$MRUN Smart Contract Passed Security Audit

3 min readApr 18, 2022


“Overall, this smart contract is well-designed and engineered… We believe this token passes security qualifications to be listed on digital assets exchanges.”
— OnGrid Systems

As most people in crypto are probably aware, a smart contract audit is one of the strong fundamentals of a project that reveals possible vulnerabilities in the smart contract that may expose funds to rugpull or exploitation by 3rd-parties. And we are glad to announce to our community that $MRUN Smart Contract is now Audited.

Metarun’s $MRUN token Smart Contract was recently audited by OnGrid Systems and based on a set of ratings involving impact and overall risk severity assessment, the following summary was reached:

Below are excerpts from the report to highlight the notes provided by the Audit team:

1. MRN-1 Old compiler pragma
Target: MetarunToken.sol:2,
-Category: Configuration, SWC ID:SWC-102

The contract has the following pragma directive:

Currently, the latest version of the official Solidity compiler is v0.8.13, but at the time of contract deployment (February 23, 2022), the actual version was v0.8.11. As usual, it is recommended to stay on top of the new versions, which could avoid problems. But in the given case, later releases v0.8.12 and v0.8.18 introduced just minor bugfixes and improvements and don’t seem to significantly affect the code.
Recommendation: since the contract is already deployed, no action required

2. MRN-2 Outdated library dependency
Target: yarn.lock:664
-Category: Configuration

Currently deployed contracts use OpenZeppelin library of version v4.4.2 (actual a the contract deployment date)

Currently, the latest stable version of the OpenZeppelin is v4.5.0. If the contract had not been deployed, we would recommend updating the dependencies and “freezing” them with yarn. But for the reasons stated above in MRN-1, you don’t need to touch this dependency.
Recommendation: Since the contract is already deployed, no action required.

3. MRN-3 Excessive authority of token deployer
Target: MetarunToken.sol:15
-Category: Configuration

The contract implements two roles — MINTER_ROLE and DEFAULT_ADMIN_ROLE that are assigned simultaneously by the constructor and both powers still present on the deployer address. Within the meaning of separation of powers, unnecessary capabilities of MINTER_ROLE should be revoked once supply was minted.
Recommendation: If the manual issuance of new tokens is not planned anymore, the MINTER_ROLE can be safely revoked.

“MINTER_ROLE is required for the economy system designed in Metarun. Once the “Conditional minting” system is finalized, Minter role will be removed from the deployer wallet and assigned to “Conditional minting contract” or “Reward contract”.

Regardless of the presence/absence of MINTER_ROLE on the deployer’s address, the token is still capped at 1,000,000,000 units.”

Metarun developers have taken note of these observations and are following up on the recommendations internally.

Detailed analysis of the audit findings are provided in the Audit Report here:
👉https://metarun.game/audit_report.pdf 👈


Note: Metarun team members will never contact you via a DM on any platform. If you receive a DM claiming to be from our team, it is a scam!

Join the Metarun Community (previously GoFungibles) and become a Metarunner.

Discord | Twitter | Telegram | Telegram Ann




World's first P2E multiplayer mobile runner game. Built on UE5, empowered by the BNB chain. Website: https://metarun.game/ | Discord: https://discord.gg/Met

Recommended from Medium


See more recommendations