

WalletGuard.ai, powered by Gestalt Labs
Findings selected for deep verification. Where possible we generated a Solidity proof-of-concept and executed it against a forked mainnet.
- src/packages/Signer.sol, Function: _recoverSignerFromPayload, Lines: 105-111
- src/modules/Storage.sol, Function: MODULE_PROXY_INSTANTIATION, Lines: 71-76

| Agent | Status | Findings | Severity | Confidence | Duration | Coverage |
|---|---|---|---|---|---|---|
| reentrancy | success | 22 | 3H | 85% | 6.8m | Guard policy checkTransaction - selector blocking completeness including setFallbackHandler bypass, Guard policy hook path vs _checkTransaction mutual exclusion, Stop policy stopRent and stopRentBatch - CEI ordering and reentrancy via hooks, Create policy validateOrder - Seaport tip consideration items processing, PaymentEscrow settlePayment and skim - accounting integrity, ERC1155RewardHook and ERC20RewardHook claimRewards - recipient address correctness, Factory deployRentalSafe - safe initialization integrity, Kernel access control - executor and admin separation, Storage module - rental asset tracking and whitelist management, Signer package - EIP-712 signature validation, Reclaimer package - delegate call safety, Proxy upgrade path - ERC-1822 compatibility, Cross-function reentrancy in Stop policy via external hook callbacks, Cross-contract reentrancy between Stop policy and PaymentEscrow, Cross-function reentrancy in Stop.stopRent() and stopRentBatch() - hooks called before storage removal, Factory.initializeRentalSafe() access control - public function with no modifier, EIP-712 hash computation in Signer._deriveOrderMetadataHash() - missing orderType field, Guard._checkTransaction() module enable/disable without rental state check, stopRentBatch() rental asset accumulator deduplication across orders, Guard._loadValueFromCalldata() bounds checking, Guard.checkTransaction() setFallbackHandler bypass - confirmed already found by other agents, Seaport tip items in consideration array - confirmed already found by other agents, ERC20/ERC1155 reward hook claimRewards msg.sender vs rewardedAddress - confirmed already found, Create._rentFromZone() CEI ordering, PaymentEscrow._calculatePaymentProRata() rounding, Accumulator._insert() memory safety, Proxy upgrade safety and frozen state, Kernel role and permission management, ERC1155 batch transfer permanent block - confirmed already found, WhitelistedFulfillmentHook 
empty whitelist behavior - confirmed already found, Stop.stopRent() and stopRentBatch() CEI ordering and reentrancy vectors, _deriveRentalOrderHash() field inclusion completeness, _deriveRentalTypehashes() abi.encode vs abi.encodePacked for type hash computation, _deriveOrderMetadataHash() field inclusion completeness (orderType missing), _processPayeeOrderConsideration() items array population, Guard._checkTransaction() disableModule offset and Stop policy protection, Guard.checkTransaction() hook path bypass of _checkTransaction, ERC1155RewardHook.supportsInterface() incorrect interface ID, Reclaimer.reclaimRentalOrder() settleTo field usage, Factory.initializeRentalSafe() access control, setFallbackHandler bypass in Guard, Seaport tip items in consideration array, ERC20/ERC1155 reward hook claimRewards() recipient, Domain separator immutability on chain fork |
| access control | success | 24 | 1C8H4M | 87% | 6.5m | Guard policy selector enumeration - checked all blocked selectors against Gnosis Safe ABI, Seaport tip/consideration array handling in Create policy zone validation, EIP-712 domain separator chain ID handling and cross-chain replay, EIP-712 struct hash encoding for all types (Item, Hook, OrderMetadata, RentPayload), Signature replay - nonce, chain ID, expiration checks in Signer package, Access control on all external functions in all policy and module contracts, Kernel role management - grantRole/revokeRole, executor/admin separation, Factory.initializeRentalSafe public exposure and delegatecall risk, Reclaimer.reclaimRentalOrder delegatecall safety checks, Proxy upgrade path - Proxiable onlyByProxy and initialization guards, Guard hook bypass when hook is active for target contract, Payment escrow fee calculation and pro-rata split arithmetic, ERC1155/ERC20 