Security Audit Report

WalletGuard.ai, powered by Gestalt Labs

April 17, 2026

ID: 6a49b9d8

0xe4e7...2976EVMBench: 2024-02-althea-liquid-infrastructurev1View audit historyEthereumLive TargetCritical Risk

Verified on BaseVerify externally Prompt 0xd29afd...

Apr 17, 2026, 05:43

Standard AuditModel: Claude Sonnet 4.6

What you got

Tier: Standard ($29)
Model: Sonnet
Specialists completed: 8 of 8

Risk Level: Critical Risk

Efficiency

0C9H8M6L

23 security | 1 gas

9 High: LiquidInfrastructureERC20.sol (9)

In-Scope Security Score Guide

8.0 - 10.0Low Risk. No critical issues. Safe for interaction.

5.0 - 7.9Moderate Risk. Some issues found. Review before interacting.

1.0 - 4.9High/Critical Risk. Significant vulnerabilities detected.

Score is based on 24 findings from 9 specialist agents.

Exploit Analysis

Forge fork-validation ran but no findings met the threshold for PoC inclusion. See the per-finding "Forge validated" badges in the report below for individual results.

Executive Summary

The analyzed contract is a LiquidInfrastructureERC20, an ERC-20 token that manages distributions of revenue from associated NFTs to approved token holders. The analysis identified 0 critical, 8 high, 7 medium, 6 low, and 3 informational findings across 24 total submissions. The most dangerous pattern is the combination of an unbounded holders array with DoS-enabling logic errors in holder management, distribution locking, and a permanently-stuck LockedForDistribution state triggered by any reverting ERC20 transfer, which can render the contract completely inoperable. The contract in its current form carries substantial operational risk and should not be considered safe for production deployment without significant remediation of its distribution, holder management, and state machine logic.

Critical Highlights

highDistribution can be permanently blocked if a disapproved holder still holds tokens

If any ERC20 token used for revenue distribution has a transfer that reverts (rather than returning false), the entire distribution process halts permanently. No transfers, mints, or burns of the infrastructure token are possible until the distribution finishes, and it never will. A single poorly-behaved token or a token that blacklists a recipient can brick the entire contract indefinitely.

highDuplicate Holder Entries in holders[] Array Due to _beforeTokenTransfer Logic

Every time tokens are burned, the address zero is added to the list of holders who receive revenue distributions. Over time this list fills with invalid entries. When a distribution runs, the contract will attempt to send tokens to address zero, which can cause the entire distribution to fail, permanently locking the contract and blocking all token operations.

highUnbounded holders array iteration in _afterTokenTransfer causes gas DoS

The contract scans every holder in a list every time a token transfer or burn occurs. If thousands of small accounts are created (which anyone can do by transferring tiny amounts), every future transfer becomes too expensive to process and will fail. At sufficient scale, the token becomes completely frozen: no one can transfer, mint, or burn.

23 Security Findings | 1 Gas Optimization

high(9)

medium(8)

low(6)

Gas Optimizations(1)

Decentralization

1 centralization point identified

withdrawFromManagedNFTs callable by anyone, enabling griefing

Near-duplicate of Finding 8. The permissionless nature of this function is a design property buyers should understand; it does not directly cause fund loss but enables state manipulation and event spoofing.

withdrawFromManagedNFTs()

Attack Chain Analysis

Holder Array Corruption Leading to Permanent Distribution Lockcritical

Finding 2 (address(0) pushed to holders on every burn) causes the holders array to grow with invalid entries. Finding 3 (missing break in removal loop) means duplicates are never properly cleaned up. Finding 4 (unbounded iteration) compounds the gas cost as the array grows. When distribution eventually runs against this corrupted array, Finding 16 (reverting ERC20 transfer permanently blocks distribution) triggers if any token reverts on transfer to address(0), permanently setting LockedForDistribution to true. At this point, all mints, burns, and transfers are frozen with no recovery path.

