STEPN Audit Report
Copyright © 2022 by Verilog Solutions. All rights reserved.April 4, 2022
by Verilog Solutions
This report presents our engineering engagement with STEPN, a Game-Fi/Social-Fi Web3 application. Users could acquire STEPN NFT sneakers and earn rewards by engaging in outdoor activities. STEPN has two tokens: GST & GMT.
| Project Name | STEPN |
|---|---|
| Repository Link | |
| Commit Hash | c07ff86e5e8060de0cd10d6842405964c2cc5d13 |
| Language | Solidity, Rust |
| Chain | BSC, Solana |
About Verilog Solutions
About Verilog Solutions
Founded by a group of cryptography researchers and smart contract engineers in North America, Verilog Solutions elevates the security standard for Web3 ecosystems by being a full-stack Web3 security firm covering smart contract security, consensus security, and operational security for Web3 projects.
Verilog Solutions team works closely with major ecosystems and Web3 projects and applies a quality above quantity approach with a continuous security model. Verilog Solutions onboards the best and most innovative projects and provides the best-in-class advisory service on security needs, including on-chain and off-chain components.
Table of Contents
Table of Contents
Service Scope
Service Scope
Service Stages
Service Stages
Our auditing service for STEPN includes the following two stages:
- Pre-Audit Consulting Service
- Audit Service
- Pre-Audit Consulting Service
As a part of the pre-audit service, the Verilog Solutions team worked closely with the STEPN development team to discuss potential vulnerability and smart contract development best practices in a timely fashion. Verilog Solutions team is very appreciative of establishing an efficient and effective communication channel with the STEPN team, as new findings are often exchanged promptly and fixes were deployed quickly, during the preliminary report stage.
- Audit Service
The Verilog Solutions team conducted a thorough study of the STEPN code. The list of findings, along with the severity and solution, is available under the section Findings & Improvement Suggestions.
Methodology
Methodology
- Code Assessment
- We evaluate the overall quality of the code and comments as well as the architecture of the repository.
- We help the project dev team improve the overall quality of the repository by providing suggestions on refactorization to follow the best practice of Web3 software engineering.
- Code Logic Analysis
- We dive into the data structures and algorithms in the repository and provide suggestions to improve the data structures and algorithms for the lower time and space complexities.
- We analyze the hierarchy among multiple modules and the relations among the source code files in the repository and provide suggestions to improve the code architecture with better readability, reusability, and extensibility.
- Access Control Analysis
- We perform a comprehensive assessment of the special roles of the project, including their authorities and privileges.
- We provide suggestions regarding the best practice of privilege role management according to the standard operating procedures (SOP).
Audit Scope
Audit Scope
Our auditing for STEPN covered the repository:
- https://github.com/stepnxyz/bnbcontracts:
commit hash c07ff86e5e8060de0cd10d6842405964c2cc5d13
contains the smart contracts source code for GST & upcoming BSC NFT contract.
Project Summary
Project Summary
STEPN is a Game-Fi/Social-Fi project with a dual-token system (GMT and GST) and an NFT system (STEPN Sneaker). Users acquire the STEPN Sneaker to participate in the move-and-earn program and earn GST and/or GMT. GMT and GST can be used to upgrade Sneakers and increase the rate of earning. GMT is the governance token, and it is currently deployed on Solana and BNB Chain. GST is the unlimited-supply reward token, and it is currently deployed on Solana.
Findings & Improvement Suggestions
Findings & Improvement Suggestions
| Severity | Total | Acknowledged | Resolved |
| High | 0 | 0 | 0 |
| Medium | 2 | 2 | 0 |
| Low | 0 | 0 | 0 |
| Informational | 0 | 0 | 0 |
High
High
none ; )
Medium
Medium
- Centralization Risks on
GreenSatoshiToken.solSeverity Medium Source contracts/GreenSatoshiToken.sol: #L16 Status Acknowledged Description
The current contract code, GST token has centralization risks which means the project team has the ability to control the token supply without any limitation.
