Loading...
LoadingLoading...
LoadingLoading audit report...
WalletGuard.ai, powered by Gestalt Labs
Findings selected for deep verification. Where possible we generated a Solidity proof-of-concept and executed it against a forked mainnet.
contracts/ERC20MetaTxUpgradeable.solFunction: nonceLines: 103-105contracts/Token.solLines: 228-229contracts/ERC20ControlerMinterUpgradeable.solFunction: __ERC20ControlerMinter_init_unchainedLines: 48-55contracts/ERC20ControlerMinterUpgradeable.solFunction: mintLines: 141-143contracts/FeesHandlerUpgradeable.solFunction: setGaslessBasefeeLines: 44-47contracts/ERC20ControlerMinterUpgradeable.solFunction: __ERC20ControlerMinter_initLines: 30-34The analyzed contract is a UUPS upgradeable ERC-20 token (EURF) with meta-transaction support, fee-on-transfer mechanics, role-based access control, and a gasless transaction forwarder. The analysis identified 4 critical, 10 high, 9 medium, 6 low, and 3 informational findings across 41 total deduplicated findings from 9 specialist agents. The most dangerous pattern is the complete absence of access control on core administrative functions, including setOwner, setMasterMinter, addMinter, addController, and removeController, which collectively allow any external actor to seize full protocol control and mint unlimited tokens. The contract in its current state is unsafe for production deployment and represents a complete protocol compromise risk.
Anyone on the internet can call these functions without any permission. An attacker can assign themselves the minter role and create unlimited new tokens, instantly destroying the value of every legitimate holder's balance. No special tools or technical expertise beyond a basic Ethereum transaction are required.
The function that transfers ownership of the entire contract has no security check. Any attacker can call it to make themselves the owner, then authorize a malicious upgrade that could drain all funds, brick the contract, or grant themselves unlimited minting rights. This is equivalent to leaving the master key to a bank vault on the front doorstep.
Even when the legitimate owner tries to transfer ownership to a new address, the transfer logic can accidentally revoke the new owner immediately or leave the old owner still in control. In a worst case, this can create a state where no valid owner exists, permanently locking the upgrade mechanism and critical admin operations.
1 centralization point identified
An ADMIN can use forceTransfer to bypass the fee mechanism. This is an admin capability that may or may not be intentional design, but represents a property of the protocol buyers should know about.
forceTransfer()An attacker first calls setOwner(attacker) to gain DEFAULT_ADMIN_ROLE with no access check. With DEFAULT_ADMIN_ROLE, the attacker calls setAdministrator(attacker) to gain ADMIN role, then calls setMasterMinter(attacker) and addMinter(attacker, type(uint256).max) to gain unlimited minting capability. The attacker then mints arbitrary tokens to any address, destroys token value, and can authorize a malicious UUPS upgrade via _authorizeUpgrade to permanently compromise the proxy.
An attacker calls addController(attacker) with no access check to grant themselves the CONTROLLER role. They then call safetySwitch() to halt all minting and burning operations. Because _operatingController is set to the attacker's address, only the DEFAULT_ADMIN_ROLE or the attacker themselves can re-enable operations. If the attacker was also able to seize DEFAULT_ADMIN_ROLE via the unguarded setOwner, they can permanently lock the protocol. Even without owning DEFAULT_ADMIN_ROLE, the attacker can repeatedly disable and enable operations to grief the protocol.
In transferWithAuthorization, transferSanity is called first which invokes _payTxFee, deducting fees from the holder before signature verification occurs in the super call. An attacker can call transferWithAuthorization with any valid holder address and an invalid or replayed signature. The fee is deducted from the holder's balance, then the super call reverts due to invalid signature, but the fee payment via _update has already executed. This allows an attacker to repeatedly drain fees from any holder address.