Duplicate Holder Entries in holders[] Array Due to _beforeTokenTransfer LogicMissing break in _afterTokenTransfer Holder Removal Loop Causes Incorrect Array ManipulationUnbounded holders array iteration in _afterTokenTransfer causes gas DoSDistribution can be permanently blocked if a disapproved holder still holds tokens

Griefing Mint Operations via Public Distribution Initiationhigh

Finding 10 (distribute() is publicly callable) allows any address to initiate a distribution and set LockedForDistribution to true whenever the minimum period has elapsed. Finding 5 (mintAndDistribute bypass) shows that if distribute() is called with numDistributions=1 by an attacker just before the owner calls mintAndDistribute(), the partial distribution leaves LockedForDistribution active. The owner's subsequent mint() call inside mintAndDistribute() then reverts because _beforeTokenTransfer checks LockedForDistribution. An attacker can repeatedly front-run mint operations, preventing the owner from ever minting until a full distribution completes, which itself may be blocked by Finding 16.

`distribute` is publicly callable — anyone can trigger and advance distribution statemintAndDistribute and burnAndDistribute Can Bypass Distribution LockDistribution can be permanently blocked if a disapproved holder still holds tokens

Withdrawal State Corruption via Permissionless Calls and Array Mutationhigh

Finding 8 (withdrawFromManagedNFTs has no access control) allows anyone to partially advance nextWithdrawal. Finding 6 (releaseManagedNFT always passes its require) means an NFT can be released without being removed from ManagedNFTs, shrinking the array. Finding 15 (nextWithdrawal not reset on array length change) means nextWithdrawal can exceed ManagedNFTs.length after a release, causing the reset condition to never trigger. The result is that future withdrawal cycles never emit WithdrawalFinished, the distribution cycle stalls waiting for withdrawals, and the protocol cannot function normally.

`withdrawFromManagedNFTs` is callable by anyone and can be used to grief the distribution cyclereleaseManagedNFT Always Passes Its require(true) ChecknextWithdrawal not reset on partial withdrawal failure, causing state inconsistency