GreenSatoshiToken.solis an ERC20 standard token contract, it inherits openzeppelin’sERC20.sol,ERC20Burnable.sol, andOwnable.sol. GST token has amint()function which allowsOwnerof the contract to mint more tokens to a certain address.We do not suggest this type of owner address to be an EOA because private key leaks may result in the unlimited token supply issue. Besides, some hard-coded limitations such as limited inflation rate, and limitation on interaction per day would help to enhance the overall security as well.
Exploit Scenario
Since the current contract design involves admin control. Thus, the leakage of the
owner's private key may result in irreparable loss. The hacker who got access to the contract address can call functiontransferOwnership()to change theownerto a new address that is fully controlled by the hacker himself.
Recommendations
uses a
multi-sig walletto prevent a single point of failure. Moreover, each signer of themulti-sig walletshould use a hardware wallet to securely manage their private key.
Results
Acknowledged.
[Reply from Project Team] As disclosed in the STEPN white paper, GST has an unlimited supply therefore we have to enable the function to mint an unlimited amount of GST.
- Centralization Risks on
STEPNNFT.solSeverity Medium Source contracts/STEPNNFT.sol: #L28 Status Acknowledged Description
The current
STEPNNFTcontract comes with centralization risks, which means the project team has control over supply of ERC721 tokens.STEPNNFT.solinherits methods from openzeppelin’sERC721.solandOwnable.solcontracts which come with the_safemint()function andonlyOwner()modifier respectively. In this case, themint()function fromSTEPNNFT.solallows the owner to mint unlimited NFT tokens with thetokenIdspecified in the second parameter to theaddressspecified in the first parameter.A private key leak from the owner of the contract may result in the supply of NFT tokens without limitations. Furthermore, restrictions over the interaction or amount of tokens allowed to be minted during a certain time would help improve the security.
Exploit Scenario
Since the current contract design involves admin control, the leakage of the
owner's private key may result in irreparable loss. The hacker who got access to the contract address can call functiontransferOwnership()to change theownerto a new address that is fully controlled by the hacker himself.
Recommendations
The use of a
multi-sigwallet would prevent a single point of failure. Moreover, each signer of themulti-sig walletshould use a hardware wallet to securely store their private key.
Results
Acknowledged.
[Reply from Project Team] STEPN’s NFT sneaker also has an unlimited supply, therefore we have to beagle the function to allow an unlimited amount of NFT sneakers to be minted by our users.
Low
Low
none ; )
Informational
Informational
none ; )
Access Control Analysis
Access Control Analysis
Below is the summary of GMT & GST token info:
| Network | Token | Token Address |
|---|---|---|
| Solana | GMT | 7i5KKsX2weiTkry7jA4ZwSuXGhs5eJBEjY8vVxR4pfRx |
| Solana | GST | AFbX8oGjGpmVFywbVouvhQSRmiW2aR1mohfahi4Y2AdB |
| BNB | GMT | 0x3019BF2a2eF8040C242C9a4c5c4BD4C81678b2A1 |
| BNB | GST | n/a (coming soon) |
Deployment on Solana
Deployment on Solana
STEPN dev team used Solana Token Program to create both GMT & GST tokens. Token Program defines a common implementation for Fungible and Non-Fungible tokens.
The document of the Token Program: https://spl.solana.com/token
The Github of Token Program: https://github.com/solana-labs/solana-program-library
As can be seen from the Solscan, both GMT & GST tokens used Solana Token Program:
Besides, the STEPN project dev team already turned off the emission right for GMT Token as can be seen in the screenshot, GMT token has a fixed supply.
Deployment on BNB Chain
Deployment on BNB Chain
Currently, only the GMT token has been deployed on BNB Chain, and the token has been implemented by the Binance Bridge team. The contract deployment address is 0x3019BF2a2eF8040C242C9a4c5c4BD4C81678b2A1.
