STEPN Audit Report

Copyright © 2022 by Verilog Solutions. All rights reserved.

April 4, 2022

by Verilog Solutions

This report presents our engineering engagement with STEPN, a Game-Fi/Social-Fi Web3 application. Users could acquire STEPN NFT sneakers and earn rewards by engaging in outdoor activities. STEPN has two tokens: GST & GMT.

Project NameSTEPN
Repository Link
Commit Hashc07ff86e5e8060de0cd10d6842405964c2cc5d13
Language Solidity, Rust
ChainBSC, Solana

About Verilog Solutions

Founded by a group of cryptography researchers and smart contract engineers in North America, Verilog Solutions elevates the security standard for Web3 ecosystems by being a full-stack Web3 security firm covering smart contract security, consensus security, and operational security for Web3 projects.

Verilog Solutions team works closely with major ecosystems and Web3 projects and applies a quality above quantity approach with a continuous security model. Verilog Solutions onboards the best and most innovative projects and provides the best-in-class advisory service on security needs, including on-chain and off-chain components.

Table of Contents

Service Scope

Service Stages

Our auditing service for STEPN includes the following two stages:

  • Pre-Audit Consulting Service
  • Audit Service
  1. Pre-Audit Consulting Service

    As a part of the pre-audit service, the Verilog Solutions team worked closely with the STEPN development team to discuss potential vulnerability and smart contract development best practices in a timely fashion. Verilog Solutions team is very appreciative of establishing an efficient and effective communication channel with the STEPN team, as new findings are often exchanged promptly and fixes were deployed quickly, during the preliminary report stage.

  1. Audit Service

    The Verilog Solutions team conducted a thorough study of the STEPN code. The list of findings, along with the severity and solution, is available under the section Findings & Improvement Suggestions.

Methodology

  • Code Assessment
    • We evaluate the overall quality of the code and comments as well as the architecture of the repository.
    • We help the project dev team improve the overall quality of the repository by providing suggestions on refactorization to follow the best practice of Web3 software engineering.
  • Code Logic Analysis
    • We dive into the data structures and algorithms in the repository and provide suggestions to improve the data structures and algorithms for the lower time and space complexities.
    • We analyze the hierarchy among multiple modules and the relations among the source code files in the repository and provide suggestions to improve the code architecture with better readability, reusability, and extensibility.
  • Access Control Analysis
    • We perform a comprehensive assessment of the special roles of the project, including their authorities and privileges.
    • We provide suggestions regarding the best practice of privilege role management according to the standard operating procedures (SOP).

Audit Scope

Our auditing for STEPN covered the repository:

Project Summary

STEPN is a Game-Fi/Social-Fi project with a dual-token system (GMT and GST) and an NFT system (STEPN Sneaker). Users acquire the STEPN Sneaker to participate in the move-and-earn program and earn GST and/or GMT. GMT and GST can be used to upgrade Sneakers and increase the rate of earning. GMT is the governance token, and it is currently deployed on Solana and BNB Chain. GST is the unlimited-supply reward token, and it is currently deployed on Solana.

Findings & Improvement Suggestions

SeverityTotalAcknowledgedResolved
High000
Medium220
Low000
Informational000

High

none ; )

Medium

  1. Centralization Risks on GreenSatoshiToken.sol
    SeverityMedium
    Sourcecontracts/GreenSatoshiToken.sol: #L16
    StatusAcknowledged
    • Description

      The current contract code, GST token has centralization risks which means the project team has the ability to control the token supply without any limitation.

      GreenSatoshiToken.sol is an ERC20 standard token contract, it inherits openzeppelin’s ERC20.sol, ERC20Burnable.sol, and Ownable.sol. GST token has a mint() function which allows Owner of the contract to mint more tokens to a certain address.

      We do not suggest this type of owner address to be an EOA because private key leaks may result in the unlimited token supply issue. Besides, some hard-coded limitations such as limited inflation rate, and limitation on interaction per day would help to enhance the overall security as well.

    • Exploit Scenario

      Since the current contract design involves admin control. Thus, the leakage of the owner's private key may result in irreparable loss. The hacker who got access to the contract address can call function transferOwnership() to change the owner to a new address that is fully controlled by the hacker himself.

    • Recommendations

      uses a multi-sig wallet to prevent a single point of failure. Moreover, each signer of the multi-sig wallet should use a hardware wallet to securely manage their private key.

    • Results

      Acknowledged.

      [Reply from Project Team] As disclosed in the STEPN white paper, GST has an unlimited supply therefore we have to enable the function to mint an unlimited amount of GST.

  1. Centralization Risks on STEPNNFT.sol
    SeverityMedium
    Sourcecontracts/STEPNNFT.sol: #L28
    StatusAcknowledged
    • Description

      The current STEPNNFTcontract comes with centralization risks, which means the project team has control over supply of ERC721 tokens.

      STEPNNFT.sol inherits methods from openzeppelin’s ERC721.sol and Ownable.sol contracts which come with the _safemint() function and onlyOwner() modifier respectively. In this case, the mint() function from STEPNNFT.sol allows the owner to mint unlimited NFT tokens with the tokenId specified in the second parameter to the address specified in the first parameter.

