Team and KYC Verification
The team has securely submitted their personal information to SolidProof.io for verification.
In the event of any fraudulent activities, this information will be promptly reported to the relevant authorities to ensure accountability and compliance.
TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io,
is currently not
activated
for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
For more information, click here.
Security Assessments
Summary and Final Words
No crucial issues found
The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.
Contract is upgradeable
The contract uses a proxy pattern or similar mechanism, enabling future upgrades. This can introduce risks if the upgrade mechanism is not securely managed.
Scope of Work
This audit encompasses the evaluation of the client-side codebase of the Web3 Raffle Platform. The assessment was based on the provided source files and understanding of the application's intended functionality.
The auditing process consisted of the following systematic steps:
- Specification and Architecture Review: Analyze the provided information, project description, source code structure, and user interface interactions to fully understand the application's scope, architecture, and functionality from a client-side perspective.
- Manual Code Examination: Conduct a thorough review of the frontend source code (primarily TypeScript/JavaScript and React components) to identify potential security vulnerabilities, logic flaws, and areas for improvement.
- Functionality Alignment: Assess if the client-side code appears to implement the described specifications and intended user-facing functionalities, noting potential discrepancies or areas of concern.
- Input and Data Handling Analysis: Examine how user inputs are processed, how data is fetched and displayed, and how application state is managed on the client-side, looking for vulnerabilities like XSS, insecure data storage, or improper handling of sensitive information.
- Component and Interaction Analysis: Review key components, their interactions, and critical user workflows (such as authentication, ticket purchasing, and admin functions) to identify potential security weaknesses or edge cases from the client's perspective.
- Best Practices Evaluation: Assess the client-side codebase against established web development and security best practices (e.g., OWASP Top 10 considerations relevant to frontend, secure dependency management, proper error handling) to enhance efficiency, maintainability, and security.
- Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the client-side application code.
Note: This review focused on the client-side codebase. A comprehensive security assessment of the Web3 Raffle Platform would also require dedicated reviews of the backend API and any Solana smart contracts, which were outside the direct scope of this specific client-side examination. Changes to the codebase after this review may introduce new conditions or vulnerabilities not covered.
Final Words
The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.
This initial security audit of the Web3 Raffle Platform's client-side codebase identified 9 distinct issues (excluding informational items) spanning critical transaction handling, cross-site scripting vulnerabilities, authentication token management, authorization enforcement, and WebSocket security. Our goal is to ensure that the development team understands the scope of work required to enhance the security posture of the frontend application.
The frontend application integrates with a backend API and the Solana blockchain. While the component structure is generally standard for a React application, the identified vulnerabilities, if unaddressed, could expose users to risks such as fund loss, session hijacking, and denial of service for certain features. A phased remediation plan focusing on the highest-risk areas is recommended. It is crucial to note that this audit was limited to the client-side code; a comprehensive security assessment must also include the backend API and any associated Solana smart contracts.
Technical Summary (Client-Side Findings)
- Critical Transaction Handling: A critical race condition was identified in the multi-step ticket purchase flow (Backend Reserve -> On-chain Pay -> Backend Confirm), potentially leading to users paying but not receiving tickets, or overselling.
- Web Security (XSS): A high-severity Cross-Site Scripting (XSS) vulnerability exists due to rendering unsanitized HTML from draw descriptions via
dangerouslySetInnerHTML. - Authentication & Tokens: JWTs are stored in
localStorage, making them vulnerable to XSS attacks and session hijacking. Incomplete logout logic was also noted upon client-side token expiry detection. - Authorization: The application relies heavily on backend API enforcement for admin functionalities, as client-side role checks are primarily for UI and can be bypassed.
- Data Integrity & API Interaction: Potential for trusting client-side data (like ticket cost) in the purchase flow, requiring robust backend validation. Manual attachment of authorization headers is error-prone.
- Secure Communication: Insecure WebSocket configuration is possible if WSS is not enforced, and no explicit token-based authentication for the WebSocket connection itself was observed.
Key Recommendations (Client-Side)
- Ticket Purchase Flow: Implement robust transactional integrity in the backend for the ticket purchase process. The on-chain transaction should be the primary source of truth, or the backend needs atomic operations.
- XSS Prevention: Sanitize all HTML content derived from external sources (like draw descriptions) using a library like DOMPurify before rendering with
dangerouslySetInnerHTML. - Token Management: Migrate JWT storage from
localStoragetoHttpOnlycookies. Ensure logout processes fully clear all authentication state. - Authorization Enforcement: Reinforce that all backend API endpoints serving sensitive data or actions must rigorously validate JWTs and associated roles. Client-side checks are insufficient for security.
- Input and Price Validation: Backend systems must always re-validate critical data like prices and quantities against authoritative sources before finalizing transactions.
- API Call Security: Implement an Axios request interceptor for consistent and secure attachment of authorization headers.
- WebSocket Security: Ensure WebSocket connections use WSS and implement token-based authentication for the connection.
Recommended Remediation Focus (Client-Side)
- Critical Vulnerability Remediation:
- Address the race condition in the
TicketPage.tsxpurchase flow by redesigning the backend logic for atomicity and reliability, potentially making the on-chain transaction the definitive record or using a robust distributed lock/transactional system for the reserve-pay-confirm sequence.
- Address the race condition in the
- High Severity Vulnerability Remediation:
- Implement HTML sanitization (e.g., DOMPurify) for
draftToHtmloutput inTicketPage.tsxto prevent XSS. - Transition JWT storage from
localStoragetoHttpOnlycookies to protect against XSS-based token theft. - Review and ensure all backend endpoints correctly authorize requests based on validated JWT claims, especially for admin functionalities.
- Implement HTML sanitization (e.g., DOMPurify) for
- Medium & Low Severity Vulnerability Remediation:
- Strengthen backend validation for all client-provided data, especially financial transaction parameters like 'cost'.
- Ensure the logout process in
UserContextis comprehensively triggered upon token expiry detection inuseCheckAuthRedirect. - Secure WebSocket communications (enforce WSS, implement JWT-based auth for the socket connection).
- Refactor API calls to use an Axios interceptor for setting Authorization headers.
Note: This report summary covers only the client-side code of the Web3 Raffle Platform. No review of the backend API or Solana smart contracts was performed as part of this specific analysis. These components are critical to the overall security of the platform and require their own dedicated security audits. We recommend integrating these findings into your development backlog and verifying remediation with follow-up reviews before any production launch or significant updates.
Files and details
Findings and Audit result
critical Issues | 1 findings
Resolved
#1 critical Issue
Race Conditions in Ticket Purchase Flow
The ticket purchase involves a backend reservation, an on-chain payment (SOL/USDT), and a backend confirmation. This sequence is vulnerable to race conditions. If the on-chain payment succeeds but the subsequent backend confirmation fails, the user might lose funds without receiving a ticket. Conversely, issues with reservation logic could lead to overselling or failed purchases despite payment. The error handling relies on a /ticket/cancelReservation call, which might not always succeed or cover all edge cases.
high Issues | 3 findings
Resolved
#1 high Issue
Cross-Site Scripting (XSS) via dangerouslySetInnerHTML
The application renders draw descriptions fetched from the backend using 'draftToHtml' and then 'dangerouslySetInnerHTML'. If an attacker can control the content of 'itemData.drawDescription' (e.g., through a compromised admin account or a backend vulnerability allowing injection into draw data), they can inject malicious scripts, leading to XSS attacks against users viewing the ticket page.
Resolved
#2 high Issue
Sensitive Data Exposure - JWT in localStorage
The application stores the JSON Web Token (JWT) and user information (including role) in localStorage. localStorage is accessible by any JavaScript code running on the same origin, making the JWT susceptible to theft if an XSS vulnerability exists anywhere in the application. A stolen JWT can be used to impersonate the user.
Resolved
#3 high Issue
Insufficient Authorization Enforcement (Client-Side Reliance)
The application uses client-side checks based on 'userInfo.role' (from localStorage via UserContext) to render admin UI and routes. While this provides a good user experience, it is not a security boundary. If backend API endpoints do not independently verify the JWT and enforce that the user has the 'admin' role, an attacker could bypass client-side controls (e.g., by modifying localStorage and directly calling admin API endpoints) to gain unauthorized access to admin functionalities.
medium Issues | 3 findings
Resolved
#1 medium Issue
Trusting Client-Side Data for Critical Operation (Ticket Price)
In the 'purchaseTicket' function, the 'cost' of the ticket, although initially fetched from the backend, is passed through client-side logic and then used to determine the payment amount for on-chain transactions. A malicious user could potentially manipulate this 'cost' on the client-side before the payment functions ('payInSol', 'payInUSDT') are called. The backend must re-validate the price.
Resolved
#2 medium Issue
Incomplete Logout on Client-Side Token Expiry Detection
The 'useCheckAuthRedirect' hook's 'checkTokenExpiration' function removes 'userInfo' from localStorage upon detecting an expired or invalid token but does not call the 'logout()' function from 'UserContext'. The 'logout()' function is responsible for clearing 'isAuthenticated' from localStorage and updating the context's state. This discrepancy could lead to inconsistent UI or behavior where the application briefly considers the user authenticated despite an expired token.
Resolved
#3 medium Issue
Insecure WebSocket Configuration/Authentication
The WebSocket connection is initialized via 'VITE_API_SOCKET_URL'. 1. It's not explicitly configured for WSS, potentially allowing unencrypted WS if the server doesn't enforce it. 2. There is no visible mechanism for passing the user's JWT to authenticate the WebSocket connection itself. This could allow unauthenticated users to connect or access unauthorized socket rooms/events if not handled server-side (e.g., via cookies, though explicit token auth is better for SPAs).
low Issues | 2 findings
Resolved
#1 low Issue
Manual Attachment of Authorization Headers
The JWT Bearer token is manually added to the 'headers' option of each Axios API call throughout the application. This pattern is prone to error, as a developer might forget to include the header for a protected endpoint.
Resolved
#2 low Issue
Potentially Redundant Nested Context Provider
The 'AdminSidebar.tsx' component, which is itself rendered within the context of a 'UserProvider' from 'App.tsx', wraps its own routes in another '<UserProvider>'. This is likely unnecessary and could lead to confusion or subtle bugs if the context values were to diverge.
informational Issues | 1 findings
Resolved
#1 informational Issue
Client-Exposed Configuration Variables
Environment variables like 'VITE_API_REOWNKIT_PROJECTID', 'VITE_API_ADMIN_WALLET_ADDRESS', 'VITE_API_URL', 'VITE_API_RPC_URL', and 'VITE_API_SOCKET_URL' are embedded in the client-side bundle. This is typical for frontend applications but means these endpoints and addresses are publicly visible.