However, despite their divergence, both are milestones in the Ethereum world- guaranteed to have lasting impacts on the blockchain as we know it. Read more to find out the circumstances surrounding each hard fork and the role they may play in shaping Ethereum's future.

SEC Regulations: Sabotage Under The Guise Of Protection?

The SEC describes its motives to be the safeguarding of investors, while members of the blockchain community see their actions as sabotage. Read more to find out the history of this controversy and its implications on the general definition of security.

1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023