reward hook claimRewards authorization and fund routing, Storage module whitelist controls for delegates and extensions, Stop policy rental order validation and lender stop permissions, Create2Deployer salt validation and cross-chain deployment safety, Hook extraData encoding in EIP-712 hash derivation, Guard._checkTransaction() selector coverage gaps beyond setFallbackHandler (already found by others), Stop.stopRent() and stopRentBatch() order of operations and reentrancy, Signer EIP-712 hash computation correctness for all struct fields, Factory.initializeRentalSafe() access control, Guard delegatecall path - what happens INSIDE whitelisted delegate targets, _deriveRentalOrderHash() field inclusion/exclusion analysis, Guard disableModule offset calculation correctness, Cross-function exploit chains combining multiple medium findings, Kernel.executeAction() access control, PaymentEscrow.skim() and fee accounting, Accumulator._insert() memory safety, Proxiable initialization guards, Hook extraData EIP-712 encoding compliance, _deriveOrderMetadataHash 
orderType omission (confirmed missing), Complete re-examination of _deriveRentalOrderHash() missing rentalWallet field and concrete exploit chain, rentalOrderTypeHash computation using abi.encode vs abi.encodePacked (EIP-712 type hash derivation), _processPayeeOrderConsideration() never writing to rentalItems array, disableModule offset constant (0x24 reads prevModule not module), stopRentBatch duplicate rentalId accumulation causing underflow DoS, Reclaimer.reclaimRentalOrder() ignoring item.settleTo field, Whitelisted module enablement bypassing guard via execTransactionFromModule, ERC1155RewardHook.supportsInterface() wrong interface ID, Factory.initializeRentalSafe() public with no access control - already extensively covered, Guard setFallbackHandler bypass - already covered in prior findings, Seaport tip consideration items - already covered in prior findings, EIP-712 domain separator immutability - already covered, claimRewards sending to msg.sender instead of rewardedAddress - already covered, _deriveOrderMetadataHash omitting orderType - already covered, Cross-chain interactions and signature replay patterns, Pro-rata payment rounding - already covered, Guard hook path bypass - already covered |
| economic | success | 24 | 2H3M | 83% | 7.5m | Gnosis Safe guard bypass paths: setFallbackHandler, setGuard, enableModule, disableModule selectors, Seaport tip/consideration item processing in _executionInvariantChecks vs totalOriginalConsiderationItems, Hook bypass when hooks are active (guard -> hook forwarding skips _checkTransaction), ERC1155 batch transfer guard coverage in hook-active vs non-hook path, Payment pro-rata calculation correctness and overflow conditions, Reward hook claimRewards transfer destination (msg.sender vs rewardedAddress), ERC20/ERC1155 reward hook lender address validation in extraData, PaymentEscrow fee calculation and skim function correctness, Storage module rental tracking correctness, Stop policy order hash verification sequence (hooks called before hash verification), Flash loan attack surface (no token balance-based pricing, not applicable), Oracle manipulation (no price feeds used, not applicable), Governance attacks (kernel executor/admin centralization, not independently exploitable), ERC-4626 vault inflation (not applicable, no ERC-4626 vault present), Reentrancy in settlePayment, stopRent, claimRewards, Proxy upgrade safety (ERC-1822 implementation verified), Create2Deployer salt validation, Signer EIP-712 domain and typehash correctness, Accumulator memory safety and _convertToStatic correctness, Guard.checkTransaction hook-path bypass combined with setFallbackHandler - chaining prior findings, stopRent/stopRentBatch reentrancy via ERC721/ERC1155 callbacks during reclaimRentalOrder, OrderMetadata hash missing orderType field - impact assessment and exploit chaining, Factory.initializeRentalSafe public function - delegatecall abuse scenario, Reward hook precision loss for ERC1155 amounts below 1e9, Guard calldata length validation for offset-based token ID loading, Cross-chain domain separator replay - already well covered by prior agents, Seaport tip items in consideration array - already well covered by prior agents, 
