Audits
Services
DualDefense
Hacken Audit + Additional Crowdsourced Audit
Learn more
Services
DualDefense
Smart Contract Audit
Blockchain Protocol Audit
DORA Compliance
Virtual CISO
Penetration Testing
Cloud Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit
Retainer
DualDefense
New Approach To Blockchain Security
Hacken Audit + Additional Crowdsourced Audit
At no extra cost
2 in 1
Dual-layered protection
$0
Costs
30-Day
Crowdsourced audit
Independent
HackenProof bug hunters
Learn more
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company
Community
Community
- $HAI

Ensuring the Security of Soul-Bound Tokens in Soul Society

Ensuring the Security of Soul-Bound Tokens in Soul Society

3 minutes

Soul Society, a Web3 social service and our latest client, has recently embraced the innovative concept of Growth-Type Soul-Bound Tokens (SBTs). These tokens are a unique blend of technology and user engagement, allowing people to participate in various activities and acquire rewards and SBTs that define their digital identities. Each user can own multiple SBTs, which are visible publicly and can be integrated into third-party services.

Hacken’s thorough audit of Soul Society’s smart contract resulted in a remarkable final score of 10 out of 10. This case study examines our team’s audit approach, key findings, and the impact of our analysis on the platform’s security and dynamism.

Audit Overview

Soul Society has approached Hacken requesting a comprehensive Smart Contract Code Review and Security Analysis. The primary objective of this audit was to scrutinize the security aspects of the client’s contracts to ensure the robustness and reliability of their Growth-Type SBT protocol.

The audit team comprised our experts in Solidity and EVM auditing, including Viktor Lavrenenko as the Smart Contract Auditor, David Camps Novi as the Smart Contract Audits Lead, and Paul Fomichov overseeing the process as the Smart Contract Audits Approver.

Our auditors tested and reviewed the following contracts:

SoulSocietySBT: a custom SBT contract that can mint, burn and grow SBTs.
HonToken: an ERC20 custom token contract that can mint and burn HON Tokens and transfer ownership.

We identified several issues threatening the system and recommended fixes. The Soul Society developers promptly solved all of them during the remediation phase.

High-Severity Issues:

Requirements Violation: The supply of HON tokens was found to be unlimited, contrary to standard practices.
Token Burn Non-Compliance: The process for burning tokens did not align with the ERC721 standard, leading to data inconsistencies.
Excessive Permissions: An overly permissive role allowed the owner to burn tokens from users without consent or prior notice.

Medium-Severity Issues:

Missing Safety Checks: The absence of safety checks for Non-External Owned Account (EOA) receivers of tokens could result in locked tokens.
Centralized Growth System: The growth level update lacked user approval, leading to a highly centralized growth mechanism.

Lower Severity Issues

Issues like floating pragma, missing events for critical value updates, missing URI length checks, and inefficient code in the setProtected() function were also noted.

See the complete audit report for a detailed account of all findings and recommendations.

Security Score and Improvements

In addition to the specific security concerns addressed, the overall quality of Soul Society’s smart contract was found to be exceptionally high – 10 out of 10. The audit revealed:

Documentation Quality: The documentation quality scored a perfect 10 out of 10. It included comprehensive functional requirements such as a clear description of contract purposes, detailed project features, business logic, and use cases. The technical description was complete, with all necessary environment configurations provided.
Code Quality: Similarly, the code quality was also rated 10 out of 10. The development environment was well-configured, and best practices in smart contract development were duly followed.
Test Coverage: Although the code coverage of the project was 0%, given the project’s size with less than 250 Lines of Code, this level of test coverage was deemed acceptable and did not affect the final score.
Security Score: Post-audit, the code contained no issues, earning a security score of 10 out of 10. This exemplary score underscores the robustness and reliability of the smart contracts used by Soul Society.

Conclusions

The audit of Soul Society’s smart contracts was a critical step in enhancing the security and efficiency of their Growth-Type SBTs protocol. The identification and subsequent resolution of these issues not only fortified the protocol against potential vulnerabilities but also aligned its practices with industry standards. Implementing recommended changes has significantly improved Soul Society’s smart contracts, ensuring a more secure and user-centric experience.

This case study exemplifies the necessity of rigorous smart contract audits in the dangerous Web3, especially for innovative concepts. By proactively addressing these security concerns, Soul Society has set a precedent in the Web3 community for operational excellence and commitment to user safety.