Subscription Token Protocol V2

Off-Chain (Public)
Audited on 2024/06/21
No active critical issues

Summary

Subscription Token Protocol allows for creators or businesses to support subscribers to their platform through the minting of NFTs that represent the subscription. To create the Subscription Token Protocol NFT Contract, the creator or business will invoke `deploySubscription()` on the Factory, with all the configurations specified. Subscribers will then be able to purchase the subscription for a period of time. Subscription offerings can include several tiers where subscribers of different tiers are rewarded according to a Reward Curve defined for that tier, which supports offering bonus rewards for a given tier.

Subscribers benefit by receiving rewards that come from a share of the income of new subscribers; this incentivizes early and consistent subscription to maximize rewards. When a subscription is purchased, a user is allocated reward shares which represent their proportion of rewards allocated to the pool to claim. Users whose subscription time expires will have to have their subscription manually deactivated. After a grace period passes following a completed subscription, anyone can slash this user and burn their shares. In effect, this increases the rewards eligible to be claimed by all other active subscribers holding shares, as the shares now correspond to a larger proportion of allocated rewards.

During the audit we identified one high severity issue, STP-1, related to inaccurate accounting of rewards following a slash as the `totalRewardEgress` was not considered when updating the `pointsPerShare`. The medium severity issue, STP-2, was brought to our attention by the Subscription Token Protocol during the audit. The ability to mint subscriptions for other addresses creates the opportunity for users to intentionally block other users out of certain tiers. STP-3 describes how the minimum multiplier for a Reward Curve is not enforced. Although no direct impact was identified, we describe race conditions inherent to the protocol in STP-14, as well as the potential for impersonation of factory deployed contracts in STP-16.

As these issues are addressed, we encourage the team to update the test suite to test for correctness of the fixes. The Subscription Token team was very helpful throughout the audit by providing clear documentation and answering questions as needed. The Test Suite Results section below describes more in depth how the test suite can be improved during the fix review.

**Fix Review Update** The Subscription Token Team has either fixed all the issues or acknowledged them with sufficient reasoning. The team continued to be collaborative throughout the fix review. The Test Suite has been improved per our recommendation.
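The reward-share and slashing behaviour described in the summary can be checked with a solvency invariant: what remaining holders can claim must fit in reward ingress minus reward egress. The following simplified Python model is an added example, not the protocol's contract code; the redistribution rule on slash, the `PRECISION` value, and every name other than `pointsPerShare` and `totalRewardEgress` are assumptions.

```python
from dataclasses import dataclass, field

PRECISION = 2**64  # fixed-point scale for pointsPerShare (assumed value)

@dataclass
class Holder:
    shares: int = 0
    debt: int = 0  # points this holder is not entitled to (pre-entry or already claimed)

@dataclass
class RewardPool:
    total_shares: int = 0
    points_per_share: int = 0
    total_reward_ingress: int = 0
    total_reward_egress: int = 0
    holders: dict = field(default_factory=dict)

    def issue(self, who, shares):
        h = self.holders.setdefault(who, Holder())
        h.debt += shares * self.points_per_share  # no claim on earlier rewards
        h.shares += shares
        self.total_shares += shares

    def allocate(self, amount):
        if self.total_shares == 0:
            raise ValueError("no shares to allocate rewards to")
        self.total_reward_ingress += amount
        self.points_per_share += amount * PRECISION // self.total_shares

    def claimable(self, who):
        h = self.holders[who]
        return (h.shares * self.points_per_share - h.debt) // PRECISION

    def claim(self, who):
        amount = self.claimable(who)
        self.holders[who].debt += amount * PRECISION
        self.total_reward_egress += amount  # paid-out tokens have left the pool
        return amount

    def slash(self, who):
        forfeited = self.claimable(who)  # only the unclaimed part is redistributed
        self.total_shares -= self.holders.pop(who).shares
        if self.total_shares:
            self.points_per_share += forfeited * PRECISION // self.total_shares
        return forfeited

    def solvent(self):
        # Claims of remaining holders must fit in ingress minus egress;
        # integer division may leave less than one unit of dust per holder.
        owed = sum(self.claimable(w) for w in self.holders)
        dust = self.total_reward_ingress - self.total_reward_egress - owed
        return 0 <= dust <= len(self.holders)
```

Calling `solvent()` after every `claim`, `slash` and `allocate` in a test sequence is the kind of regression check that catches slash accounting which ignores rewards already paid out.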


Issues (16)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 4 | - | - | - | 4 |
| Fixed | 10 | 1 | 1 | - | 12 |
| Total | 14 | 1 | 1 | 0 | 16 |


Contracts (52)