setFallbackHandler missing from Guard - already well covered by prior agents, claimRewards msg.sender vs rewardedAddress - already well covered by prior agents, ERC20RewardHook lenderShare manipulation - already well covered, Accumulator memory safety - already flagged, PaymentEscrow pro-rata rounding - already covered, Hook bypass for token transfers - already covered, PAYEE order consideration item processing in _processPayeeOrderConsideration - confirmed items array is never populated, stopRent() and stopRentBatch() reentrancy ordering - traced ERC721/ERC1155 callbacks during _reclaimRentedItems, Guard._checkTransaction disableModule offset calculation - verified 0x24 reads prevModule not module, ERC20/ERC1155 RewardHook lenderShare mutability across onStart/onStop calls, Reclaimer.reclaimRentalOrder() item.settleTo field usage - confirmed it ignores settleTo, Guard.checkTransaction data.length check ordering relative to hook path, ERC1155RewardHook.supportsInterface implementation correctness, WhitelistedFulfillmentHook access control and empty whitelist behavior, Factory.initializeRentalSafe public access - confirmed existing finding, _deriveRentalOrderHash missing rentalWallet - confirmed and assessed storage collision impact, Cross-finding chaining: disableModule offset bug + Stop module removal + NFT locking, Accumulator _insert memory safety with existing allocations, ProxIable.upgrade same-address upgrade behavior, Guard hook path bypassing data.length check |
| logic validation | success | 29 | 2H3M1L | 85% | 8.5m | Guard.sol: _checkTransaction selector coverage vs Gnosis Safe functions (setFallbackHandler bypass), Guard.sol: hook path bypass of core transfer checks, Create.sol: validateOrder Seaport tip/consideration array handling, Create.sol: _executionInvariantChecks vs totalOriginalConsiderationItems, Signer.sol: EIP-712 domain separator caching and chain fork replay protection, PaymentEscrow.sol: pro-rata payment calculation rounding direction, Stop.sol: stopRent and stopRentBatch validation logic, ERC20RewardHook and ERC1155RewardHook: reward accrual logic, claim authorization, lenderShare manipulation, WhitelistedFulfillmentHook: empty whitelist bypass, Accumulator.sol: memory management in dynamic array building, Reclaimer.sol: delegate call safety checks, Storage.sol: rental asset accounting, Kernel.sol: access control and module management, Factory.sol: safe deployment and initialization, Proxy.sol and Proxiable.sol: upgrade safety, RentalOrder hash computation in Signer._deriveRentalOrderHash() - checked for missing fields vs type string, Type hash computation using abi.encode vs abi.encodePacked in _deriveRentalTypehashes(), stopRent() and stopRentBatch() reentrancy paths via NFT receiver callbacks, Factory.initializeRentalSafe() access control, Guard._checkTransaction() - setFallbackHandler bypass (already found by others), Accumulator memory management and _convertToStatic() correctness, PaymentEscrow fee calculation and pro-rata split edge cases, Hook parameter validation - lender address in revenue share hooks, PAYEE order processing in _convertToItems() - items array population, Cross-function reentrancy between Create and Stop policies, Seaport tip item handling (already found by others), EIP-712 domain separator caching (already found by others), ERC20RewardHook.claimRewards() recipient mismatch (already found by others), Guard hook bypass path (already found by others), Guard._checkTransaction() - 
all selector checks including offset correctness for disableModule vs enableModule parameters, Signer type hash derivation - abi.encode vs abi.encodePacked for type hash computation, _deriveRentalOrderHash - missing rentalWallet field analysis and collision implications, _processPayeeOrderConsideration - items array population vs validation-only analysis, Reclaimer.reclaimRentalOrder - settleTo field usage vs hardcoded lender destination, Stop.stopRentBatch - accumulator sharing and duplicate order hash interactions, Guard.checkTransaction hook bypass - completeness of security when hook is active, Factory.initializeRentalSafe - public function accessibility (already well-covered by prior agents), ERC20/ERC1155 reward hooks - lenderShare manipulation and claimRewards recipient issues (covered by prior agents), Seaport tip consideration item processing (covered by prior agents), EIP-712 domain separator caching (covered by prior agents), setFallbackHandler bypass in Guard (covered by prior agents), Stop policy reentrancy via hooks (covered by prior agents), Accumulator._insert() memory layout, Proxiable upgrade and freeze logic, Kernel access control and role management, Create policy zero-amount consideration items, PaymentEscrow pro-rata rounding, WhitelistedFulfillmentHook empty whitelist bypass |