The Forwarder accepts a caller-supplied domainSeparator without validating it against the token's actual EIP-712 domain. A malicious relayer can supply a domainSeparator from a different chain or deployment where the user previously signed a valid request. Because the nonce state may differ across deployments, a signature consumed on one chain may still be valid on another. Combined with the shared nonce namespace between permit and transferWithAuthorization, an attacker can front-run a pending transferWithAuthorization by submitting a permit with the same nonce to invalidate it, or replay a cross-domain signature via the unvalidated forwarder to execute an unauthorized transfer.
| Agent | Status | Findings | Severity | Confidence | Duration | Coverage |
|---|---|---|---|---|---|---|
| reentrancy | success | 11 | 2C1L | 73% | 1.8m | Cross-function reentrancy in transfer, transferFrom, transferWithAuthorization, ERC-20 transfer hooks and callback patterns, Access control on all role-management functions, Signature verification in permit and transferWithAuthorization, Forwarder EIP-712 domain separator validation, Fee deduction logic and double-fee risks, UUPS upgrade authorization, Meta-transaction trusted forwarder security, Minting and burning access control, Blacklist and pause mechanism integrity, Integer overflow/underflow in fee calculations, CEI pattern compliance in all state-modifying functions |
| access control | success | 13 | 2C3H1M1L | 83% | 1.8m | Access control on all external/public functions across all files, Role management and privilege escalation paths, UUPS upgrade authorization and constructor safety, EIP-712 signature verification and replay protection in permit/transferWithAuthorization, Trusted forwarder ERC2771 meta-transaction handling, Fee calculation and deduction logic ordering, Initializer protection and initialization ordering, Ownership transfer patterns, Blacklist and pause enforcement in transfer flows, safetySwitch access control and denial-of-service vectors, Forwarder contract signature verification and domain separator handling, Cross-function interactions between fee payment and transfer execution |
| economic | success | 14 | 1H3M2L | 75% | 2.1m | Access control on all external/public functions in ERC20ControlerMinterUpgradeable (addMinter, removeMinter, setMasterMinter, addController, removeController), UUPS upgrade authorization in Token.sol (_authorizeUpgrade), ERC2771 trusted forwarder _msgSender() override and potential spoofing, Meta-transaction signature verification in ERC20MetaTxUpgradeable (permit, transferWithAuthorization), Forwarder domain separator validation and replay protection, Fee mechanism and fee bypass paths (forceTransfer, payGaslessBasefee), Pause and blacklist enforcement in adminSanity, Role initialization with address(0) for ADMIN and MASTER_MINTER, setOwner enumerable set ordering issue, safetySwitch griefing via unguarded addController, Flash loan attack surface (no token balance-based pricing, not applicable), Oracle manipulation (no price feeds present, not applicable), Governance token flash loan attacks (not applicable — no governance token voting), Reentrancy in _update, _mint, _burn paths, Integer overflow/underflow (Solidity 0.8.20 with built-in checks), Fee-on-transfer token accounting (not applicable — this IS the token), MEV/sandwich exposure on transfers |
| logic validation | success | 12 | 2H1M1L | 79% | 2.0m | Input validation on all public/external functions, Role-based access control on admin functions (setAdministrator, setOwner, setMasterMinter, addMinter, addController), Integer arithmetic in fee calculations, State machine integrity for safetySwitch and operating state, EIP-712 domain separator construction and signature verification in permit/transferWithAuthorization, Forwarder signature verification and replay protection, Fee deduction ordering relative to transfer execution, transferWithAuthorization ordering of sanity checks vs signature verification, UUPS upgrade authorization, Meta-transaction trusted forwarder pattern, AccessControlEnumerable index-0 ordering issues in role transfers, Dead code checks (uint < 0), ETH handling in Forwarder, Blacklist bypass scenarios for admin |
| code quality | success | 16 | 1C1M | 83% | 2.2m | Access control on all external/public functions, Role initialization and management (ADMIN, MASTER_MINTER, MINTER_ROLE, CONTROLLER, OWNER), ERC-20 transfer, transferFrom, approve, permit compliance, ERC-2612 permit standard compliance, Meta-transaction trusted forwarder security, Fee-on-transfer logic and atomicity, UUPS upgrade authorization, Safety switch mechanism, Blacklist enforcement in transfer paths, Forwarder signature verification, Integer overflow/underflow (Solidity 0.8.20), Reentrancy in transfer flows, Storage collision in upgradeable contracts, Dead code analysis, Gas optimization opportunities |
