---
title: NewGolemNetworkToken
Type: Audit Report
Client: Golem
Team: Eng Team
Date: April 21, 2020
Version: 1.0.0
---

###### tags: `Tag(audit)`

# Executive Summary

We have audited the intended migration process of the Golem Network Token at the smart contract level. No major or minor vulnerabilities were found during this audit.

# Disclaimer

This report is subject to the terms and conditions (including without limitation, description of services, confidentiality, disclaimer and limitation of liability) set forth in the Verification Services Agreement between CertiK and Golem (the “Company”), or the scope of services/verification, and terms and conditions provided to the Company in connection with the verification (collectively, the “Agreement”). This report provided in connection with the Services set forth in the Agreement shall be used by the Company only to the extent permitted under the terms and conditions set forth in the Agreement. This report may not be transmitted, disclosed, referred to or relied upon by any person for any purposes without CertiK’s prior written consent.

As there have been numerous interactions with the Company throughout the entire duration of this audit, and as the codebase target for the audit has evolved over said duration, not all of CertiK’s opinions or comments have necessarily made it into this final culmination.

# Scope of work

The audited files were:

- `BatchingSidecar.sol`,
- `GNTMigrationAgent.sol`, and
- `NewGolemNetworkToken.sol`,

as well as the `migrate` function in `GolemNetworkToken` in `Token.sol` (currently deployed).

The commit hash that was audited, and the commit hash that all line references refer to, is:

- `922728b63db7664a4a61051ae28fee506b95992f`

# Review Notes

Items are labeled [CRITICAL], [MAJOR], [MINOR], [INFO], [DISCUSSION] (in decreasing significance).

# Review Findings

1. [DISCUSSION] The batching sidecar functionality could be implemented directly in the new GNT.

2. [DISCUSSION] The owner of GNTMigrationAgent has power over the migration process. They may, for example, migrate their own tokens, then set the target to one that would revert on a `.mint` CALL, meaning nobody else will be able to migrate. We don't see any easy fix to this, implying that this is necessary to facilitate the migration at least in the short term. It should also be noted that once a sufficiently long period has passed (i.e. every old token holder has been given the chance to migrate), then either changing the target and renouncing ownership (in GNTMigrationAgent), or renouncing mintership (in NewGolemNetworkToken) will renounce these elevated powers.

# Appendix: NewGolemNetworkToken

![](https://i.imgur.com/3qOlQbd.png)

# Appendix: GNTMigrationAgent

![](https://i.imgur.com/koc5HTm.png)

# Appendix: Batching Sidecar

![](https://i.imgur.com/45g2xhD.png)
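
Finding 2 under Review Findings can be traced with a small Python state model. This is an added example, not part of the audit report or of the Golem contracts. All class and method names (`set_target`, `migrate_from`, `renounce_ownership`, `run`) and the balances are assumptions made for illustration. The model shows a target swap blocking later holders, and the target becoming fixed once ownership is renounced.

```python
from contextlib import suppress

class Revert(Exception):
    """Models an EVM revert: the failing call changes no state."""

class NewToken:                       # stand-in for NewGolemNetworkToken
    def __init__(self, minters):
        self.minters, self.balances = set(minters), {}
    def mint(self, caller, to, amount):
        if caller not in self.minters:
            raise Revert("caller is not a minter")
        self.balances[to] = self.balances.get(to, 0) + amount

class MigrationAgent:                 # stand-in for GNTMigrationAgent
    def __init__(self, owner):
        self.owner, self.target = owner, None
    def set_target(self, caller, target):
        if caller != self.owner:
            raise Revert("caller is not the owner")
        self.target = target
    def renounce_ownership(self, caller):
        if caller != self.owner:
            raise Revert("caller is not the owner")
        self.owner = None
    def migrate_from(self, holder, amount):
        self.target.mint(self, holder, amount)

class OldToken:                       # stand-in for the deployed GolemNetworkToken
    def __init__(self, balances, agent):
        self.balances, self.agent = dict(balances), agent
    def migrate(self, holder, amount):
        if self.balances.get(holder, 0) < amount:
            raise Revert("insufficient balance")
        self.agent.migrate_from(holder, amount)  # a revert here aborts the burn too
        self.balances[holder] -= amount

def run(renounce_before_swap):
    agent = MigrationAgent(owner="owner")
    new = NewToken(minters=[agent])
    old = OldToken({"owner": 100, "alice": 50}, agent)  # constructed balances
    agent.set_target("owner", new)
    old.migrate("owner", 100)                    # the owner migrates first
    if renounce_before_swap:
        agent.renounce_ownership("owner")        # target is now frozen
    with suppress(Revert):                       # swap to a token the agent cannot mint on
        agent.set_target("owner", NewToken(minters=[]))
    with suppress(Revert):
        old.migrate("alice", 50)
    return new.balances.get("alice", 0), old.balances["alice"]
```

`run(False)` leaves the second holder with the full old balance and nothing minted, while `run(True)` lets that migration complete because the target can no longer be changed.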