| code quality | success | 25 | | 87% | 7.4m | Gnosis Safe guard bypass vectors (setFallbackHandler, setGuard, enableModule, disableModule), Seaport zone tip item handling and totalOriginalConsiderationItems, EIP-712 signature hash correctness for all struct types, ERC-1822 proxy implementation slot correctness, Payment escrow accounting and settlement logic, Access control on all external/public functions, Hook security (onStart, onStop, onTransaction), Reclaimer delegate call security, Storage module rental asset tracking, ERC20 safe transfer patterns, Cross-function reentrancy paths, Integer overflow/underflow in payment calculations, Pro-rata payment rounding direction, ERC1155/ERC721 compliance of hook contracts, Factory safe deployment security, Kernel module permission system, Accumulator memory safety, Guard._checkTransaction selector coverage completeness, OrderMetadata hash computation vs type string field inclusion, Reclaimer item settleTo field handling, ERC1155RewardHook supportsInterface ERC-165 compliance, Factory.initializeRentalSafe access control, Module execution path vs guard bypass, Cross-module interaction chains, Stop policy execution order and reentrancy, Seaport tip item handling in Create policy, EIP-712 domain separator immutability, Hook extraData manipulation at stop time, PaymentEscrow fee calculation rounding, Guard._checkTransaction() selector coverage gaps (setFallbackHandler, disableModule offset), Signer hash computation (rentalOrderTypeHash, orderMetadataHash, hookHash, rentalWallet omission), Reclaimer.reclaimRentalOrder() settleTo field handling, Factory.initializeRentalSafe() access control, ERC20RewardHook/ERC1155RewardHook lenderShare mutability at stop time, ERC1155RewardHook.supportsInterface() ERC-165 compliance, Stop.stopRent/stopRentBatch ordering and reentrancy, Create._rentFromZone() Seaport tip handling, PaymentEscrow._calculatePaymentProRata() rounding, _processPayeeOrderConsideration() items array population, Accumulator._insert() memory safety, Proxiable upgrade mechanics, Cross-function reentrancy chains |
| compiler bugs | success | 15 | 1H1M | 85% | 5.0m | Guard.sol: _checkTransaction() - all blocked/unblocked selectors including setFallbackHandler gap, Guard.sol: checkTransaction() - delegate call restrictions, hook forwarding path vs basic check path, Create.sol: validateOrder() and _rentFromZone() - Seaport tip item handling, consideration array processing, Create.sol: _executionInvariantChecks() - ERC20/ERC721/ERC1155 recipient validation, Stop.sol: stopRent() and stopRentBatch() - rental validation, reclaim flow, payment settlement, Stop.sol: _reclaimRentedItems() - module-based bypass of guard, PaymentEscrow.sol: _settlePayment(), _calculatePaymentProRata() - fee calculation, pro-rata math, Storage.sol: addRentals(), removeRentals() - rental tracking, safe registry, Factory.sol: deployRentalSafe(), initializeRentalSafe() - safe setup, module/guard installation, ERC20RewardHook and ERC1155RewardHook: claimRewards() - reward recipient addressing bug, Kernel.sol: access control, role management, module/policy lifecycle, Signer.sol: EIP-712 signature verification, expiration checks, Reclaimer.sol: reclaimRentalOrder() - delegate call restrictions, Proxiable.sol: upgrade/freeze mechanism - ERC-1822 compatibility, Accumulator.sol: memory management for dynamic rental asset arrays, RentalConstants.sol: selector definitions - missing setFallbackHandler selector, Compiler bug analysis: pragma ^0.8.0/0.8.20 - no known relevant compiler bugs in this range, Guard._checkTransaction - all selector checks including missing setFallbackHandler (already found by others), Guard.checkTransaction - delegate call whitelisting bypass with full NFT transfer via whitelisted contract, Factory.initializeRentalSafe - public access control on initialization function, Signer._deriveOrderMetadataHash vs type string - orderType and emittedExtraData omission, Stop.stopRent / stopRentBatch - CEI pattern and reentrancy via ERC721 callbacks, Guard disable module check - interaction with 