| compiler bugs | success | 8 | 1H1L | 85% | 1.4m | Access control on all external/public functions across all contracts, Role management logic in ERC20AdminUpgradeable and ERC20ControlerMinterUpgradeable, Signature verification in ERC20MetaTxUpgradeable (permit, transferWithAuthorization), Forwarder signature verification and domainSeparator handling, ERC2771 trusted forwarder implementation and _msgSender override, Fee calculation and payment logic in FeesHandlerUpgradeable and Token.sol, UUPS upgrade authorization, Reentrancy in transfer/mint/burn flows, Integer overflow/underflow (Solidity 0.8.20 has built-in checks), Blacklist bypass vectors, safetySwitch logic and controller role permissions, setOwner ordering and race conditions, Compiler bug patterns (pragma ^0.8.20 - outside all affected ranges), Storage collision in UUPS proxy pattern, Initializer security and constructor usage |
| assembly safety | success | 15 | 4H1M | 85% | 2.1m | Full codepoint scan for non-ASCII characters (RTLO, zero-width, homoglyphs) in all identifiers, strings, and comments, Assembly blocks: _msgSender() ERC2771 assembly in ERC20MetaTxUpgradeable — checked for calldataload offset correctness and shr argument order, Access control on all externally/publicly callable functions across all files, Role initialization patterns and address(0) role grants, UUPS upgrade authorization path, Fee calculation and double-deduction analysis in transfer/transferFrom/transferWithAuthorization, Signature authentication in permit and transferWithAuthorization including nonce sharing, Trusted forwarder ERC2771 _msgSender() manipulation path, safetySwitch logic and operating state management, setOwner ownership transfer logic and missing access control, Storage gap analysis for upgradeable contracts, forceTransfer admin bypass logic, Cross-function reentrancy (no external calls in transfer paths except _update which is internal), Integer overflow/underflow (Solidity 0.8.20, checked arithmetic), Delegatecall patterns in UUPS proxy, Keyword obfuscation and lookalike identifiers |
| l2 specific | success | 12 | 3H3M2L | 77% | 1.7m | Access control on all public/external functions across all files, Role initialization patterns (address(0) role grants), UUPS upgrade authorization path, ERC2771 trusted forwarder implementation and _msgSender override, Fee calculation and payment logic (double-fee potential), Transfer functions: transfer, transferFrom, transferWithAuthorization, Permit/EIP-712 signature verification, Blacklist and pause enforcement logic, safetySwitch controller logic, Forwarder signature verification and domain separator handling, Minting allowance management and enforcement, setOwner and setAdministrator ownership transfer logic, Integer overflow/underflow in fee calculations, Reentrancy in transfer paths (no external calls before state updates in critical paths), Cross-contract interaction between Forwarder and EURFToken, MASTER_MINTER and ADMIN role bootstrap with address(0) |
| upgrade | success | 14 | 1M | 78% | 2.6m | UUPS upgrade pattern and _authorizeUpgrade protection, Constructor initializer pattern vs _disableInitializers(), Storage layout across all inherited contracts for gaps and potential collisions, Access control on all external/public functions across all contracts, Role management (grantRole/revokeRole ordering bugs), Meta-transaction trusted forwarder pattern and _msgSender() override, EIP-712 permit and transferWithAuthorization signature verification, Fee calculation and payment logic, Blacklist and pause enforcement across transfer paths, Forwarder signature verification and domain separator handling, Minting/burning allowance enforcement, safetySwitch emergency stop logic, Cross-function reentrancy in transfer flows, Integer overflow/underflow in fee calculations, Storage slot collision between proxy ERC-1967 slots and contract storage |
This automated audit has inherent limitations. The following areas are not covered.
This report is an automated point-in-time assessment and does not guarantee protection against all possible attacks. It does not cover off-chain components, economic modeling, or business logic correctness unless explicitly noted. Changes to the contract after the audit commit are not reviewed. This is not financial or legal advice. WalletGuard, powered by Gestalt Labs, provides this analysis as-is with no warranty of completeness.
[](https://walletguard.ai/audit/0b5a7cf2-876b-46bd-ac46-8c0f9e9e0851)
<a href="https://walletguard.ai/audit/0b5a7cf2-876b-46bd-ac46-8c0f9e9e0851"> <img src="https://walletguard.ai/api/badge/0b5a7cf2-876b-46bd-ac46-8c0f9e9e0851" alt="WalletGuard Audit Badge" /> </a>
Secured by WalletGuard