Auditing Sweat Wallet’s Growth Jar Contract: A Case Study

Sweat Economy is developing an innovative blend of fitness and blockchain technology with its Web3 ecosystem. This unique ecosystem is centered around Sweat Wallet, a non-custodial dApp that rewards users with digital currency – Sweat Tokens – for their physical activity. These tokens can be put into the Growth Jar contract to earn more $SWEAT, effectively turning steps into digital money.

Hacken audited Sweat Wallet’s Growth Jar contract and gave it a final score of 8 out of 10. In this case study, we highlight our team’s approach, key findings, and the overall impact of our analysis on ensuring a secure and dynamic platform.

Sweat Economy Overview

Sweat Economy is a partner of SweatCo, the consumer health tech company behind Sweatcoin, the largest health and fitness app in the world in 2022. Today, Sweatcoin acts as a step validator for Sweat Wallet, and users who have both apps can earn $SWEAT simply by moving around. This innovative approach combines physical activity with digital asset accumulation. The Sweat Growth Jar contract is at the heart of this ecosystem, enabling users to essentially put their $SWEAT into staking contracts to earn even more $SWEAT, thus adding an additional incentive to staying fit and active.

Smart Contract Audit Goals – Secure Growth Jars

The Sweat Wallet app, boasting an impressive 4.8-star rating from over 7.1K user reviews on the App Store, has earned significant trust and acclaim within its community. In light of this widespread adoption and the critical role of blockchain integration in the app’s functionality, the Sweat Foundation recognized the importance of ensuring the security and reliability of its Growth Jar contract for Sweat Wallet. To achieve this, they requested the services of Hacken, given our leading role in smart contract auditing within the Web3 landscape.

Sweat Wallet has a feature called Growth Jars. It locks users’ $SWEAT and lets them earn better rewards and enjoy lower transaction fees. The goal of this audit was to ensure the security and reliability of the Growth Jar contract.

Audit Findings and Insights

For this audit, a team led by Hacken’s prominent talent Noah Jelich scrutinized the sweat_jar contract, uncovering several issues across varying severity levels, which have now been successfully addressed and solved. Two notable findings were as follows:

• Double Public Key Signing Function Oracle Attack (Critical Issue)
  This was a critical-impact, high-likelihood issue involving versions of ed25519-dalek prior to v2.0, which posed risks of private key extraction attacks due to unsafe API practices. It was successfully addressed by updating to a more secure version.

• Inadequate Access Control in Migrate Jars Function (High Severity Issue)
  This issue allowed any attacker to call the migrate_jars() function without proper checks, potentially leading to unauthorized jar creation. This was solved by restricting access to contract managers and implementing a signature verification mechanism.

See the full audit report with all issues and recommendations.

Security Score and Improvements

Post-audit, the sweat_jar contract achieved a security score of 8/10. All critical and high-impact issues were fixed. This score is a testament to the effectiveness of the remediation measures and the resilience of the contract.

Conclusion

This case study delved into the audit of the key Sweat Wallet’s Growth Jar contract, part of the broader Sweat Economy system, which rewards users with $SWEAT for physical activity, encouraging health and fitness through blockchain incentives.

The comprehensive audit by Hacken not only enhanced its security but also contributed significantly to the reliability of Sweat Economy. The proactive response of the Sweat Wallet team in addressing the issues underscores their commitment to providing a secure and innovative platform for combining fitness with digital asset accumulation.