
Overview
As blockchain-based gaming and NFT systems gain traction, the underlying infrastructure must be built on hardened, auditable foundations. LoL Land, developed by YGG (Yield Guild Games) and deployed on the EVM-compatible Abstract Chain, features off-chain signature-based claiming, token deposits, and ERC-721-compliant minting, all of which introduce complex risks around replay protection, token accounting, and backend coordination.
FailSafe was engaged to audit the smart contract suite underpinning LoL Land, with focused priority on domain separation, SafeERC20 adherence, input parameter bounds, and lifecycle controls across both fungible and non-fungible token flows.
This case study details the audit lifecycle: our testing methodology, the specific vulnerabilities discovered, their impact scope, and the mitigation strategies advised. It serves smart contract engineers and protocol teams looking to secure cross-domain minting and claiming systems with off-chain orchestration.
Project Details
Project: LoL Land by YGG (Solidity)
URL: https://www.lol.land
Source Code: https://github.com/YGG-Vietnam/LOLLANDSC
Initial Commit: 57f125c79513f55ebc0e7871036124a80d338bf9
Timeline: 19th May 2025 – 2nd June 2025
Findings Summary
We identified six issues across various levels of severity. All findings were reported to the LoL Land team, with two fully resolved, three acknowledged, and one partially mitigated during follow-up implementation reviews.
| ID | Title | Severity | Status |
|---|---|---|---|
| 01 | Missing Domain Separation Enables Cross-Instance Signature Replay | High | Resolved |
| 02 | Zero-Amount ETH Deposits Enable Package-ID Spam and Backend Griefing | High | Partially Resolved |
| 03 | Unsafe ERC-20 Deposit Calls Allow Silent Failures | Medium | Resolved |
| 04 | Unrestricted redeemType Parameter Allows Arbitrary Values | Medium | Acknowledged |
| 05 | No Maximum Cap on Per-Avatar Mint Allowances | Low | Acknowledged |
| 06 | Best-Practice Enhancements for Withdrawals and Deposit Logic | Info | Acknowledged |
1. Missing Domain Separation Enables Cross-Instance Signature Replay
Severity: High
Status: Resolved
Overview:
The claimTokens logic verified ECDSA signatures over a payload that did not encode the verifying contract address or the chain ID. A valid signature issued for one deployment therefore verified on any other deployment (on the same chain, a fork, or another EVM chain) that trusted the same signer key, allowing claims to be replayed and funds drained across instances.
Comment:
Resolved by introducing domain separation: the signed data now commits to address(this) and block.chainid, in line with EIP-712 structured signing, so a signature is only valid for the deployment and chain it was issued for.
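The following is an added illustration written for this case study, not LoL Land's code: a minimal "before" claim contract whose digest omits the chain ID and contract address, next to a hardened version built on OpenZeppelin's EIP712 base so that the domain separator binds block.chainid and address(this). The contract names, the `Claim` struct, the domain name "LoLLandClaim" and the version "1" are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";

/// Illustrative "before" contract (not LoL Land's code). The signed payload
/// contains only the claim fields, so the same signature verifies on every
/// deployment that trusts the same backend signer. Per-contract nonce
/// bookkeeping does not help: each deployment has its own usedNonces storage.
contract ClaimBefore {
    address public immutable signer;
    mapping(uint256 => bool) public usedNonces;

    event Claimed(address indexed to, uint256 amount, uint256 nonce);

    constructor(address backendSigner) {
        signer = backendSigner;
    }

    function claimTokens(address to, uint256 amount, uint256 nonce, bytes calldata signature) external {
        // VULNERABLE: no chain id and no verifying-contract address in the digest.
        bytes32 innerHash = keccak256(abi.encode(to, amount, nonce));
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", innerHash));
        require(ECDSA.recover(digest, signature) == signer, "invalid signature");
        require(!usedNonces[nonce], "nonce used");
        usedNonces[nonce] = true;
        emit Claimed(to, amount, nonce);
        // token transfer omitted; it is not relevant to the replay issue
    }
}

/// Hardened version. EIP712's domain separator commits to block.chainid and
/// address(this), so a digest produced for one deployment is rejected by any
/// other deployment even when both trust the same signer key.
contract ClaimAfter is EIP712 {
    bytes32 private constant CLAIM_TYPEHASH =
        keccak256("Claim(address to,uint256 amount,uint256 nonce)");

    address public immutable signer;
    mapping(uint256 => bool) public usedNonces;

    event Claimed(address indexed to, uint256 amount, uint256 nonce);

    // "LoLLandClaim" / "1" are placeholder domain name and version.
    constructor(address backendSigner) EIP712("LoLLandClaim", "1") {
        signer = backendSigner;
    }

    function claimTokens(address to, uint256 amount, uint256 nonce, bytes calldata signature) external {
        bytes32 structHash = keccak256(abi.encode(CLAIM_TYPEHASH, to, amount, nonce));
        // _hashTypedDataV4 prepends "\x19\x01" and the domain separator, which
        // OpenZeppelin rebuilds from block.chainid and address(this) if the
        // chain id changes (e.g. after a fork).
        bytes32 digest = _hashTypedDataV4(structHash);
        require(ECDSA.recover(digest, signature) == signer, "invalid signature");
        require(!usedNonces[nonce], "nonce used");
        usedNonces[nonce] = true;
        emit Claimed(to, amount, nonce);
    }

    /// Exposed so the off-chain signer (e.g. ethers' signTypedData) and the
    /// contract can be checked for agreement on the digest before go-live.
    function claimDigest(address to, uint256 amount, uint256 nonce) external view returns (bytes32) {
        return _hashTypedDataV4(keccak256(abi.encode(CLAIM_TYPEHASH, to, amount, nonce)));
    }
}
```

A useful integration check is to deploy two instances of `ClaimAfter` with the same signer and confirm that a signature accepted by one reverts on the other; with `ClaimBefore` the second instance accepts it, because its `usedNonces` mapping is empty.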
2. Zero-Amount ETH Deposits Enable Package-ID Spam and Backend Griefing
Severity: High
Status: Partially Resolved
Overview:
ETH deposits with amount = 0 still emitted TokenDeposited events carrying arbitrary packageId values. Because the backend relies on event indexing to credit in-game rewards and purchases, an attacker could flood it with cost-free deposit events, griefing the indexer and potentially injecting bogus or duplicate package records.
Comment:
The griefing vector is mitigated by rejecting zero-amount deposits on-chain. However, full protection against duplicate or malicious packageId values still depends on backend-side validation and sequencing enforcement, which was pending at the time of the follow-up review.
3. Unsafe ERC-20 Deposit Calls Allow Silent Failures
Severity: Medium
Status: Resolved
Overview:
The deposit functions pulled tokens with raw transferFrom calls and did not check the return value. For a non-standard ERC-20 that returns false instead of reverting on failure, the transfer would silently not happen while the contract still emitted a TokenDeposited event, so the backend would credit a deposit that never arrived.
4. Unrestricted redeemType Parameter Allows Arbitrary Values
Severity: Medium
Status: Acknowledged
Overview:
The redeemType argument was not validated or restricted, so any uint256 value was accepted on-chain and emitted to the backend. Off-chain systems that expect a defined set of enum values could misroute such deposits into unrecognized or unintended redemption flows.
Comment:
The developers acknowledged the finding.
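Findings 2, 3 and 4 all concern the input side of the deposit path, so the added example below shows them fixed together in one illustrative deposit contract. This is example code written for this write-up, not LoL Land's contract: the `DepositVault` name, the `RedeemType` enum values and the token allowlist are assumptions, and the balance-delta accounting goes slightly beyond the report by also handling fee-on-transfer tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative deposit contract (not LoL Land's code) showing three fixes
/// together: reject zero amounts, pull tokens through SafeERC20 and emit only
/// after the transfer is known to have succeeded, and validate redeemType
/// against a fixed enum instead of accepting any integer.
contract DepositVault {
    using SafeERC20 for IERC20;

    // Hypothetical redemption kinds; slot 0 is reserved as "unset".
    enum RedeemType { None, Package, Avatar, Boost }

    event TokenDeposited(
        address indexed from,
        address indexed token,     // address(0) for native ETH
        uint256 amount,
        uint256 indexed packageId,
        RedeemType redeemType
    );

    error ZeroAmount();
    error TokenNotAllowed(address token);
    error InvalidRedeemType(uint256 raw);

    address public owner;
    mapping(address => bool) public allowedTokens;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTokens[token] = allowed;
    }

    function depositETH(uint256 packageId, uint256 redeemTypeRaw) external payable {
        if (msg.value == 0) revert ZeroAmount();           // finding 2: no free events
        RedeemType kind = _parseRedeemType(redeemTypeRaw); // finding 4: bounded enum
        emit TokenDeposited(msg.sender, address(0), msg.value, packageId, kind);
    }

    function depositToken(address token, uint256 amount, uint256 packageId, uint256 redeemTypeRaw) external {
        if (amount == 0) revert ZeroAmount();
        if (!allowedTokens[token]) revert TokenNotAllowed(token);
        RedeemType kind = _parseRedeemType(redeemTypeRaw);

        // finding 3: safeTransferFrom reverts on a false return value and
        // tolerates tokens that return no value at all, so a failed pull can
        // never reach the emit below. Measuring the balance delta credits only
        // what actually arrived, which matters for fee-on-transfer tokens.
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        if (received == 0) revert ZeroAmount();

        emit TokenDeposited(msg.sender, token, received, packageId, kind);
    }

    function _parseRedeemType(uint256 raw) internal pure returns (RedeemType) {
        // Reject 0 (unset) and anything above the last enum member with a
        // descriptive error instead of a bare panic from the enum conversion.
        if (raw == 0 || raw > uint256(type(RedeemType).max)) revert InvalidRedeemType(raw);
        return RedeemType(raw);
    }
}
```

The event is deliberately emitted last in `depositToken`, after the external call, so that an indexer that only trusts emitted events can never see a deposit the contract did not actually receive. Deduplication of packageId is left where the report leaves it, with the backend; an on-chain `mapping(uint256 => bool)` of consumed packageIds would be the alternative if the backend cannot enforce sequencing.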
5. No Maximum Cap on Per-Avatar Mint Allowances
Severity: Low
Status: Acknowledged
Overview:
The purchasePackageWithDeposit function allowed mint allowances per avatar to be increased without any upper bound. A compromised backend key could therefore authorize mass minting, undermining rarity and breaking the collection's intended supply constraints.
Comment:
No mint caps are currently enforced on-chain. The developers acknowledged the risk and plan to monitor mint behaviour closely on the backend; a cap may be added in a future release if abuse is observed.
6. Best-Practice Enhancements for Withdrawals and Deposit Logic
Severity: Info
Status: Acknowledged
Overview:
Recommendations were made to:
- Emit explicit events (YggWithdrawn, CollectedFundsWithdrawn) for better fund transparency.
- Add sanity checks to withdrawal balance logic.
- Limit batch sizes in mint operations to avoid out-of-gas risks.
Comment:
The developers acknowledged the recommendations.
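Findings 5 and 6 both concern lifecycle controls on the minting and withdrawal side, so one added example covers both. It is illustrative code written for this case study, not LoL Land's contract: the `AvatarMint` name, the cap of 20 mints per avatar, the batch limit of 50, the supply of 10,000 and the single `backend` authoriser are all assumptions chosen to show the shape of the controls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

/// Illustrative avatar minter (not LoL Land's code). Allowance grants are
/// capped per avatar so a leaked backend key cannot authorise unlimited
/// minting, batch mints are size-limited, and withdrawals check the balance
/// and emit an explicit event.
contract AvatarMint is ERC721 {
    uint256 public constant MAX_ALLOWANCE_PER_AVATAR = 20;  // hypothetical cap
    uint256 public constant MAX_BATCH = 50;                 // hypothetical gas guard
    uint256 public constant MAX_SUPPLY = 10_000;            // hypothetical collection size

    address public owner;
    address public backend;
    uint256 public nextTokenId;

    // avatarId => allowance granted so far (cumulative, never decremented)
    mapping(uint256 => uint256) public allowanceGranted;
    // avatarId => tokens actually minted against that allowance
    mapping(uint256 => uint256) public minted;

    event AllowanceGranted(uint256 indexed avatarId, uint256 added, uint256 total);
    event CollectedFundsWithdrawn(address indexed to, uint256 amount);

    error NotAuthorized();
    error CapExceeded(uint256 avatarId, uint256 requestedTotal, uint256 cap);
    error BatchTooLarge(uint256 count, uint256 max);
    error AllowanceExhausted(uint256 avatarId, uint256 remaining);
    error SupplyExceeded();
    error InsufficientBalance(uint256 requested, uint256 available);
    error TransferFailed();

    constructor(address backendSigner) ERC721("Avatar", "AVT") {
        owner = msg.sender;
        backend = backendSigner;
    }

    /// Backend-authorised allowance grant (finding 5). The cumulative total is
    /// checked, so many small grants cannot add up past the cap either.
    function grantAllowance(uint256 avatarId, uint256 amount) external {
        if (msg.sender != backend) revert NotAuthorized();
        uint256 total = allowanceGranted[avatarId] + amount;
        if (total > MAX_ALLOWANCE_PER_AVATAR) revert CapExceeded(avatarId, total, MAX_ALLOWANCE_PER_AVATAR);
        allowanceGranted[avatarId] = total;
        emit AllowanceGranted(avatarId, amount, total);
    }

    /// Mints `count` tokens against an avatar's remaining allowance, with a
    /// batch ceiling so a single call cannot run out of gas (finding 6).
    function mintBatch(address to, uint256 avatarId, uint256 count) external {
        if (msg.sender != backend) revert NotAuthorized();
        if (count == 0 || count > MAX_BATCH) revert BatchTooLarge(count, MAX_BATCH);
        uint256 remaining = allowanceGranted[avatarId] - minted[avatarId];
        if (count > remaining) revert AllowanceExhausted(avatarId, remaining);
        if (nextTokenId + count > MAX_SUPPLY) revert SupplyExceeded();

        // State is updated before _safeMint, whose onERC721Received callback
        // could otherwise re-enter with stale allowance and supply counters.
        minted[avatarId] += count;
        uint256 start = nextTokenId;
        nextTokenId = start + count;
        for (uint256 i = 0; i < count; ++i) {
            _safeMint(to, start + i);
        }
    }

    function remainingAllowance(uint256 avatarId) external view returns (uint256) {
        return allowanceGranted[avatarId] - minted[avatarId];
    }

    /// Owner withdrawal with an explicit balance check and event (finding 6).
    function withdrawCollectedFunds(address payable to, uint256 amount) external {
        if (msg.sender != owner) revert NotAuthorized();
        uint256 available = address(this).balance;
        if (amount > available) revert InsufficientBalance(amount, available);
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit CollectedFundsWithdrawn(to, amount);
    }

    receive() external payable {}
}
```

Keeping `allowanceGranted` cumulative rather than decrementing it is what makes the cap meaningful: a backend that grants, mints, and grants again is still bounded by `MAX_ALLOWANCE_PER_AVATAR` over the avatar's lifetime, which is the property a compromised key would otherwise break.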
Conclusion
The LoL Land audit illustrates the risks specific to systems that couple on-chain contracts with off-chain orchestration and signature-based flows. The overall design is sound, but controls such as domain separation, strict input validation, and defensive event handling are what keep the backend's view of on-chain state trustworthy, and therefore what protect users.
FailSafe's assessment covered not only smart contract correctness but also alignment with the off-chain dependencies that consume contract events, behaviour under adversarial inputs, and gas-aware batch design. The LoL Land team responded quickly and implemented the highest-impact fixes, indicating a mature security posture ahead of broader user rollout.
For technical integration support, or to initiate a similar audit, contact us for a quote!