whitelisted extensions allowing stop policy removal, Create._rentFromZone - Seaport tip handling (covered by others), PaymentEscrow._calculatePaymentProRata - rounding logic, ERC20RewardHook / ERC1155RewardHook - reward claiming logic (covered by others), Accumulator._insert - memory safety, Proxiable - upgrade mechanism and freeze logic, Kernel - role and permission management, Signer EIP-712 domain separator caching (covered by others), PAYEE order items array population in _convertToItems/_processPayeeOrderConsideration, EIP-712 type hash computation for rentalOrderTypeHash (abi.encode vs abi.encodePacked), Guard._checkTransaction() calldata offset for disableModule second argument (prevModule vs module), Guard.checkTransaction() ordering of data.length check relative to hook path, ERC1155RewardHook.supportsInterface() IERC1155 vs IERC1155Receiver interface ID, Accumulator._insert() memory safety for edge cases, Chain of disableModule offset bug + renter removing Stop policy module, Reclaimer.reclaimRentalOrder() item.settleTo field ignored for NFT transfers, _deriveRentalOrderHash missing rentalWallet field impact on stopRent, Factory.initializeRentalSafe() public access (extensively covered by prior agents), setFallbackHandler missing from Guard (extensively covered by prior agents), Seaport tip items in consideration (extensively covered by prior agents) |
| assembly safety | success | 23 | 1H3L | 82% | 6.3m | Full codepoint scan for non-ASCII characters, RTLO (U+202E), zero-width characters, and homoglyphs in all identifiers, function names, and string literals - none found, All assembly{} blocks: Create2Deployer.deploy (create2), Create2Deployer.generateSaltWithSender (shl/shr), Accumulator._insert (free memory pointer management), Accumulator._convertToStatic (memory reads), Guard._checkTransaction (selector load), Proxiable._getImplementation/_upgrade/_freeze (sload/sstore at named slots), Proxy._delegate (full delegatecall), KernelUtils.ensureContract (extcodesize), Seaport zone integration: validateOrder(), consideration array processing vs totalOriginalConsiderationItems, Gnosis Safe guard integration: setFallbackHandler bypass, all blocked selectors in _checkTransaction, Hook bypass via checkTransaction routing logic, ERC20/ERC1155 reward hook claimRewards() access control and recipient logic, Payment escrow fee calculation and pro-rata split, Stop policy: rental validation, accumulator usage in batch stops, hook removal, Create policy: item processing for BASE/PAY/PAYEE orders, execution invariant checks, Kernel: module/policy management, role system, Proxy upgrade safety: ERC-1822 compliance, freeze mechanism, Factory: safe deployment and initialization, Shl/shr argument order in Yul (generateSaltWithSender verified: shl(0x60, sender) is correct - shifts sender left by 96 bits = 12 bytes, shr(0xA0, data) shifts data right by 160 bits = 20 bytes, result is or'd to form bytes32 salt), Full codepoint-by-codepoint scan for non-ASCII characters in all identifiers, string literals, and comments - none found, Assembly blocks in Create2Deployer.deploy(), Create2Deployer.generateSaltWithSender(), Guard._loadValueFromCalldata(), Guard._checkTransaction(), Accumulator._insert(), Accumulator._convertToStatic(), Proxy._delegate(), Proxiable._isFrozen(), Proxiable._getImplementation(), Proxiable._upgrade(), 
