Soul Society, a Web3 social service and our latest client, has recently embraced the innovative concept of Growth-Type Soul-Bound Tokens (SBTs). These tokens are a unique blend of technology and user engagement, allowing people to participate in various activities and acquire rewards and SBTs that define their digital identities. Each user can own multiple SBTs, which are visible publicly and can be integrated into third-party services.
Hacken’s thorough audit of Soul Society’s smart contract resulted in a remarkable final score of 10 out of 10. This case study examines our team’s audit approach, key findings, and the impact of our analysis on the platform’s security and dynamism.
Soul Society approached Hacken requesting a comprehensive Smart Contract Code Review and Security Analysis. The primary objective of this audit was to scrutinize the security aspects of the client’s contracts to ensure the robustness and reliability of their Growth-Type SBT protocol.
The audit team comprised our experts in Solidity and EVM auditing, including Viktor Lavrenenko as the Smart Contract Auditor, David Camps Novi as the Smart Contract Audits Lead, and Paul Fomichov overseeing the process as the Smart Contract Audits Approver.
Our auditors tested and reviewed the following contracts:
SoulSocietySBT: a custom SBT contract that can mint, burn and grow SBTs.
HonToken: a custom ERC20 token contract that can mint and burn HON tokens and transfer ownership.
We identified several issues threatening the system and recommended fixes. The Soul Society developers promptly solved all of them during the remediation phase.
Requirements Violation: The supply of HON tokens was found to be unlimited, contrary to standard practices.
Token Burn Non-Compliance: The process for burning tokens did not align with the ERC721 standard, leading to data inconsistencies.
Excessive Permissions: An overly permissive role allowed the owner to burn tokens from users without consent or prior notice.
Missing Safety Checks: The absence of safety checks for token receivers that are not Externally Owned Accounts (EOAs), i.e. contract addresses, could result in tokens being locked in a receiver unable to handle them.
Centralized Growth System: The growth level update lacked user approval, leading to a highly centralized growth mechanism.
Lower Severity Issues
Issues like floating pragma, missing events for critical value updates, missing URI length checks, and inefficient code in the setProtected() function were also noted.
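To make the findings above concrete, the following is an added illustration written for this case study, not Soul Society’s audited code: a hypothetical capped ERC20 and a hypothetical soul-bound ERC721 that show the hardened counterpart of each finding (pinned pragma, supply cap, holder-authorized burn that keeps ERC721 state consistent, `_safeMint` for contract receivers, a URI length bound, events on critical updates, and a two-step growth update that requires the holder’s acceptance). It assumes OpenZeppelin Contracts v5; all contract, function and constant names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
// Pinned compiler version (fix for the "floating pragma" finding); 0.8.20 is an assumed choice.
pragma solidity 0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical fungible token: bounded supply (fix for the "unlimited supply" finding).
contract CappedToken is ERC20, Ownable {
    uint256 public constant MAX_SUPPLY = 1_000_000e18; // assumed cap for the example

    constructor() ERC20("Example Token", "EXT") Ownable(msg.sender) {}

    // Weak pattern would be: _mint(to, amount) with no bound at all.
    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply() + amount <= MAX_SUPPLY, "cap exceeded");
        _mint(to, amount);
    }
}

/// Hypothetical growth-type soul-bound token illustrating the ERC721-related findings.
contract ExampleSBT is ERC721, Ownable {
    uint256 public constant MAX_URI_LENGTH = 256; // assumed bound (fix for "missing URI length checks")
    uint256 private _nextId = 1;
    mapping(uint256 => string) private _uris;
    mapping(uint256 => uint8) public growthLevel;
    mapping(uint256 => uint8) public pendingLevel;

    // Events for critical value updates (fix for the "missing events" finding).
    event GrowthProposed(uint256 indexed tokenId, uint8 newLevel);
    event GrowthLevelUpdated(uint256 indexed tokenId, uint8 oldLevel, uint8 newLevel);

    constructor() ERC721("Example SBT", "ESBT") Ownable(msg.sender) {}

    // _safeMint calls onERC721Received on contract receivers, so a contract that cannot
    // handle ERC721 tokens rejects the mint instead of locking the token forever.
    // The weak pattern is a bare _mint(to, id), which performs no receiver check.
    function mint(address to, string calldata uri) external onlyOwner returns (uint256 id) {
        require(bytes(uri).length <= MAX_URI_LENGTH, "uri too long");
        id = _nextId++;
        _uris[id] = uri;
        _safeMint(to, id);
    }

    // Burn is restricted to the holder (or an approved operator), not to the contract owner;
    // an owner-only "burn anyone's token" function is the "excessive permissions" finding.
    // Clearing per-token state and calling _burn keeps balances, ownership and the
    // Transfer-to-zero event consistent with ERC721 (the "burn non-compliance" finding).
    function burn(uint256 tokenId) external {
        address holder = ownerOf(tokenId); // reverts if the token does not exist
        require(_isAuthorized(holder, msg.sender, tokenId), "not holder or approved");
        delete _uris[tokenId];
        delete growthLevel[tokenId];
        delete pendingLevel[tokenId];
        _burn(tokenId);
    }

    // Two-step growth: the operator proposes a higher level, the holder must accept it
    // (fix for the "centralized growth system" finding).
    function proposeGrowth(uint256 tokenId, uint8 newLevel) external onlyOwner {
        _requireOwned(tokenId);
        require(newLevel > growthLevel[tokenId], "level must increase");
        pendingLevel[tokenId] = newLevel;
        emit GrowthProposed(tokenId, newLevel);
    }

    function acceptGrowth(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "only holder");
        uint8 newLevel = pendingLevel[tokenId];
        require(newLevel != 0, "nothing pending");
        uint8 oldLevel = growthLevel[tokenId];
        growthLevel[tokenId] = newLevel;
        delete pendingLevel[tokenId];
        emit GrowthLevelUpdated(tokenId, oldLevel, newLevel);
    }

    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        _requireOwned(tokenId);
        return _uris[tokenId];
    }

    // Soul-bound: only mints (from == 0) and burns (to == 0) may pass through _update.
    function _update(address to, uint256 tokenId, address auth) internal override returns (address) {
        address from = _ownerOf(tokenId);
        require(from == address(0) || to == address(0), "soul-bound: non-transferable");
        return super._update(to, tokenId, auth);
    }
}
```

A reviewer checking a contract against these findings would look for exactly these properties: a pinned pragma, a supply bound on every mint path, `_safeMint` rather than `_mint` on any path that may deliver to a contract, burn authorization tied to the holder rather than to a privileged role, and an event emitted on every state change a third-party service might depend on.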
In addition to the specific security concerns addressed, the overall quality of Soul Society’s smart contract was found to be exceptionally high – 10 out of 10. The audit revealed:
Documentation Quality: The documentation quality scored a perfect 10 out of 10. It included comprehensive functional requirements such as a clear description of contract purposes, detailed project features, business logic, and use cases. The technical description was complete, with all necessary environment configurations provided.
Code Quality: Similarly, the code quality was also rated 10 out of 10. The development environment was well-configured, and best practices in smart contract development were duly followed.
Test Coverage: Although the project’s code coverage was 0%, the project’s small size (fewer than 250 lines of code) made this level of test coverage acceptable, and it did not affect the final score.
Security Score: Post-audit, the code contained no issues, earning a security score of 10 out of 10. This exemplary score underscores the robustness and reliability of the smart contracts used by Soul Society.
The audit of Soul Society’s smart contracts was a critical step in enhancing the security and efficiency of their Growth-Type SBTs protocol. The identification and subsequent resolution of these issues not only fortified the protocol against potential vulnerabilities but also aligned its practices with industry standards. Implementing recommended changes has significantly improved Soul Society’s smart contracts, ensuring a more secure and user-centric experience.
This case study exemplifies the necessity of rigorous smart contract audits in the hazardous Web3 landscape, especially for innovative concepts. By proactively addressing these security concerns, Soul Society has set a precedent in the Web3 community for operational excellence and commitment to user safety.