tags: Final Report

GNO Token v2.0.0 Audit

Copyright © 2022 by Verilog Solutions. All rights reserved.
April 22, 2022
by Verilog Solutions

This report presents Verilog Solutions's smart contract auditing work on the GNO token v2.0.0 contracts.

Table of Content

• GNO Token v2.0.0 Audit
  • Table of Content
  • Project Summary
  • Service Scope
  • Architecture
  • Privileged Roles
  • Findings & Suggestions for Improvement
    • Critical
    • Major
    • Medium
    • Minor
    • Informational
  • Disclaimer

Project Summary

GNO token is used in various GNO ecosystem products. GNO ecosystem includes various applications and infrastructure, such as Gnosis Auction, Gnosis Safe, and Gnosis Chain. Gnosis Beacon Chain is currently live and secured with GNO token, and the Gnosis Beacon Chain will merge with Gnosis Chain later.

Service Scope

Our review focused on the v2.0.0 branch, specifically, commit hash 1cc6023ecd6494dd4e37591c4864bb487f1b0373.

Below is the summary of the GNO token v2.0.0 audit:

1. Audit Service

   The Verilog Solutions team conducted a thorough study of the GNO token v2.0.0 code. The list of findings, along with the severity and solution, is available under the section Findings & Improvement Suggestions.

Architecture

The smart contracts of GNO v2.0.0 are implementations of ERC20 standards.

Cited from Ethereum Foundation EIP-20:
The token should have the following methods:

// view functions
function name() public view returns (string)
function symbol() public view returns (string)
function decimals() public view returns (uint8)
function totalSupply() public view returns (uint256)
function balanceOf(address) public view returns (uint256)

// interaction functions
function transfer(address, uint256) public returns (bool)
function transferFrom(address, address, uint256) public returns (bool)
function approve(address, uint256) public returns (bool)
function allowance(address, address) public view returns (uint256)

The token should have the following events:

event Transfer(address indexed _from, address indexed _to, uint256 _value)
event Approval(address indexed _owner, address indexed _spender, uint256 _value)

The GNO token v2.0.0 ERC-20 implementation provides the following functionalities:

• transfer tokens from one account to another
• get the current token balance of an account
• get the total supply of the token available on the network
• approve whether and amount of token from an account can be spent by a third-party account

Privileged Roles

The GNO token v2.0.0 has no significant privileged roles. Only when at deployment, the contract deployer will receive the pre-defined total supply of GNO token, which is a standard operation in most token contract deployments:

// from TokenGNO.sol
 constructor(uint amount) public {
        totalTokens = amount;
        balances[msg.sender] = amount;
}

Findings & Suggestions for Improvement

InformationalMinorMediumMajorCritical

Critical

1. none ;)

Major

1. none ;)

Medium

1. none ;)

Minor

1. Unused import Minor
   Related Contract:
   @gnosis.pm/util-contracts/contracts/GnosisStandardToken.sol: L4
   GnoDevDependencies.sol: L12
   Description: The Proxy.sol imported into the GnosisStandardToken.sol contract is unused. The EtherToken.sol imported into the GnoDevDependencies.sol contract is unused.
   Recommendation: Remove these unused imports.
   Result: Acknowledged by the Gnosis team.

Informational

1. Variable visibility can be specified as internal Informational
   Related Contract:
   @gnosis.pm/util-contracts/contracts/GnosisStandardToken.sol: L13-L15
   Description: contract TokenGNO inherits contract GnosisStandardToken. Variables balances, allowances and totalTokens are accessed and modified in the derived contracts. Thus, their visibilities can be specifically marked as internal for better readability.
   Recommendation: Mark balances, allowances and totalTokens inside file GnosisStandardToken.sol as internal variables.
   Result: Acknowledged by the Gnosis team.

Disclaimer

Verilog Solutions receives compensation from one or more clients for performing the smart contract and auditing analysis contained in these reports. The report created is solely for Clients and published with their consent. As such, the scope of our audit is limited to a review of code, and only the code we note as being within the scope of our audit detailed in this report. It is important to note that the Solidity code itself presents unique and unquantifiable risks since the Solidity language itself remains under current development and is subject to unknown risks and flaws. Our sole goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies. Thus,
Solutions in no way claims any guarantee of security or functionality of the technology we agree to analyze.

In addition, Verilog Solutions reports do not provide any indication of the technologies proprietors, business, business model, or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project. Verilog Solutions has the right to distribute the Report through other means, including via Verilog Solutions publications and other distributions. Verilog Solutions makes the reports available to parties other than the Clients (i.e., “third parties”) – on its website in hopes that it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.