We are glad to present our latest client, Sock: a cutting-edge, non-custodial investing application that gives users full control over their cryptocurrency assets. The platform is built on ERC-4337 smart contracts, ensuring a smooth account abstraction experience.
Our team at Hacken has meticulously audited Sock’s smart contracts, and we’re excited to share our findings.
Heads up: Sock has achieved an impressive audit score of 9.5 and a flawless security rating of 10/10.
Delving deeper into Sock, it’s more than just an investing app—it’s a fortress of self-custody. Its mission is to help you build wealth with crypto, safely. Compatible with iOS and Android, Sock is designed with the user’s privacy in mind, never requiring access to private keys. Transactions are executed exclusively on-chain via smart contracts. Sock uses account abstraction to provide best-in-class features like gas-less transactions and automated orders (stop loss and limit/take profit).
Furthermore, Sock resonates with Hacken CEO’s well-documented stance on memecoins by offering a carefully selected assortment of tokens with genuine utility.
Account abstraction is a leap forward from traditional externally owned accounts (EOAs), and ERC-4337 is at the forefront of this evolution. It heralds a new era of decentralization and gas abstraction and accommodates a wider range of signature schemes, all without requiring any changes to the consensus protocol.
ERC-4337 is an ingenious solution that allows for the use of UserOperation objects, which Bundlers consolidate into single transactions on the Ethereum blockchain.
This standard has rapidly gained traction, with adoption by leading platforms such as Ethereum, Polygon, and Avalanche, among others. Now, Sock has also embraced ERC-4337, a move confirmed through Hacken’s comprehensive audit.
The aim of the audit was to provide Sock’s team with a rigorous external evaluation, verifying the integrity and compliance of their smart contracts with the ERC-4337 standard—an inaugural review for our team.
Language & Platform: Solidity; Ethereum Virtual Machine (EVM)
Contract Types: Staking, Factory, Proxy, ERC4337, Account Abstraction, Signatures
Audit Duration: 18 days
The audit was conducted by Hacken’s leading experts, David Camps Novi and Premyslaw Swiatowiec. It encompassed 10 contracts and 4 privileged roles, scrutinizing Sock’s trading platform’s ability to provide secure self-custody storage for cryptocurrencies. The platform’s architecture incorporates SockAccount for ERC-4337 transactions and SockOwnable for discrete access controls, facilitating efficient transaction management within the ecosystem.
The audit underwent two rounds of review, featuring constructive, direct dialogue between Sock developers and Hacken auditors. Initial findings were categorized as follows:
Before delving into specifics, we are pleased to report that all issues were rectified during the remediation phase.
Focusing on the most interesting issues, particularly those concerning ERC-4337 implementation:
A comprehensive list of all identified issues and their remediation is available on the Sock Audit Page.
After resolving all issues identified in the remediation stage, Sock was awarded an exemplary final score of 9.5. Kudos to the team for acting swiftly and decisively!
Documentation Quality: 10/10
Code Quality: 9/10
Test Coverage: 93.44%
Security Score: 10/10
Final Score: 9.5/10
“Central to our vision at Sock has been a true self-custodial experience that’s safe, secure, and as easy to use as anything found in traditional finance. ERC-4337 has given us the means to deliver on that vision, and the Hacken team has been essential to ensuring our implementation has lived up to both our own rigorous standards and those of the wider community. I deeply believe in their model of building long-term relationships with their clients, and think that ongoing product-security partnerships like Sock/Hacken are one of the keys to greatly expanding the adoption of self-custodial financial solutions.”
Chris Titterton, Head of Engineering, Sock
The Hacken audit confirms Sock’s compliance with ERC-4337 standards, establishing it as a secure, self-custodial trading platform with a pronounced commitment to utility tokens and decentralization. Sock’s notable audit score of 9.5/10 reflects its rigorous approach to account management and transaction security. Moreover, the audit process also expanded our knowledge of this emerging standard.