###### tags: `Final Report`

GNO Token v2.0.0 Audit
===

> Copyright © 2022 by Verilog Solutions. All rights reserved.
> April 22, 2022
> by **Verilog Solutions**

![GNO-Cover](https://hackmd.io/_uploads/Sy4-wilrq.png)

This report presents Verilog Solutions' smart contract auditing work on the GNO token v2.0.0 contracts.

---

## Table of Contents

[TOC]

---

## Project Summary

The GNO token is used in various GNO ecosystem products. The GNO ecosystem includes various applications and infrastructure, such as Gnosis Auction, Gnosis Safe, and Gnosis Chain. The Gnosis Beacon Chain is currently live and secured with the GNO token, and the Gnosis Beacon Chain will merge with Gnosis Chain later.

---

## Service Scope

Our review focused on the [**v2.0.0** branch](https://github.com/gnosis/gno-token/tree/v2.0.0), specifically commit hash [**1cc6023ecd6494dd4e37591c4864bb487f1b0373**](https://github.com/gnosis/gno-token/tree/1cc6023ecd6494dd4e37591c4864bb487f1b0373).

Below is the summary of the GNO token v2.0.0 audit:

1. **Audit Service**
   The Verilog Solutions team conducted a thorough study of the GNO token v2.0.0 code. The list of findings, along with the severity and solution, is available under the section [**Findings & Suggestions for Improvement**](#Findings-amp-Suggestions-for-Improvement).

---

## Architecture

The smart contracts of GNO v2.0.0 are implementations of the [ERC-20 standard](https://ethereum.org/en/developers/docs/standards/tokens/erc-20/).
**Cited from Ethereum Foundation** [EIP-20](https://eips.ethereum.org/EIPS/eip-20):

The token should have the following **methods**:

```solidity
// view functions
function name() public view returns (string)
function symbol() public view returns (string)
function decimals() public view returns (uint8)
function totalSupply() public view returns (uint256)
function balanceOf(address) public view returns (uint256)

// interaction functions
function transfer(address, uint256) public returns (bool)
function transferFrom(address, address, uint256) public returns (bool)
function approve(address, uint256) public returns (bool)
function allowance(address, address) public view returns (uint256)
```

The token should have the following **events**:

```solidity
event Transfer(address indexed _from, address indexed _to, uint256 _value)
event Approval(address indexed _owner, address indexed _spender, uint256 _value)
```

The GNO token v2.0.0 ERC-20 implementation provides the following functionalities:

- transfer tokens from one account to another
- get the current token balance of an account
- get the total supply of the token available on the network
- approve whether, and how much of, the token held by an account can be spent by a third-party account

---

## Privileged Roles

The GNO token v2.0.0 has no significant privileged roles.
Only at deployment does the contract deployer receive the pre-defined total supply of GNO token, which is a standard operation in most token contract deployments:

```solidity=
// from TokenGNO.sol
constructor(uint amount) public {
    totalTokens = amount;
    balances[msg.sender] = amount;
}
```

---

## Findings & Suggestions for Improvement

<style> .info { background-color:mediumseagreen; font-size: 12px; color: white; border-radius:4px; padding: 1px 4px; font-weight: 500; display: inline-block; margin: 2px; letter-spacing: 0.3px} </style>
<style> .minor { background-color: #698999; font-size: 12px; color: white; border-radius:4px; padding: 1px 4px; font-weight: 500; display: inline-block; margin: 2px; letter-spacing: 0.3px} </style>
<style> .medium { background-color: #FFCA0F; color: #121212; font-size: 12px; border-radius:4px; padding: 1px 4px; font-weight: 500; display: inline-block; margin: 2px; letter-spacing: 0.3px} </style>
<style> .major{ background-color: #FF6B4A; color: white; font-size: 12px; border-radius:4px; padding: 1px 4px; font-weight: 500; display: inline-block; margin: 2px; letter-spacing: 0.3px} </style>
<style> .critical{ background-color: #FF0000; color: white; font-size: 12px; border-radius:4px; padding: 1px 4px; font-weight: 500; display: inline-block; margin: 2px; letter-spacing: 0.3px} </style>

<span class='info'>Informational</span><span class='minor'>Minor</span><span class='medium'>Medium</span><span class='major'>Major</span><span class='critical'>Critical</span>

|               | Total | Acknowledged | Resolved |
| ------------- | ----- | ------------ | -------- |
| Critical      | 0     | 0            | 0        |
| Major         | 0     | 0            | 0        |
| Medium        | 0     | 0            | 0        |
| Minor         | 1     | 1            | 0        |
| Informational | 1     | 1            | 0        |

### Critical

1. none ;)

### Major

1. none ;)

### Medium

1. none ;)

### Minor

1. Unused import <span class='minor'>Minor</span>

   **Related Contract**:
   `@gnosis.pm/util-contracts/contracts/GnosisStandardToken.sol`: [L4](https://github.com/gnosis/util-contracts/blob/1373734c128ebaaf67af93cb531a63439895e15a/contracts/GnosisStandardToken.sol#L4)
   `GnoDevDependencies.sol`: [L12](https://github.com/gnosis/gno-token/blob/156f60f48cbfb27283eb27e6851ecb09749afa99/contracts/GnoDevDependencies.sol#L12)

   **Description**: The `Proxy.sol` imported into the `GnosisStandardToken.sol` contract is unused. The `EtherToken.sol` imported into the `GnoDevDependencies.sol` contract is unused.

   **Recommendation**: Remove these unused imports.

   **Result**: Acknowledged by the Gnosis team.

### Informational

1. Variable visibility can be specified as `internal` <span class='info'>Informational</span>

   **Related Contract**:
   `@gnosis.pm/util-contracts/contracts/GnosisStandardToken.sol`: [L13-L15](https://github.com/gnosis/util-contracts/blob/1373734c128ebaaf67af93cb531a63439895e15a/contracts/GnosisStandardToken.sol#L13-L15)

   **Description**: Contract `TokenGNO` inherits contract `GnosisStandardToken`. The variables `balances`, `allowances` and `totalTokens` are accessed and modified in the derived contracts. Thus, their visibility can be explicitly marked as `internal` for better readability.

   **Recommendation**: Mark `balances`, `allowances` and `totalTokens` inside file `GnosisStandardToken.sol` as `internal` variables.

   **Result**: Acknowledged by the Gnosis team.

---

## Disclaimer

Verilog Solutions receives compensation from one or more clients for performing the smart contract and auditing analysis contained in these reports. The report created is solely for Clients and published with their consent. As such, the scope of our audit is limited to a review of code, and only the code we note as being within the scope of our audit detailed in this report.
It is important to note that the Solidity code itself presents unique and unquantifiable risks, since the Solidity language itself remains under current development and is subject to unknown risks and flaws. Our sole goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies. Thus, Verilog Solutions in no way claims any guarantee of security or functionality of the technology we agree to analyze.

In addition, Verilog Solutions reports do not provide any indication of the technology's proprietors, business, business model, or legal compliance. As such, reports do not provide investment advice and should not be used to make decisions about investment or involvement with any particular project.

Verilog Solutions has the right to distribute the Report through other means, including via Verilog Solutions publications and other distributions. Verilog Solutions makes the reports available to parties other than the Clients (i.e., “third parties”) on its website in hopes that it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.