Quantstamp performed a security review of the smart contracts implementing the Music protocol: the token, staking, and DAO contracts present in the listed repositories. A previous iteration of the code was audited by Quantstamp at branch `old-master`. The given commit hash aims to address the issues identified then, as well as to introduce related code changes. Due to the extent of these changes, a full re-audit was conducted.

The protocol gives users the opportunity to stake `RECORD` tokens in accounts controlled by music artists. Staking mints new tokens for the artist based on the rate set by the protocol owners, the staking duration, and the amount staked to that artist. Staking tokens also permits users to vote on public proposals in the `Web3MusicNetworkDAO` contract. As stated by the Music Protocol team, the DAO contract can execute proposals (external calls), but for the moment it serves only an advisory purpose. If in the future the DAO is expected to manage funds or take on special roles in other systems, extensive testing and an external audit should be considered.

Regarding testing, all tests passed, showing good branch coverage metrics in the audited files. The Music protocol team shared internal technical documentation explaining every flow and function in detail. We recommend adding **public documentation** about the critical modules of the system, such as artist rate changes, with examples of expected returns and possible cases. WEB-23 describes how artists can lose rewards after some rate changes; if the rate is expected to be modified on a regular basis, consider reviewing the logic.

All issues and recommendations are discussed in the *Findings* section of this document. We recommend addressing all the issues and adding tests to cover the proposed fixes.

**Update**: The Music protocol team has acknowledged or fixed all issues listed in this report, and added tests to cover the proposed fixes.
**Note**: After the initial audit, the Music protocol team made naming and branding changes, as well as adjustments to some contract names. For complete context and traceability, please refer to the repository's history.
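The summary above describes rewards that depend on a rate, the staking duration, and the staked amount, and points at WEB-23 for a case where artists lose rewards after a rate change. The page does not give the protocol's actual accrual formula or the root cause of WEB-23, so the following is an added, self-contained model (not the Music protocol's code) of one generic way such a loss arises: if pending rewards are computed at claim time using only the current rate, every rate change retroactively re-prices the whole staking period. The checkpointed variant closes a segment at each rate change so earlier time is paid at the rate that was in force. Names, rates, and the timeline are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Stake record: (amount staked, timestamp the stake started). Constructed for this example.
Stake = Tuple[int, int]


@dataclass
class NaiveAccrual:
    """Hypothetical accrual that prices the entire stake period at the *current* rate.

    reward = amount * (now - since) * current_rate
    A rate decrease after staking silently shrinks rewards already earned;
    a rate increase over-mints for time that was staked at a lower rate.
    """
    rate: int  # reward units minted per staked token per second (constructed)
    stakes: Dict[str, Stake] = field(default_factory=dict)

    def stake(self, artist: str, amount: int, now: int) -> None:
        self.stakes[artist] = (amount, now)

    def set_rate(self, new_rate: int, now: int) -> None:
        self.rate = new_rate  # `now` ignored: no checkpoint is taken

    def pending(self, artist: str, now: int) -> int:
        amount, since = self.stakes[artist]
        return amount * (now - since) * self.rate


@dataclass
class CheckpointedAccrual:
    """Accrual that records a closed (start, end, rate) segment at each rate change.

    Each segment of the stake's lifetime is paid at the rate that applied during it,
    so changing the rate never re-prices time that has already elapsed.
    """
    rate: int
    segment_start: int = 0
    closed: List[Tuple[int, int, int]] = field(default_factory=list)  # (start, end, rate)
    stakes: Dict[str, Stake] = field(default_factory=dict)

    def stake(self, artist: str, amount: int, now: int) -> None:
        self.stakes[artist] = (amount, now)

    def set_rate(self, new_rate: int, now: int) -> None:
        # Close the segment that ran at the old rate before switching.
        self.closed.append((self.segment_start, now, self.rate))
        self.segment_start = now
        self.rate = new_rate

    def pending(self, artist: str, now: int) -> int:
        amount, since = self.stakes[artist]
        total = 0
        # Sum over closed segments, counting only the overlap with this stake's lifetime.
        for start, end, rate in self.closed:
            overlap = max(0, min(end, now) - max(start, since))
            total += amount * overlap * rate
        # Open segment at the current rate.
        overlap = max(0, now - max(self.segment_start, since))
        total += amount * overlap * self.rate
        return total


def scenario(rate_before: int, rate_after: int) -> Tuple[int, int]:
    """Stake 100 tokens at t=0, change the rate at t=10, read pending rewards at t=20.

    Returns (naive_reward, checkpointed_reward) for the constructed timeline.
    """
    results = []
    for impl in (NaiveAccrual(rate_before), CheckpointedAccrual(rate_before)):
        impl.stake("artist-A", 100, now=0)
        impl.set_rate(rate_after, now=10)
        results.append(impl.pending("artist-A", now=20))
    return results[0], results[1]


def reward_lost_on_decrease() -> int:
    """Rate halves from 2 to 1: naive pays 2000, checkpointed pays 3000 -> 1000 lost."""
    naive, correct = scenario(2, 1)
    return correct - naive


def reward_overpaid_on_increase() -> int:
    """Rate doubles from 1 to 2: naive pays 4000, checkpointed pays 3000 -> 1000 over-minted."""
    naive, correct = scenario(1, 2)
    return naive - correct


if __name__ == "__main__":
    print("lost on decrease:", reward_lost_on_decrease())
    print("over-minted on increase:", reward_overpaid_on_increase())
```

The two helper functions are the kind of property a regression test for a rate-change finding should pin down: after any `set_rate`, rewards accrued before the change must be invariant, in both the decreasing and the increasing direction. The same segmented accounting is what a reviewer would look for when assessing whether a staking contract's rewards survive frequent rate updates.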
| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 8 | - | - | - | 8 |
| Fixed | 14 | 2 | 1 | - | 17 |
| Total | 22 | 2 | 1 | 0 | 25 |
| # | File Name |
|---|---|
| 1 | Web3MusicNativeToken.sol |
| 2 | Web3MusicNativeTokenManagement.sol |
| 3 | FanToArtistStaking.sol |
| 4 | Web3MusicNativeTokenDAO.sol |