Proxiable._freeze(), EIP-712 hash computation correctness in Signer.sol - _deriveRentalOrderHash, _deriveHookHash, _deriveOrderMetadataHash, _deriveRentalTypehashes, Rental order hash collision analysis via missing fields, Factory.initializeRentalSafe() access control and delegatecall path, Guard.checkTransaction() complete flow including hook bypass path, Stop.stopRent() and stopRentBatch() order of operations and reentrancy analysis, Create.validateOrder() and _rentFromZone() Seaport tip processing, PaymentEscrow._calculatePaymentProRata() arithmetic analysis, Accumulator._insert() memory safety analysis, Storage and PaymentEscrow proxy initialization security, ERC20RewardHook and ERC1155RewardHook claimRewards() recipient logic, Cross-chain replay via immutable domain separator, setFallbackHandler() guard bypass (confirmed as already reported), WhitelistedFulfillmentHook empty whitelist bypass, RestrictedSelectorHook selector coverage gaps, Full codepoint-by-codepoint scan for non-ASCII characters (RTLO, zero-width, homoglyphs) across all source files - CONFIRMED CLEAN, Assembly blocks in Create2Deployer.deploy(), Accumulator._insert(), Accumulator._convertToStatic(), Guard._loadValueFromCalldata(), Guard.checkTransaction(), Proxy._delegate(), Proxiable._getImplementation(), Proxiable._upgrade(), Proxiable._freeze(), KernelUtils.ensureContract() - all reviewed for anti-patterns, Yul shift operations in Create2Deployer.generateSaltWithSender() - shl/shr argument order verified correct, PAYEE order item processing gap: _processPayeeOrderConsideration writes no items to rentalItems array, disableModule offset bug: gnosis_safe_disable_module_offset=0x24 reads prevModule not module being disabled, Reclaimer.reclaimRentalOrder() ignores item.settleTo field, Guard calldata length validation before offset-based reads, _deriveRentalOrderHash missing rentalWallet field - impact analysis and chain exploitation, Factory.initializeRentalSafe() public access - already 
extensively covered by prior agents, Seaport tip consideration item processing - already covered by prior agents, setFallbackHandler bypass - already covered by prior agents, Stop policy reentrancy via hooks - already covered by prior agents, EIP-712 domain separator caching - already covered by prior agents, _deriveOrderMetadataHash missing orderType - already covered by prior agents, ERC20/ERC1155 reward hook claimRewards msg.sender issue - already covered by prior agents, Chaining analysis: disableModule offset bug + stop policy removal = permanent NFT lock, Chaining analysis: missing rentalWallet in hash + two orders with same params = hash collision, Proxy._upgrade() sstore with hardcoded IMPLEMENTATION_SLOT - verified named-slot pattern, not flagged, Proxy._delegate() assembly return/revert pattern - verified correct delegatecall proxy pattern, Proxiable freeze slot - verified named-slot pattern using keccak-derived constant |
| l2 specific | success | 25 | 3H2M1L | 81% | 7.1m | Guard policy transaction filtering - all selector checks and missing setFallbackHandler, Create policy validateOrder() and _rentFromZone() flow including Seaport tip item handling, EIP-712 domain separator computation and chain fork replay protection in Signer.sol, Reclaimer.reclaimRentalOrder() delegate call safety, PaymentEscrow payment settlement pro-rata calculation and fee handling, Storage module rental asset tracking and order hash management, Factory.deployRentalSafe() and initializeRentalSafe() initialization flow, Stop policy stopRent() and stopRentBatch() order validation, Hook contracts (ERC20RewardHook, ERC1155RewardHook, RestrictedSelectorHook) logic, Kernel access control - executor/admin role separation, Proxy upgrade safety and ERC-1822 compliance, Cross-function reentrancy paths in Stop and Create policies, Accumulator memory management for dynamic arrays, Whitelisted delegate call bypass potential, ERC1155 batch transfer restriction completeness, Module enable/disable whitelist checks, EIP-712 type hash consistency between type strings and encoding, Stop.stopRent() and stopRentBatch() reentrancy and ordering of effects vs interactions, Guard.checkTransaction() delegate call path and hook bypass path, Signer._deriveRentalOrderHash() field coverage (rentalWallet omission), Signer._deriveOrderMetadataHash() field coverage (orderType omission) - confirming and chaining, Guard._checkTransaction() gnosis_safe_disable_module offset error (prevModule vs module), Factory.initializeRentalSafe() access control and delegate call abuse potential, Seaport tip items chained to permanent DoS (blacklisted token tip), Accumulator._insert() memory safety in batch contexts, ERC1155RewardHook and ERC20RewardHook claimRewards() - covered by prior agents, PaymentEscrow._calculatePaymentProRata() rounding - covered by prior agents, Create policy hook processing, Stop policy hook processing and stale state, Kernel 