      A private key leak from the owner of the contract may result in the supply of NFT tokens without limitations. Furthermore, restrictions over the interaction or amount of tokens allowed to be minted during a certain time would help improve the security.

    • Exploit Scenario

      Since the current contract design involves admin control, the leakage of the owner's private key may result in irreparable loss. The hacker who got access to the contract address can call function transferOwnership() to change the owner to a new address that is fully controlled by the hacker himself.

    • Recommendations

      The use of a multi-sig wallet would prevent a single point of failure. Moreover, each signer of the multi-sig wallet should use a hardware wallet to securely store their private key.

    • Results

      Acknowledged.

      [Reply from Project Team] STEPN’s NFT sneaker also has an unlimited supply, therefore we have to beagle the function to allow an unlimited amount of NFT sneakers to be minted by our users.

Low

none ; )

Informational

none ; )

Access Control Analysis

Below is the summary of GMT & GST token info:

Deployment on Solana

STEPN dev team used Solana Token Program to create both GMT & GST tokens. Token Program defines a common implementation for Fungible and Non-Fungible tokens.

The document of the Token Program: https://spl.solana.com/token

The Github of Token Program: https://github.com/solana-labs/solana-program-library

As can be seen from the Solscan, both GMT & GST tokens used Solana Token Program:

Besides, the STEPN project dev team already turned off the emission right for GMT Token as can be seen in the screenshot, GMT token has a fixed supply.

Deployment on BNB Chain

Currently, only the GMT token has been deployed on BNB Chain, and the token has been implemented by the Binance Bridge team. The contract deployment address is 0x3019BF2a2eF8040C242C9a4c5c4BD4C81678b2A1.

Below is the summary of the GMT token on the BNB Chain:

Implementation Contract Source Code can be found in GMT BNB Implementation. In summary, the implemented smart contracts follow the ERC20 standards.

Reference Code

In this section, we listed the deployed contract on-chain for your reference.

GST Token Contract

STEPN team implemented a solidity version of GST token, which uses Openzeppelin’s ERC20 standard libraries:

// contracts/GreenSatoshiToken.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/**
 * Green Satoshi Token
 * @author STEPN
 */
contract GreenSatoshiToken is ERC20, ERC20Burnable, Ownable {
    constructor() ERC20("GreenSatoshiToken", "GST") {}

    function mint(address to, uint256 amount) public onlyOwner {
        _mint(to, amount);
    }

    function decimals() public view virtual override returns (uint8) {
        return 8;
    }
}

STEPN NFT contract

STEPN team implemented a solidity version of GST token, which uses Openzeppelin’s ERC20 standard libraries:

// contracts/STEPNNFT.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/**
 * STEPN NFTs
 * @author STEPN
 */
contract STEPNNFT is ERC721Enumerable, Ownable {
    // base uri for nfts
    string private _buri;

    constructor() ERC721("STEPNNFT", "SNFT") {}

    function _baseURI() internal view override returns (string memory) {
        return _buri;
    }

    function setBaseURI(string memory buri) public onlyOwner {
        require(bytes(buri).length > 0, "wrong base uri");
        _buri = buri;
    }

    function mint(address to, uint256 tokenId) public onlyOwner {
        _safeMint(to, tokenId);
    }

    function burn(uint256 tokenId) public virtual {
        require(
            _isApprovedOrOwner(_msgSender(), tokenId),
            "burn caller is not owner nor approved"
        );
        _burn(tokenId);
    }
}

Appendix I: Severity Categories

SeverityDescription
HighIssues that are highly exploitable security vulnerabilities. It may cause direct loss of funds / permanent freezing of funds. All high severity issues should be resolved.
MediumIssues that are only exploitable under some conditions or with some privileged access to the system. Users’ yields/rewards/information is at risk. All medium severity issues should be resolved unless there is a clear reason not to.
LowIssues that are low risk. Not fixing those issues will not result in the failure of the system. A fix on low severity issues is recommended but subject to the clients’ decisions.
InformationalIssues that pose no risk to the system and are related to the security best practices. Not fixing those issues will not result in the failure of the system. A fix on informational issues or adoption of those security best practices-related suggestions is recommended but subject to clients’ decision.

Appendix II: Status Categories

StatusDescription
UnresolvedThe issue is not acknowledged and not resolved.
Partially ResolvedThe issue has been partially resolved
AcknowledgedThe Finding / Suggestion is acknowledged but not fixed / not implemented.
ResolvedThe issue has been sufficiently resolved

Disclaimer

Verilog Solutions receives compensation from one or more clients for performing the smart contract and auditing analysis contained in these reports. The report created is solely for Clients and published with their consent. As such, the scope of our audit is limited to a review of code, and only the code we note as being within the scope of our audit is detailed in this report. It is important to note that the Solidity code itself presents unique and unquantifiable risks since the Solidity language itself remains under current development and is subject to unknown risks and flaws. Our sole goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies. Thus, Verilog Solutions in no way claims any guarantee of security or functionality of the technology we agree to analyze.

In addition, Verilog Solutions reports do not provide any indication of the technologies proprietors, business, business model, or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project. Verilog Solutions has the right to distribute the Report through other means, including via Verilog Solutions publications and other distributions. Verilog Solutions makes the reports available to parties other than the Clients (i.e., “third parties”) – on its website in hopes that it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.