Below is the summary of the GMT token on the BNB Chain:
GMT Info
| Title | Info |
|---|---|
| Network | BNB Chain |
| Token | GMT |
| Upgradable Contract? | Yes |
| Proxy Address | 0x3019BF2a2eF8040C242C9a4c5c4BD4C81678b2A1 |
| Implementation Address | 0xba5fe23f8a3a24bed3236f05f2fcf35fd0bf0b5c |
Implementation Contract Source Code can be found in GMT BNB Implementation. In summary, the implemented smart contracts follow the ERC20 standards.
Reference Code
Reference Code
In this section, we listed the deployed contract on-chain for your reference.
GST Token Contract
GST Token Contract
STEPN team implemented a solidity version of GST token, which uses Openzeppelin’s ERC20 standard libraries:
// contracts/GreenSatoshiToken.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
/**
* Green Satoshi Token
* @author STEPN
*/
contract GreenSatoshiToken is ERC20, ERC20Burnable, Ownable {
constructor() ERC20("GreenSatoshiToken", "GST") {}
function mint(address to, uint256 amount) public onlyOwner {
_mint(to, amount);
}
function decimals() public view virtual override returns (uint8) {
return 8;
}
}STEPN NFT contract
STEPN NFT contract
STEPN team implemented a solidity version of GST token, which uses Openzeppelin’s ERC20 standard libraries:
// contracts/STEPNNFT.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
/**
* STEPN NFTs
* @author STEPN
*/
contract STEPNNFT is ERC721Enumerable, Ownable {
// base uri for nfts
string private _buri;
constructor() ERC721("STEPNNFT", "SNFT") {}
function _baseURI() internal view override returns (string memory) {
return _buri;
}
function setBaseURI(string memory buri) public onlyOwner {
require(bytes(buri).length > 0, "wrong base uri");
_buri = buri;
}
function mint(address to, uint256 tokenId) public onlyOwner {
_safeMint(to, tokenId);
}
function burn(uint256 tokenId) public virtual {
require(
_isApprovedOrOwner(_msgSender(), tokenId),
"burn caller is not owner nor approved"
);
_burn(tokenId);
}
}Appendix I: Severity Categories
Appendix I: Severity Categories
| Severity | Description |
|---|---|
| High | Issues that are highly exploitable security vulnerabilities. It may cause direct loss of funds / permanent freezing of funds. All high severity issues should be resolved. |
| Medium | Issues that are only exploitable under some conditions or with some privileged access to the system. Users’ yields/rewards/information is at risk. All medium severity issues should be resolved unless there is a clear reason not to. |
| Low | Issues that are low risk. Not fixing those issues will not result in the failure of the system. A fix on low severity issues is recommended but subject to the clients’ decisions. |
| Informational | Issues that pose no risk to the system and are related to the security best practices. Not fixing those issues will not result in the failure of the system. A fix on informational issues or adoption of those security best practices-related suggestions is recommended but subject to clients’ decision. |
Appendix II: Status Categories
Appendix II: Status Categories
| Status | Description |
|---|---|
| Unresolved | The issue is not acknowledged and not resolved. |
| Partially Resolved | The issue has been partially resolved |
| Acknowledged | The Finding / Suggestion is acknowledged but not fixed / not implemented. |
| Resolved | The issue has been sufficiently resolved |
Disclaimer
Disclaimer
Verilog Solutions receives compensation from one or more clients for performing the smart contract and auditing analysis contained in these reports. The report created is solely for Clients and published with their consent. As such, the scope of our audit is limited to a review of code, and only the code we note as being within the scope of our audit is detailed in this report. It is important to note that the Solidity code itself presents unique and unquantifiable risks since the Solidity language itself remains under current development and is subject to unknown risks and flaws. Our sole goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies. Thus, Verilog Solutions in no way claims any guarantee of security or functionality of the technology we agree to analyze.
In addition, Verilog Solutions reports do not provide any indication of the technologies proprietors, business, business model, or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project. Verilog Solutions has the right to distribute the Report through other means, including via Verilog Solutions publications and other distributions. Verilog Solutions makes the reports available to parties other than the Clients (i.e., “third parties”) – on its website in hopes that it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.