Moonstream DAO
Moonstream contracted Hacken to audit our Garden of Forking Paths smart contract prior to the first mainnet deployment of Garden of Forking Paths for the Shadowcorns: Throwing Shade minigame in the Crypto Unicorns community.
Audit report
The full audit report is available here.
Moonstream response – November 22, 2022
Hacken’s audit covered:
- The GOFPFacet, which implements the Garden of Forking Paths functionality.
- Terminus protocol and related functionality from https://github.com/bugout-dev/dao.
This document identifies the technical issues discovered by Hacken, along with how we plan to address them.
Hacken auditors also discovered a non-critical vulnerability in our TerminusController contract which is still under development. We are thankful to them for this.
We chose not to address any of the issues that Hacken raised about the style of our code. How we write code is our business, and we did not contract Hacken to pass judgment on our coding style.
We also chose not to address any of the issues that Hacken raised about Terminus pool controller privileges for minting and burning tokens. Those privileges are what make Terminus so well suited to access control and gaming use cases. Once again, we did not contract Hacken to pass judgment on our product use cases.
Hacken chose to give us a security score of 0/10 without explaining precisely why they assigned our contracts that score, and have not been forthcoming with any code that we can use to reproduce the issues that they found. Presumably, Hacken auditors did write code to test our contracts, and it is disappointing that they do not share this code with us because it is almost impossible to remediate issues like the following about our test coverage without their code or further input:
Test coverage
Test coverage of the project.
- Deployment and basic user interactions are covered with tests.
- Negative cases coverage is missed.
- Interactions by several users are not tested thoroughly.”
It is some comfort that Hacken did not find any critical vulnerabilities in our contracts. Even the vulnerabilities they classified as “high” risk have been remediated in our most recent changes (linked here).
At this point, we have tested our contracts exhaustively on testnets, and feel confident to deploy them on mainnet.
Update: November 24, 2022
Some members of the Crypto Unicorns community have noticed the 0/10 score on the Hacken audit and are questioning the safety of our contracts. Particularly of the Garden of Forking Paths contract which will host the Shadowcorns: Throwing Shade game.
We cannot know why Hacken assigned out contracts that score. Presumably Hacken knows why, but they have not been forthcoming with their process or methodology in assigning scores.
We have brought up the issue of the score with Hacken. They said that they would give us a response today, but today they asked for an extension. As soon as we have an update from them, we will either summarize it or provide a link to it on this document.
We can say this. Hacken did not find any critical vulnerabilities on our contracts. They discovered no vulnerabilities in the logic of the Garden of Forking Paths contract.
They did suggest that we fire an on-chain event when a game master sets the rewards for the stages in a Garden of Forking Paths session, a change that we made this week: https://github.com/bugout-dev/engine/pull/209
They did discover a small vulnerability in our Terminus contract, on the mintBatch function. Anyone with the level of access on a Terminus pool to exploit this vulnerability could also achieve the same effect through perfectly legitimate means. Therefore, we disagree with their classification of this as a high risk vulnerability. At any rate, we have already implemented a fix for this: https://github.com/bugout-dev/dao/pull/65
We published this report as soon as it was reasonable to do so in the interests of full transparency with our users and our customers. If you are going to be playing our games with your tokens, you have the right to know about such developments.
Given that Hacken did not find any vulnerabilities in Garden of Forking Paths, we are comfortable proceeding with the launch of Shadowcorns: Throwing Shade as planned.