A Spearbit Case Study: SAP

Spearbit

July 22, 2024

This article explores the successful collaboration between SAP, a leader in enterprise application software, and Spearbit, a network of top security researchers, to conduct a security review of SAP's NFT Management platform.

Key Stakeholders

SAP

As the market leader in enterprise application software, SAP helps companies of all sizes and in all industries redefine ERP and create networks of intelligent enterprises. Their end-to-end suite of applications and services enables their customers to operate profitably, adapt continuously, and make a difference worldwide. Their NFT Management platform empowers companies to leverage a new type of consumer asset class based on blockchain technology and smart contracts.

Spearbit

Spearbit is a distributed industry-leading blockchain security services firm pairing clients with top security researchers having deep subject matter expertise in Web3 security to identify vulnerabilities in an ever-evolving landscape. Spearbit serves as a node in the ever-expanding Cantina network.

Why does Spearbit work with SAP?

As demonstrated through the creation of their NFT Management platform, SAP is on a mission to integrate digital assets into mainstream consumer activity while maintaining the industry-leading level of security, trust and compliance they have become known for. This push for adoption of blockchain technology in a secure manner aligns directly with Spearbit’s own goals, and as such, SAP is the ideal client to support with our network of the best web3 security talent.

Why does SAP work with Spearbit?

Security is a key pillar of SAP’s provision of enterprise application software. The team aims to foster trust by taking responsible actions in the context of security. They work to build secure-by-design solutions to assist their customers in maintaining best-in-class levels of security, privacy, compliance and transparency. External security reviews are not common practice in B2B enterprises, yet the SAP team identified the benefits of including one as an addition to their responsible action program. External security reviews offer diverse, industry-specific perspectives and recommendations, and Spearbit is the leader in conducting these for web3 technologies. With the Spearbit team’s assistance, SAP was able to select and engage a security researcher who identified a range of vulnerabilities in their codebase, provided mitigation suggestions, and enhanced their solution to be able to serve their clients at scale.

Spearbit’s experience reviewing SAP’s NFT Management platform

From March 26th to March 27th, 2024, the Spearbit team conducted a review of SAP’s NFT Management platform.

The security researcher, Mridul Garg, noted that SAP’s design was well thought out, with the team clearly defining the responsibilities and privileges of different actors. This made it more straightforward to ensure that the code was following the intended rules of the system.

In addition, he commended their dedication towards collaboration. SAP’s team was responsive and open to feedback on all aspects of the system, which helped the review run seamlessly. They initiated the process with a walkthrough of the design and the code, and worked together on splitting the fixes to align with each issue.

SAP’s experience with Spearbit

The collaboration with Spearbit commenced after careful evaluation of multiple audit firms, with Spearbit distinguished by its professionalism and expertise. Communication with the team was seamless, facilitating an efficient process from day one.

The security review centered on the series of smart contracts supporting the NFT Management platform. This encompassed the NFT contracts, associated code, and all elements related to the deployment of digital assets for SAP’s clients, aimed at ensuring a trusted distribution process.

A standout feature of the collaboration with Spearbit was the selection of exceptional security talent to support the project. The platform's intricate nature necessitated the ability to handle hundreds of thousands of mints for clients at any given moment. Assigning the appropriate security researcher ensured the review maintained the highest standards.

Another notable highlight was the researcher’s expertise and meticulous approach. Their comprehensive examination of the codebase left no detail overlooked, addressing critical issues and optimizing gas usage to fortify the platform against potential threats. Spearbit's involvement uncovered previously unnoticed vulnerabilities and strengthened the platform’s defenses.

The optimizations in gas usage were particularly significant, identifying the most cost-effective methods for operating at scale, a critical consideration given the platform’s regular distribution of hundreds of thousands of NFTs to clients. Additionally, actionable recommendations and effective guidance through the mitigation process ensured issues were addressed promptly and effectively.

Overall, this review exemplified a dedication to providing a secure and reliable means of leveraging this emerging consumer asset class, achieving SAP’s intended goals effectively.

Conclusion

The initiative taken by the NFT Management platform team in working with Spearbit demonstrated a novel approach to achieving SAP’s wider security objectives. The collaboration between the parties allowed for the security researcher to conduct a comprehensive review and provide actionable recommendations to optimize the project.

Looking for a Security Review?

We partner with leading protocols such as Euler, Optimism, Blast, zkSync, Polygon, and Aave to provide the best possible standard of security across the crypto industry.

Interested in a review by a curated team of Web3’s leading security researchers?

Visit us at spearbit.com