executor/admin privilege escalation paths, Proxy upgrade safety (freeze mechanism, onlyByProxy modifier), Create2Deployer salt collision, Reclaimer.reclaimRentalOrder() - item.settleTo field usage and recipient correctness, Stop.stopRentBatch() - CEI ordering and reentrancy during ERC20 payment settlement, Guard._checkTransaction() - disableModule offset correctness for two-argument function, Guard.checkTransaction() - hook bypass of _checkTransaction for token transfers, Create._processPayeeOrderConsideration() - items array population for PAYEE orders, Guard._loadValueFromCalldata() - bounds checking for short calldata, ERC1155RewardHook.supportsInterface() - IERC1155 vs IERC1155Receiver interface ID, RentalConstants.sol - offset constants correctness for enableModule vs disableModule, Accumulator._insert() - memory safety and free pointer management, Factory.initializeRentalSafe() - access control (already found by prior agents), Signer domain separator caching - already found by prior agents, Seaport tip handling - already found by prior agents, setFallbackHandler missing from guard - already found by prior agents, _deriveOrderMetadataHash orderType omission - already found by prior agents, _deriveRentalOrderHash rentalWallet omission - already found by prior agents |
| math verification | success | 22 | 2H3M | 85% | 6.1m | Guard._checkTransaction() - all blocked selectors vs. known Gnosis Safe function selectors including setFallbackHandler, Create.validateOrder() and _executionInvariantChecks() - Seaport tip items handling and totalOriginalConsiderationItems boundary, PaymentEscrow._calculatePaymentProRata() - rounding direction and formula correctness, ERC20RewardHook and ERC1155RewardHook - reward accumulation formula, division precision, lenderShare mutability across rentals, claimRewards() in both reward hooks - recipient address correctness, Signer._deriveOrderMetadataHash() and _deriveRentalOrderHash() - EIP-712 type hash completeness, Storage.removeRentals() and removeRentalsBatch() - underflow protection for rentedAssets, PaymentEscrow fee calculation - _calculateFee formula vs 10000 denominator, Reclaimer.reclaimRentalOrder() - delegate call enforcement, Factory.deployRentalSafe() - initialization sequence and guard setup, Stop._validateRentalCanBeStoped() - PAY order lender bypass logic, Kernel access control - executor/admin separation, Proxy/Proxiable upgrade safety and freeze mechanism, Create2Deployer salt validation, Guard checkTransaction - delegate call whitelist enforcement, ERC1155 batch transfer blocking - non-rented token DoS, EIP-712 type hash computation in Signer.sol - abi.encode vs abi.encodePacked for type strings, _deriveOrderMetadataHash field omissions (orderType, emittedExtraData), _deriveHookHash bytes encoding for EIP-712 compliance, PaymentEscrow._calculatePaymentProRata overflow and rounding analysis, Stop.stopRentBatch front-running DoS via single order pre-termination, Factory.initializeRentalSafe public access control and delegatecall abuse, Guard._checkTransaction setFallbackHandler bypass (already found by prior agents), Seaport tip items in consideration array (already found by prior agents), ERC20/ERC1155 reward hook claimRewards direction issue (already found), Accumulator._insert 
memory safety, Create._executionInvariantChecks tip item validation, PaymentEscrow fee calculation formula correctness, Cross-chain domain separator replay (already found by prior agents), Chaining: _deriveOrderMetadataHash omission + type substitution attack path, RentalOrder hash type string construction (abi.encode vs abi.encodePacked inconsistency), Arithmetic formulas in PaymentEscrow._calculatePaymentProRata() for rounding correctness, EIP-712 type hash derivation in Signer._deriveRentalTypehashes() using abi.encode vs abi.encodePacked, RentalOrder hash completeness - missing rentalWallet field in _deriveRentalOrderHash, Guard._checkTransaction() calldata offset correctness