
Community Security Audit: Subscription Smart Contract#9

Open

jdrains110-beep wants to merge 1 commit into PiNetwork:main from jdrains110-beep:feat/subscription-security-audit

Conversation

@jdrains110-beep

Summary

Adds a community security audit (SECURITY-AUDIT.md) for the Subscription Smart Contract (contracts/subscription/src/lib.rs).

This audit was conducted by the Triumph Synergy Digital Financial Ecosystem project as part of our integration with the Pi Network SDK and smart contract infrastructure.

Findings Overview

| ID   | Title                                                                          | Severity      |
|------|--------------------------------------------------------------------------------|---------------|
| S-01 | No deactivate_service method — merchants cannot sunset a service               | Medium        |
| S-02 | Unbounded Vec growth in MerchantServices, SubscriberSubs, ServiceSubs          | Medium        |
| S-03 | next_service_id / next_sub_id increment without checked_add                    | Low           |
| S-04 | do_approve rounds expiration down — may shorten approval by up to ~60 min      | Low           |
| S-05 | process() does not bump SubServicePair TTL — potential dedup bypass            | Low           |
| S-06 | Single admin key for upgrade — no rotation or time-lock                        | Informational |
| S-07 | is_subscription_active does not bump persistent storage TTLs                   | Informational |

Positive Findings (10)

The audit also documents 10 positive security patterns including proper require_auth(), checked_add/checked_mul for overflow protection, failure isolation in batch processing, no-drift billing, trial abuse prevention, and dynamic TTL scaling.

Approach

  • Full source code review of lib.rs (~600 lines)
  • No existing files modified
  • Findings follow standard severity classification (Medium / Low / Informational)
  • Recommendations are concrete and actionable
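The S-02, S-03 and S-04 patterns from the findings table, as an added Rust illustration. This is not code from the Pi Network contract or from the PR: the contract's soroban_sdk storage is stood in for by std types, the cap MAX_SERVICES_PER_MERCHANT, the State struct and the two expiration helpers are assumptions made here, and the one-hour granularity used to reproduce the "up to ~60 min" shortening is likewise an assumption rather than something read from lib.rs.

```rust
// Added illustration of audit findings S-02, S-03 and S-04 in plain Rust.
// Not the contract's code: soroban_sdk Map/Vec storage is replaced with std
// collections so the patterns can be run and tested on their own.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Error {
    IdOverflow, // S-03: id counter would wrap
    ListFull,   // S-02: per-merchant list hit its cap
}

/// Hypothetical cap on services per merchant (assumption for this example;
/// the real bound would be set by the maintainers when addressing S-02).
pub const MAX_SERVICES_PER_MERCHANT: usize = 100;

/// Stand-in for the contract's persistent state (assumption, not the real layout).
#[derive(Default)]
pub struct State {
    pub next_service_id: u64,
    pub merchant_services: HashMap<String, Vec<u64>>,
}

impl State {
    /// S-03 remediation: advance the counter with checked_add instead of `+= 1`,
    /// so exhaustion surfaces as an error rather than silently wrapping to 0.
    pub fn alloc_service_id(&mut self) -> Result<u64, Error> {
        let id = self.next_service_id;
        self.next_service_id = id.checked_add(1).ok_or(Error::IdOverflow)?;
        Ok(id)
    }

    /// S-02 remediation: refuse to grow the per-merchant Vec past a fixed cap.
    /// The capacity check runs before id allocation so a rejected call does
    /// not consume an id.
    pub fn register_service(&mut self, merchant: &str) -> Result<u64, Error> {
        let len = self.merchant_services.get(merchant).map_or(0, Vec::len);
        if len >= MAX_SERVICES_PER_MERCHANT {
            return Err(Error::ListFull);
        }
        let id = self.alloc_service_id()?;
        self.merchant_services
            .entry(merchant.to_string())
            .or_default()
            .push(id);
        Ok(id)
    }
}

/// S-04 as described: truncating the requested duration to whole `unit`s
/// before adding it to `now` can cut the approval short by almost one unit.
/// (Assumed shape of the arithmetic; only the rounding direction matters here.)
pub fn expiration_floor(now: u64, duration_secs: u64, unit_secs: u64) -> u64 {
    assert!(unit_secs > 0, "granularity must be non-zero");
    now + (duration_secs / unit_secs) * unit_secs
}

/// S-04 remediation: round the duration up to the next whole unit so the
/// approval never expires earlier than the caller asked for.
pub fn expiration_ceil(now: u64, duration_secs: u64, unit_secs: u64) -> u64 {
    assert!(unit_secs > 0, "granularity must be non-zero");
    let units = (duration_secs + unit_secs - 1) / unit_secs;
    now + units * unit_secs
}

fn main() {
    let mut s = State::default();
    let id = s.register_service("merchant-a").unwrap();
    println!("allocated service id {id}");

    // S-03: a counter sitting at u64::MAX must fail instead of wrapping.
    s.next_service_id = u64::MAX;
    println!("{:?}", s.register_service("merchant-b"));

    // S-04: a 90-minute approval with one-hour granularity (assumed unit).
    let now = 1_000;
    println!("floor: +{}s  ceil: +{}s",
        expiration_floor(now, 5_400, 3_600) - now,
        expiration_ceil(now, 5_400, 3_600) - now);
}
```

Run with `cargo run` or `rustc` on a single file; the capacity check precedes allocation deliberately, since allocating first would let a rejected call advance next_service_id and leave holes in the id space.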

Copilot AI review requested due to automatic review settings April 20, 2026 14:02

Copilot AI left a comment


Pull request overview

Adds a community-contributed security audit document for the Soroban subscription contract to capture identified risks, impacts, and recommended mitigations for integrators and maintainers.

Changes:

  • Introduces SECURITY-AUDIT.md with findings (S-01..S-07) and recommended remediations for contracts/subscription/src/lib.rs.
  • Documents positive security patterns observed in the current contract design.
  • Provides an at-a-glance summary table of findings and severities.



2 participants