Agent Coverage

Agent	Status	Findings	Severity	Confidence	Duration	Coverage
reentrancy	success	7	4H	88%	1.3m	Cross-function reentrancy in distribute(), mint(), burn(), and compound functions, ERC-777 tokensReceived callback attack surface via distributableERC20s, CEI (Checks-Effects-Interactions) pattern compliance in distribute(), holders[] array management in _beforeTokenTransfer and _afterTokenTransfer, Distribution state machine correctness (LockedForDistribution, nextDistributionRecipient), Withdrawal logic in withdrawFromManagedNFTs and LiquidInfrastructureNFT._withdrawBalancesTo, Access control on sensitive functions (onlyOwner, onlyOwnerOrApproved), releaseManagedNFT correctness and NFT transfer before state update, Integer precision loss in _beginDistribution entitlement calculation, ReentrancyGuard placement and coverage across all external-call functions, DoS via unbounded array iteration in _afterTokenTransfer, Read-only reentrancy on view functions (getThresholds, totalSupply), ERC-1155 callback patterns - not present in this contract, Flash loan callback patterns - not present in this contract
access control	success	9	2M	88%	1.5m	Access control on all public/external functions, Holder array management in _beforeTokenTransfer and _afterTokenTransfer, Distribution logic including entitlement calculation and distribution loop, Withdrawal logic and state management, Reentrancy protection (nonReentrant usage), Signature/authentication patterns (none present), Upgrade safety (no proxy pattern), Integer overflow/underflow (Solidity 0.8.12 with built-in checks), Precision loss in division, DoS via unbounded loops, Test contract security boundaries, releaseManagedNFT correctness, Two-step ownership transfer (Ownable without two-step)
economic	success	10	2M1L	85%	1.7m	Flash loan attack vectors - no price feeds or balance-based pricing found, not applicable, Oracle manipulation - no price oracles used in this contract, Governance attacks - no governance token voting mechanism present, MEV/sandwich exposure - no swaps or liquidations present, Reentrancy - nonReentrant guards checked on mint and releaseManagedNFT, distribute lacks guard but state is updated before external calls, Holder array management - linear search, unbounded growth, duplicate entries, address(0) insertion, Distribution entitlement math - integer division, precision loss, failed transfer handling, Distribution lifecycle - locking mechanism, begin/end distribution, partial distribution, NFT management - addManagedNFT, releaseManagedNFT correctness, Withdrawal cycle - nextWithdrawal counter, access control, index management, Access control - owner-only functions, permissionless functions, ERC20 compliance - _beforeTokenTransfer, _afterTokenTransfer hooks, Test contracts (TestERC20A/B/C, TestERC721A) - unrestricted mint in TestERC20A noted but test-only
logic validation	success	10	2H3M1L	85%	1.7m	Input validation on all public/external functions, holders array management in _beforeTokenTransfer and _afterTokenTransfer, Distribution state machine (LockedForDistribution, nextDistributionRecipient), Withdrawal state machine (nextWithdrawal, ManagedNFTs modification during withdrawal), Arithmetic precision in entitlement calculation (division before multiplication), Integer overflow/underflow in unchecked blocks (none found), ERC20 transfer failure handling in distribute(), Access control on administrative functions, Reentrancy protection coverage across mint, burn, distribute, withdraw, releaseManagedNFT logic correctness, address(0) handling in token transfer hooks, Gas DoS vectors in loops, OwnableApprovableERC721 modifier correctness, LiquidInfrastructureNFT withdrawal access control, Test contract files (informational only, no production vulnerabilities)
code quality	success	11	1L	89%	1.5m	ERC-20 conformance (transfer, transferFrom, approve, events), ERC-721 conformance (LiquidInfrastructureNFT functions and events), ERC-165 supportsInterface, Reentrancy vectors in distribute, mint, withdraw functions, Access control on owner-only and holder-management functions, Distribution logic: entitlement calculation, precision loss, holder list management, Holder array integrity (add/remove on transfer/mint/burn), Integer overflow/underflow (Solidity 0.8.12 built-in protections), Gas optimization: external vs internal calls, loop patterns, Withdrawal logic from ManagedNFTs, Dead code: require(true, ...) in releaseManagedNFT, Test contracts for production safety risks, OwnableApprovableERC721 access control modifiers, Proxy/upgrade patterns - none present
compiler bugs	success	7	1H	90%	1.0m	Reentrancy patterns in distribute(), mint(), releaseManagedNFT(), Access control on all public/external functions, Holders array management in _beforeTokenTransfer and _afterTokenTransfer, Distribution entitlement calculation and integer division precision, Withdrawal flow ordering relative to distribution, LockedForDistribution state machine transitions, releaseManagedNFT correctness check, Compiler version (0.8.12) - no known compiler bugs applicable, ERC20/ERC721 standard compliance, Integer overflow/underflow (Solidity 0.8.x built-in protection), Dust/remainder accumulation in distribution, DoS via unbounded loops
assembly safety	success	9	1H2L	85%	1.7m	Full codepoint scan for non-ASCII characters in all identifiers, strings, and comments — none found, Absence of assembly{} blocks confirmed across all files, holders array growth and shrinkage logic in _beforeTokenTransfer and _afterTokenTransfer, Distribution logic in distribute(), _beginDistribution(), _endDistribution(), releaseManagedNFT dead require(true) check, mintAndDistribute and burnAndDistribute reentrancy and griefing paths, Integer division truncation in entitlement calculation, withdrawFromManagedNFTs state machine and interaction with array modifications, setDistributableERC20s mid-distribution mutation, Access control on all public/external functions, TestERC20A unrestricted mint(), OwnableApprovableERC721 modifier logic, LiquidInfrastructureNFT withdrawal access control, ERC20 standard compliance and _beforeTokenTransfer/_afterTokenTransfer hooks, ReentrancyGuard application on mint() and releaseManagedNFT(), Keyword and identifier homoglyph scan — no suspicious characters found
l2 specific	success	10	1H1M1L	89%	1.5m	Reentrancy vulnerabilities in distribute(), mint(), releaseManagedNFT(), Access control on all public/external functions, Holders array management in _beforeTokenTransfer and _afterTokenTransfer, Distribution logic in _beginDistribution, distribute, _endDistribution, Integer overflow/underflow and precision loss in entitlement calculation, NFT withdrawal logic and state consistency in withdrawFromManagedNFTs, ERC20 transfer failure handling in distribute(), Lock state (LockedForDistribution) consistency across all code paths, MintAndDistribute, burnAndDistribute, burnFromAndDistribute convenience functions, TestERC20A/B/C deployment risk on mainnet, OwnableApprovableERC721 modifier correctness, LiquidInfrastructureNFT withdrawBalances and threshold management, L2-specific concerns (block.number timing, chain ID)

