Staking Program Audit

SolShield conducted a full security audit and vulnerability analysis of the Genopets Staking Program. The audit took approximately 2 weeks to complete, starting on April 27th and ending on May 13th. This report briefly covers the program’s workflow along with a short description of the vulnerabilities discovered by the SolShield team. All issues identified were resolved swiftly following the audit report.

An excerpt from the methodology section of the report, providing an overview of the audit process: After the initial contact from the Genopets team, we held an online session to go through the logic and the code structure. The complexity of the implementation was assessed to be unnecessarily high; therefore, thanks to the effort of the core developers from Genopets, a code revamp was done, which took ~2 weeks to complete. After that, we started to do extensive code analysis. The staking program makes extensive and spot-on use of PDAs to manage program-associated data. The SolShield team also took extra care to confirm the program is resilient against classic Solana program attacks such as account re-initialization and substitution, missing authority and signer checks, and token account confusions.

Instances of these primitive classes of vulnerabilities were discovered, which we will explain later. In the next step, to guarantee the implementation follows the intended program specification, our lead auditor had multiple 1-on-1 sessions with the lead developer of the program, where we inspected the data flow through the program logic, ensuring correct behavior.

Then, as per SolShield's promise, our team deployed the program on devnet and ran intense fuzzy and penetration tests, hitting the program with custom transactions with randomly generated data and different types of accounts to uncover any residual attack vector that might put the program in danger.

Lastly, we reported all the bugs and discoveries to the Genopets team with suggestions on how to resolve and mitigate the issues. The developers were swift in releasing patches to address the vulnerabilities we pointed out. The final code was scanned once again as a clean-up review to ensure the validity of the fixes and that no new vulnerabilities were introduced in the process.

See the full report attached below:
