StackerDAO dao-traits-v4 — Security Audit

SP2ZNGJ85ENDY6QRHQ5P2D4FXKGZWCKTB2T0Z55KS.dao-traits-v4
Audited: 2026-02-25 · Clarity version: pre-Clarity 4 · Confidence: High

Overview

dao-traits-v4 is a trait-definition-only contract from StackerDAO Labs. It defines 10 traits for a modular DAO framework: SIP-010 fungible tokens, proposals, governance tokens, extensions, NFTs, liquid fungible tokens, CDK/EDK energy-tap interfaces, an extended FT trait with mint/burn, and a share-fee-to trait.

This contract contains zero executable code — no functions, no state, no assets. It is purely a collection of define-trait declarations that other contracts implement.

Source: On-chain (Hiro Explorer) · Hiro API

Architecture: The contract serves as a shared interface registry for StackerDAO's modular DAO system. Contracts implementing these traits can be composed via contract-call? with trait parameters, enabling a pluggable DAO architecture where proposals, extensions, governance tokens, and fee-sharing components are interchangeable.

Priority Score

Metric                                    Score  Weight  Weighted
Financial risk                            0      3       0
Deployment likelihood                     3      2       6
Code complexity                           0      2       0
User exposure                             2      1.5     3
Novelty                                   1      1.5     1.5
Raw Score                                                1.05
Clarity version penalty (pre-Clarity 4)                  -0.50
Final Score                                              0.55 ✗

Note: This contract scores below the 1.8 audit threshold. It is included as a reference audit for the StackerDAO trait ecosystem. Trait-only contracts have no attack surface of their own — findings are purely informational design observations.

Findings Summary

Critical: 0 · High: 0 · Medium: 0 · Low: 0 · Informational: 4

Informational Findings

I-01 — governance-token-trait uses non-standard dmg- prefixed function names

Location: governance-token-trait

Description: The governance token trait defines functions with dmg- prefixes (e.g., dmg-get-balance, dmg-transfer, dmg-lock). "DMG" likely refers to an internal token name. This namespace prefix couples the trait to a specific implementation's naming convention rather than being generic.

(define-trait governance-token-trait
  (
    (dmg-get-balance (principal) (response uint uint))
    (dmg-has-percentage-balance (principal uint) (response bool uint))
    (dmg-transfer (uint principal principal) (response bool uint))
    (dmg-lock (uint principal) (response bool uint))
    (dmg-unlock (uint principal) (response bool uint))
    (dmg-get-locked (principal) (response uint uint))
    (dmg-mint (uint principal) (response bool uint))
    (dmg-burn (uint principal) (response bool uint))
  )
)

Impact: Any contract implementing this trait must use the dmg- prefix, even if its governance token has a different name. This reduces trait reusability across projects. A contract named "VOTE" still needs dmg-get-balance.

Recommendation: For a future v5, consider generic names: gov-get-balance, gov-transfer, gov-lock, etc. This would make the trait more broadly adoptable.

I-02 — sip010-ft-trait duplicates the canonical SIP-010 trait

Location: sip010-ft-trait

Description: This contract defines its own sip010-ft-trait that is functionally identical to the canonical SP3FBR2AGK5H9QBDH3EEN6DF8EK8JY7RX8QJ5SVTE.sip-010-trait-ft-standard.sip-010-trait. In Clarity, trait identity is based on the defining contract — so a contract implementing this local copy does not satisfy the canonical SIP-010 trait, and vice versa.

Impact: Contracts implementing StackerDAO's sip010-ft-trait cannot be used interchangeably with contracts expecting the canonical SIP-010 trait reference. This creates a parallel trait ecosystem that fragments interoperability. Implementors must implement both traits or choose one.

Recommendation: Reference the canonical trait via use-trait instead of redefining it. For functions that accept SIP-010 tokens, use the canonical trait principal. This is a common pattern in Stacks — the canonical trait exists specifically to avoid this fragmentation.
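To illustrate the point behind I-02, the following added example (not StackerDAO's code) shows a token contract that declares conformance to both the canonical SIP-010 trait and the local dao-traits-v4 copy with a single function set, which works only because the two traits have identical signatures. The token name, symbol, decimals and error code are assumptions.

```clarity
;; Constructed example, not part of dao-traits-v4. One set of SIP-010 functions
;; satisfies both trait identities; a contract that declared only the second
;; impl-trait would be rejected by tooling that checks for the canonical one.
(impl-trait 'SP3FBR2AGK5H9QBDH3EEN6DF8EK8JY7RX8QJ5SVTE.sip-010-trait-ft-standard.sip-010-trait)
(impl-trait 'SP2ZNGJ85ENDY6QRHQ5P2D4FXKGZWCKTB2T0Z55KS.dao-traits-v4.sip010-ft-trait)

;; Hypothetical token and error code for the example
(define-fungible-token example-token)
(define-constant ERR-NOT-TOKEN-OWNER (err u4))

;; Canonical SIP-010 transfer, including the optional memo that I-04 notes
;; is missing from dmg-transfer
(define-public (transfer (amount uint) (sender principal) (recipient principal) (memo (optional (buff 34))))
  (begin
    ;; only the balance owner may move their own tokens
    (asserts! (is-eq tx-sender sender) ERR-NOT-TOKEN-OWNER)
    (try! (ft-transfer? example-token amount sender recipient))
    ;; surface the memo as an event so indexers can attribute the transfer
    (match memo to-print (print to-print) 0x)
    (ok true)))

(define-read-only (get-name) (ok "Example Token"))
(define-read-only (get-symbol) (ok "EXT"))
(define-read-only (get-decimals) (ok u6))
(define-read-only (get-balance (who principal)) (ok (ft-get-balance example-token who)))
(define-read-only (get-total-supply) (ok (ft-get-supply example-token)))
(define-read-only (get-token-uri) (ok none))
```

Because trait identity is bound to the defining contract, dropping the first impl-trait line would leave the token compliant with StackerDAO's copy yet invisible to consumers that use-trait the canonical SIP-010 principal.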

I-03 — nft-trait duplicates the canonical SIP-009 NFT trait

Location: nft-trait

Description: Similar to I-02, the contract defines its own nft-trait that mirrors the canonical SP2PABAF9FTAJYNFZH93XENAJ8FVY99RRM50D2JG9.nft-trait.nft-trait. Same interoperability concern applies.

Impact: NFT contracts implementing this local trait are not recognized by tools and marketplaces that check for the canonical SIP-009 trait.

Recommendation: Use the canonical NFT trait reference.

I-04 — governance-token-trait transfer lacks memo parameter

Location: governance-token-trait · dmg-transfer

Description: The dmg-transfer function signature is (uint principal principal) → (response bool uint), omitting the optional memo buffer present in SIP-010. The standard SIP-010 transfer defined in the same contract includes (optional (buff 34)).

;; SIP-010 in same contract — has memo:
(transfer (uint principal principal (optional (buff 34))) (response bool uint))

;; Governance token trait — no memo:
(dmg-transfer (uint principal principal) (response bool uint))

Impact: Governance token transfers cannot carry memo data for exchange attribution or record-keeping. This is a minor interoperability gap — exchanges and bridges commonly rely on transfer memos.

Recommendation: Add (optional (buff 34)) parameter to dmg-transfer for consistency with SIP-010.

Trait Catalog

For reference, the 10 traits defined in this contract:

Trait                   Functions  Purpose
sip010-ft-trait         7          SIP-010 fungible token (duplicate of canonical)
proposal-trait          1          DAO proposal — single execute entry point
governance-token-trait  8          Governance token with lock/unlock/mint/burn
extension-trait         1          DAO extension callback interface
nft-trait               4          SIP-009 NFT (duplicate of canonical)
liquid-ft-trait         3          FT with deflation mechanism
cdk-trait               1          Charisma dungeon key — energy tap
edk-trait               1          Extended dungeon key — energy tap with CDK param
ft-plus-trait           9          SIP-010 + mint/burn (superset)
share-fee-to-trait      1          Fee distribution receiver

Conclusion

This is a zero-risk trait-only contract. It contains no executable code, holds no assets, and maintains no state. The findings are purely design observations about naming conventions and trait duplication. The most actionable recommendation is to reference canonical SIP-010 and SIP-009 traits rather than redefining them, to improve cross-ecosystem interoperability.