Scope and Methodology

Target0xe4e7c6e780b0d69f87bc858e24425124cd392976

ChainEthereum

Complexitycomplex

Standards DetectedERC20, ERC20Burnable, ERC721, ERC721Holder

Analysis ModelClaude Sonnet 4.6

Specialist Agents9

Agent Types

reentrancyaccess controleconomiclogic validationcode qualitycompiler bugsassembly safetyl2 specific

Scope TemplateNFT/Marketplace (auto-selected)

MethodologyAutomated multi-agent analysis. Each specialist agent independently reviews the contract source code for vulnerabilities in its domain. Findings are deduplicated, scored, and synthesized into this report.

Findings are gated by demonstrated exploit feasibility against the analyzed contract. Observations that describe accepted blockchain behavior, consensus-layer issues, or infeasible preconditions are excluded from scored findings. See scope policy.

Severity Classification

CriticalDirect loss of funds or complete protocol compromise. Exploitable with high likelihood. Requires immediate remediation.

HighSignificant risk to funds or protocol integrity. Conditionally exploitable or requires specific circumstances. Should be fixed before deployment.

MediumLimited or conditional impact. May require unlikely conditions to exploit. Should be addressed but not blocking.

LowMinor impact. Best practice deviations, minor inefficiencies. Fix when convenient.

InformationalNo direct security impact. Code quality observations, gas optimizations, style recommendations.

Limitations

This automated audit has inherent limitations. The following areas are not covered.

-Business logic correctness: The audit can detect deviations from expected patterns but cannot verify whether the distribution entitlement model, approval gating, and minimum distribution period are economically correct or aligned with the protocol's intended revenue-sharing rules.
-Off-chain component security: The security of admin key management, keeper bots responsible for calling distribute() and withdrawFromManagedNFTs(), and any multisig or governance infrastructure controlling the owner role are entirely outside the scope of this analysis.
-Economic modeling: The viability of the revenue distribution model, the impact of token supply changes on entitlement values over time, and whether the precision loss in entitlement calculations meaningfully harms token holders at realistic supply and balance values cannot be determined by static analysis alone.
-Cross-protocol composability: The security of external ERC-20 tokens listed in distributableERC20s is not analyzed. Malicious, upgradeable, or fee-on-transfer tokens introduced by the owner could alter the behavior of distribution in ways not covered here.
-Governance social dynamics: The single-owner model with no timelock means the owner can call setDistributableERC20s, approveHolder, disapproveHolder, and addManagedNFT at will. The analysis identifies the on-chain impact of these powers but cannot assess the trustworthiness or operational security of the key holder.
-LiquidInfrastructureNFT dependency: The security of the LiquidInfrastructureNFT contract and its withdrawal mechanics are analyzed only at the interface level. Internal vulnerabilities in that contract's _withdrawBalancesTo or threshold management that do not surface at the ERC20 call boundary may not be fully captured.

Disclaimer

This report is an automated point-in-time assessment and does not guarantee protection against all possible attacks. It does not cover off-chain components, economic modeling, or business logic correctness unless explicitly noted. Changes to the contract after the audit commit are not reviewed. This is not financial or legal advice. WalletGuard, powered by Gestalt Labs, provides this analysis as-is with no warranty of completeness.

Embed Badge

Markdown

[![WalletGuard Audit](https://walletguard.ai/api/badge/6a49b9d8-ffd6-460c-b8b3-a2b34fc88cd3)](https://walletguard.ai/audit/6a49b9d8-ffd6-460c-b8b3-a2b34fc88cd3)

HTML

<a href="https://walletguard.ai/audit/6a49b9d8-ffd6-460c-b8b3-a2b34fc88cd3">
  <img src="https://walletguard.ai/api/badge/6a49b9d8-ffd6-460c-b8b3-a2b34fc88cd3" alt="WalletGuard Audit Badge" />
</a>

Secured by WalletGuard

How We Audit View all reports for this contractUID: 0x55ac7af5...81b4bfThis report was produced by generic vulnerability pattern matching.

Modelsonnet

Duration4.2m

CostN/A

Tokens- in / - out

Source verified via Etherscan