DESCRIPTION
This audit primarily focuses on the Stratos Chain and Stratos Decentralized Storage (SDS), both of which are components of Stratos, a decentralized data architecture. Stratos provides scalable, reliable, and self-balanced storage, database, and computation networks, creating a robust foundation for data processing. The architecture of Stratos is divided into three distinct components:
Stratos Chain. This custom blockchain is based on the Cosmos-SDK and is responsible for defining various messages and implementing corresponding handlers to manage nodes and reward distribution within the network. By forking a custom Ethermint implementation, the Stratos Chain achieves full EVM compatibility.
Meta Nodes (SP Nodes). Within the Stratos Network, there are two node types: Meta Nodes and Resource Nodes. Meta Nodes are management nodes that connect storage nodes to the Stratos Chain and are responsible for volume reporting for reward distribution.
Storage Nodes (SDS Nodes). These nodes provide the actual storage for the entire network and form a P2P network to ensure high availability.
In this audit, two of the three components, the Stratos Chain and Stratos Decentralized Storage (SDS), are covered. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues, coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains several high-risk issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Stratos team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we find 18 potential issues in the smart contract. We also have 0 recommendations and 0 notes, as follows:
ID | Severity | Description | Category | Status |
---|---|---|---|---|
1 | High | Insufficient access controls for privileged messages | Software Security | Fixed |
2 | High | Conflict logic in the volumeReportRequestHandlerFn function | Software Security | Fixed |
3 | Medium | Unchecked epoch field in the volume report | Software Security | Fixed |
4 | Low | Inconsistent token denoms | Software Security | Fixed |
5 | High | Incorrect selfdestruct logic in the EVM module | Software Security | Fixed |
6 | High | Complex and unstable logic in the EndBlock of the pot module | Software Security | Fixed |
7 | Medium | Deletion in iteration | Software Security | Fixed |
8 | Medium | Ignored error in reward distribution | Software Security | Fixed |
9 | High | Potential partial state write if EndBlocker panics | Software Security | Fixed |
10 | High | Potential concurrent-unsafe usage of a global variable | Software Security | Fixed |
11 | High | Potential loss of unbonding stake due to address overwriting | Software Security | Fixed |
12 | High | Potential locking of staked tokens if the creation vote fails | Software Security | Fixed |
13 | Low | Unremoved vote pool when the meta node is unbonded | Software Security | Fixed |
14 | High | Unverified message source | DeFi Security | Fixed |
15 | High | Unverified response messages | DeFi Security | Fixed |
16 | High | ReqUploadFileSlice allows arbitrary file writing | DeFi Security | Fixed |
17 | Medium | Potential DoS risk due to the absence of timeouts in message receiving and sending processes | DeFi Security | Fixed |
18 | High | Ignored error in authentication process | DeFi Security | Fixed |
More details are provided in the audit report.