GameFi rookie debuts: Fren Pet, a full-chain game from a security perspective

After the Friend.tech craze subsided, Fren Pet, a full-chain game built by two developers, captured the market’s attention. From November 19th to 20th, thanks to official attention from Base and Fren Pet’s referral-driven social gameplay, Fren Pet spread rapidly across social media and became a GameFi rookie.

While the number of Fren Pet users is growing rapidly, its security has received little scrutiny. Today, the Beosin security team will analyze the design mechanism and contract code of Fren Pet to help you understand the potential risks.


Mechanism analysis of Fren Pet

Fren Pet’s current game consists of pet minting, pet feeding, pet battles against other users, a wheel of fortune, and dice rolling. Users who want to participate in Fren Pet first need to mint a pet (an NFT); minting each pet costs 100 FP tokens (if other users subsequently mint pets, the spent FP is returned to the user). Users then need to pay FP tokens to buy apples, coffee and other props to feed their pets, to keep the pet’s TOD (Countdown to Death) from reaching zero, at which point the NFT they hold is automatically destroyed.


Feeding pets earns Pet Points; the higher the points, the more ETH rewards a user receives. The ETH rewards come from the transaction tax on FP tokens: each transaction is taxed at 5%, of which 2% is distributed to gamers. Therefore, the more users participate, the greater the demand for FP tokens, the greater the trading volume of FP tokens, and the more ETH is distributed as rewards.

Fren Pet Contract Analysis

Fren Pet’s main contract address is 0x85b157EbaAF289De5301aE6694B651BF3b8df1C3, its NFT contract address is 0x5b51Cf49Cb48617084eF35e7c7d7A21914769ff1, and its token contract address is 0xFF0C532FDB8Cd566Ae169C1CB157ff2Bdc83E105. The Beosin VaaS tool scanned the contracts, and combined with the analysis of Beosin’s security audit experts, the following potential security risks were found:

Figure: Beosin VaaS scan results

Fren Pet Main Contract

The Fren Pet main contract is primarily responsible for the game content and reward distribution mentioned above. Here are some suggestions to improve the security of their contracts:

1. Add nonReentrant modifier

In the redeem and kill functions of the contract, the developer should confirm that the functions are not at risk of re-entrancy attacks. It is recommended to use the nonReentrant modifier from OpenZeppelin’s ReentrancyGuard contract to prevent re-entrancy.
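The following is an added illustration (not Fren Pet’s code) of why the ordering inside a reward-redeem function matters and what the nonReentrant modifier adds on top of it. The pet/reward storage layout and the contract names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin v5 path; in v4 the file lives under security/ReentrancyGuard.sol.
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Illustrative reward-redeem flow; storage layout is assumed, not Fren Pet's code.
contract PetRewardsUnsafe {
    mapping(uint256 => address) public petOwner;      // pet id -> holder
    mapping(uint256 => uint256) public pendingReward; // pet id -> wei owed

    receive() external payable {}

    // Defective ordering: the ETH transfer happens before pendingReward is
    // cleared, so a contract that receives the ETH can call redeem() again
    // from its receive() hook while the reward still reads as unpaid.
    function redeem(uint256 petId) external {
        require(petOwner[petId] == msg.sender, "not owner");
        uint256 amount = pendingReward[petId];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        pendingReward[petId] = 0; // too late
    }
}

contract PetRewardsSafe is ReentrancyGuard {
    mapping(uint256 => address) public petOwner;
    mapping(uint256 => uint256) public pendingReward;

    event Redeemed(uint256 indexed petId, address indexed to, uint256 amount);

    receive() external payable {}

    // nonReentrant rejects any nested entry for the whole call, and the
    // checks-effects-interactions order means that even without the guard a
    // re-entrant call would find pendingReward already zero.
    function redeem(uint256 petId) external nonReentrant {
        require(petOwner[petId] == msg.sender, "not owner");
        uint256 amount = pendingReward[petId];
        require(amount > 0, "nothing to redeem");
        pendingReward[petId] = 0;                         // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
        emit Redeemed(petId, msg.sender, amount);
    }
}
```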


2. Use a secure random number generator

The nonce used by the Fren Pet main contract is generated from block data and the sender address; it is safer to use a Verifiable Random Function such as Chainlink VRF to generate reliable and fair random numbers.
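As an added example (not Fren Pet’s code), the dice-roll contract below places the weak block-and-sender pattern next to a Chainlink VRF v2 request/fulfil flow. The subscription id, key hash and coordinator address are deployment-specific values assumed to be supplied at construction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink VRF v2 (paths as in @chainlink/contracts 0.8.x; older releases put both files one directory up).
import "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

contract DiceRoll is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    uint64 private immutable subId;    // funded VRF subscription id (assumed)
    bytes32 private immutable keyHash; // gas lane for the target network
    mapping(uint256 => address) public requestToPlayer; // pending requests
    mapping(address => uint8) public lastRoll;
    event RollFulfilled(uint256 indexed requestId, address indexed player, uint8 result);

    constructor(address _coordinator, uint64 _subId, bytes32 _keyHash)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        subId = _subId;
        keyHash = _keyHash;
    }

    // Weak pattern of the kind the article describes: every input is known
    // to (or chosen by) the sender before the transaction is mined, so the
    // outcome is predictable rather than random.
    function weakRoll() internal view returns (uint8) {
        bytes32 h = keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp, msg.sender));
        return uint8(uint256(h) % 6) + 1;
    }

    // VRF step 1: commit to a roll; nobody, including the player, knows the
    // outcome yet. Args: key hash, subscription, 3 confirmations, 100k
    // callback gas, 1 random word.
    function rollDice() external returns (uint256 requestId) {
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 100_000, 1);
        requestToPlayer[requestId] = msg.sender;
    }

    // VRF step 2: the coordinator calls back with a word whose proof was
    // verified on-chain; the base contract ensures only the coordinator can.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address player = requestToPlayer[requestId];
        require(player != address(0), "unknown request");
        delete requestToPlayer[requestId]; // one fulfilment per request
        uint8 result = uint8(randomWords[0] % 6) + 1;
        lastRoll[player] = result;
        emit RollFulfilled(requestId, player, result);
    }
}
```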


3. Pay attention to access control

The Fren Pet main contract uses the isApproved modifier to control whether the caller has permission to call a function. This requires the developer to be very familiar with the project’s business logic and to confirm that the permission check cannot be bypassed. In the Fren Pet V2 contract, access control still needs attention.

Fren Pet NFT Contract

The overall structure of the Fren Pet NFT contract is as follows:


The FrenpetNFT contract inherits ERC721 and is responsible for the minting and burning of NFTs, while IRenderer is responsible for processing the metadata of Fren Pet NFTs. It is recommended to emit events when its setRenderer and setMinter functions are called, so that outside observers can listen for and track changes to these addresses.


Fren Pet Token Contract

1. Centralization Risk

The token contract has multiple onlyOwner functions, such as the blacklist function and the updateBuyFees function. These functions can have a huge impact on token trading: the owner of the contract can modify the transaction fee, block users from buying or selling, and add addresses to a blacklist.


2. Missing timelock

The Fren Pet token contract has no timelock limiting the operating rights of the contract owner. While some functions in the contract, such as withdrawStuckToken() and updateSwapEnabled(), allow the contract owner to act on the contract in an emergency to protect user assets, the lack of a timelock means these functions can also be abused. In that case, users and security companies do not have enough time to react to the owner’s actions.
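As an added example (not Fren Pet’s code), the helper below shows how an owner-only change such as updateBuyFees would pass through an OpenZeppelin TimelockController that has been made the token’s owner, so a queued change is visible on-chain for the whole minimum delay before it takes effect. The parameter list of updateBuyFees, the contract names and the admin address are assumed; the helper must hold PROPOSER_ROLE on the timelock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/governance/TimelockController.sol";

// Owner-only setter named in the article; its parameter list is assumed here.
interface IFrenPetToken {
    function updateBuyFees(uint256 marketingFee, uint256 rewardFee) external;
}

// Routes a fee change through a TimelockController that owns the token.
// Assumes this contract holds PROPOSER_ROLE; executors may be the open
// role (address(0)) so that anyone can finalise a matured operation.
contract FeeChangeViaTimelock {
    TimelockController public immutable timelock;
    IFrenPetToken public immutable token;
    address public immutable admin; // project multisig or EOA (assumed)

    event FeeChangeQueued(bytes32 indexed opId, uint256 marketingFee, uint256 rewardFee, uint256 readyAt);

    constructor(TimelockController _timelock, IFrenPetToken _token, address _admin) {
        timelock = _timelock;
        token = _token;
        admin = _admin;
    }

    function _payload(uint256 marketingFee, uint256 rewardFee) internal pure returns (bytes memory) {
        return abi.encodeCall(IFrenPetToken.updateBuyFees, (marketingFee, rewardFee));
    }

    // Step 1: queue. Only an event is emitted; the fee is unchanged until the
    // minimum delay has elapsed, which is the reaction window users lack today.
    function queueFeeChange(uint256 marketingFee, uint256 rewardFee, bytes32 salt) external returns (bytes32 opId) {
        require(msg.sender == admin, "not admin");
        bytes memory data = _payload(marketingFee, rewardFee);
        uint256 delay = timelock.getMinDelay();
        opId = timelock.hashOperation(address(token), 0, data, bytes32(0), salt);
        timelock.schedule(address(token), 0, data, bytes32(0), salt, delay);
        emit FeeChangeQueued(opId, marketingFee, rewardFee, block.timestamp + delay);
    }

    // Step 2: execute once ready; the timelock itself reverts if called early.
    function executeFeeChange(uint256 marketingFee, uint256 rewardFee, bytes32 salt) external {
        timelock.execute(address(token), 0, _payload(marketingFee, rewardFee), bytes32(0), salt);
    }
}
```

Monitoring the timelock’s CallScheduled event gives users and security teams the advance notice the article says is currently missing.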

Beware of phishing risks!

In addition to contract risks, the popularity of Fren Pet means related phishing websites and social media accounts keep appearing. Users are reminded not to click on unverified links, such as links found through Google searches, and it is best to cross-check them through other social platforms. Such fake accounts often tweet that airdrops of related tokens have opened, in order to lure users to phishing websites.

Figure: Fren Pet phishing website

There are some anti-phishing tips to keep in mind to help avoid phishing, or consider installing the Beosin Anti-Phishing plugin to help identify phishing sites.


Download link:

Summary

The Fren Pet contracts have no obvious business-logic vulnerabilities, but the centralization risk of the contracts is obvious, and some of the code could adopt more secure implementations to improve contract security. There have been many GameFi and SocialFi crazes in the market before this, and ordinary users are prone to FOMO and blindly fall into phishing traps. Users need to recognize that Fren Pet is just an attempt by two developers in the Web3 field; they should manage their funds carefully, research the project, and participate rationally.