for disableModule(prevModule, module), ERC1155RewardHook.supportsInterface() interface ID correctness, Reclaimer.reclaimRentalOrder() settleTo field handling, ERC20RewardHook and ERC1155RewardHook lenderShare sourcing at stop vs start, WhitelistedFulfillmentHook.onStart() empty whitelist behavior, Factory.initializeRentalSafe() access control (already heavily covered), PAYEE order items array population gap, Reward hook division by 1e18 precision loss, Seaport tip item processing (already heavily covered), Guard setFallbackHandler bypass (already heavily covered), stopRent/stopRentBatch reentrancy ordering (already heavily covered), Chain ID replay in domain separator (already heavily covered) |
| upgrade | success | 24 | 1M | 80% | 7.4m | Proxy pattern identification - ERC-1822 UUPS via Proxiable contract, Storage layout collision across upgrades - StorageBase and PaymentEscrowBase isolation, Initialization risks - MODULE_PROXY_INSTANTIATION with onlyByProxy and onlyUninitialized guards, Guard contract - selector blocking completeness including setFallbackHandler, Seaport tip handling - consideration array processing vs totalOriginalConsiderationItems, Reentrancy in stopRent/stopRentBatch - ERC721/1155 callbacks during reclaim, Payment settlement logic - pro-rata calculation and fee handling, Hook security - onlyCreatePolicy/onlyStopPolicy access controls, Kernel access control - executor and admin privilege separation, Reward hook logic - claimRewards recipient address, ERC20 safe transfer patterns in PaymentEscrow vs hooks, Whitelist mechanisms for delegates and extensions, Cross-contract call chains from validateOrder through to storage, Guard._checkTransaction disableModule offset calculation (found wrong parameter loaded), Signer._deriveRentalOrderHash missing rentalWallet field, Factory.initializeRentalSafe access control and delegatecall exploit path, stopRentBatch partial failure and inconsistent state, Seaport tip items deep impact chain (un-stoppable rentals), Proxy._upgrade same-address upgrade edge case, Delegate call guard bypass via whitelisted delegate + isRentedOut parameter mismatch, Accumulator memory safety in _insert vs _convertToStatic, Create2Deployer deploy function for frontrunning, Kernel executeAction for ChangeExecutor/ChangeAdmin (no contract check), PaymentEscrow.skim for balance manipulation, ERC20RewardHook/ERC1155RewardHook lenderShare inconsistency between onStart and onStop, Module upgrade storage collision (PaymentEscrowBase and StorageBase inheritance), Reclaimer.reclaimRentalOrder() settleTo field handling, _processPayeeOrderConsideration() return array population, Guard._checkTransaction() disableModule offset 
correctness, Guard.checkTransaction() data.length check ordering relative to hook forwarding, Proxiable._upgrade() same-address check and freeze slot security, stopRent() CEI order and reentrancy via hook callbacks, stopRentBatch() accumulator correctness for same rentalId across multiple orders, ERC20/ERC1155 RewardHook extraData validation at stop time, Factory.initializeRentalSafe() public access control (already found by prior agents), setFallbackHandler bypass (already found by prior agents, not duplicated), Seaport tip items (already found by prior agents, not duplicated), EIP-712 domain separator caching (already found, not duplicated), _deriveOrderMetadataHash missing orderType (already found, not duplicated), _deriveRentalOrderHash missing rentalWallet (already found, not duplicated), claimRewards recipient mismatch (already found, not duplicated), Guard hook path bypasses _checkTransaction (already found, not duplicated) |
Request was aborted.
How this affects your report: findings normally surfaced by this specialist are missing; overlapping coverage from other agents still applies.
This report is an automated point-in-time assessment and does not guarantee protection against all possible attacks. It does not cover off-chain components, economic modeling, or business logic correctness unless explicitly noted. Changes to the contract after the audit commit are not reviewed. This is not financial or legal advice. WalletGuard, powered by Gestalt Labs, provides this analysis as-is with no warranty of completeness.