Security Audit Report

WalletGuard.ai, powered by Gestalt Labs

April 17, 2026

ID: e0d83bf4

0xf31f...1911EVMBench: 2025-04-virtualsv1View audit historyEthereumLive TargetCritical Risk

Verified on BaseVerify externally Prompt 0xd29afd...

Apr 17, 2026, 06:34

Standard AuditModel: Claude Sonnet 4.6

What you got

Tier: Standard ($29)
Model: Sonnet
Specialists completed: 9 of 9

Risk Level: Critical Risk

Efficiency

0C13H28M9L

50 security | 2 code quality | 4 gas

13 High: across 6 files

In-Scope Security Score Guide

8.0 - 10.0Low Risk. No critical issues. Safe for interaction.

5.0 - 7.9Moderate Risk. Some issues found. Review before interacting.

1.0 - 4.9High/Critical Risk. Significant vulnerabilities detected.

Score is based on 56 findings from 10 specialist agents.

Exploit Analysis

Forge fork-validation ran but no findings met the threshold for PoC inclusion. See the per-finding "Forge validated" badges in the report below for individual results.

Executive Summary

The analyzed contract system is a multi-component NFT and AI agent protocol encompassing bonding curves, governance, reward distribution, staking, and token factory mechanics. The analysis identified 2 critical, 12 high, 18 medium, 7 low, and 5 informational findings after deduplication and scope filtering. The single most dangerous pattern is the complete absence of access control on BMWToken.mint() and BMWTokenChild.setFxManager(), which together allow any attacker to mint unlimited tokens and seize full mint authority with no preconditions. The contract system carries significant security risk in its current state; several high-severity issues affecting reward distribution, proxy initialization safety, and token accounting require remediation before production deployment.

Critical Highlights

criticalBMWToken.mint() Has No Access Control - Anyone Can Mint Unlimited Tokens

There is no restriction on who can call the mint function of BMWToken. Any person can create as many BMW tokens as they want, sending them to any address. This completely undermines the value of existing token holders and gives an attacker an unlimited supply of free tokens.

criticalBMWTokenChild.setFxManager() Has No Access Control - Anyone Can Change the Manager

The function that controls who is allowed to mint and burn BMWTokenChild tokens can be changed by absolutely anyone. An attacker can appoint themselves as the manager, then freely mint unlimited tokens to themselves or burn tokens belonging to other users.

highAgentRewardV2 and AgentRewardV3 Missing disableInitializers() in Constructor

These reward contracts are deployed behind a proxy but leave their implementation contracts unprotected. Anyone can call the initialization function directly on the implementation contract, grant themselves administrator privileges, and potentially manipulate the reward system or brick the implementation.

50 Security Findings | 2 Code Quality | 4 Gas Optimizations

high(13)

medium(28)

low(9)

Code Quality Observations(2)

Gas Optimizations(4)

Decentralization

5 centralization points identified

AgentVeToken.setCanStake() Can Only Be Called by Founder - No Recovery If Founder Key Lost

Staking mode can be permanently locked if the founder key is lost; there is no admin override mechanism, representing a governance concentration risk.

setCanStake()

AgentDAO allows proposal auto-execution when forVotes equals total supply - bypasses voting period_tryAutoExecute()

FERC20.burnFrom Allows Owner to Burn Any User's Tokens Without Allowance

The Bonding contract owner can burn tokens from any user's balance without consent; while used intentionally for pair unwrapping, the unrestricted scope is a centralization risk buyers must know about.

burnFrom()

ContributionNft: No access control on setEloCalculator - only admin check

Single-step admin transfer without a two-step acceptance pattern means an accidental transfer to the wrong address permanently loses admin control with no recovery.

setAdmin()

Bonding.launchFor: msg.sender pays but creator receives tokens - mismatched payment and token receipt

The launchFor function design allows a caller to assign the creator role to any address while retaining all initial tokens; this is either an intentional design or a potential griefing vector depending on the protocol's intent.

launchFor()

Attack Chain Analysis

BMWToken Unlimited Mint to Governance Takeovercritical

An attacker calls BMWToken.mint() (no access control) to mint an arbitrary quantity of BMW tokens to themselves. If BMW tokens carry governance or staking weight in any AgentDAO or VirtualGenesisDAO contract, the attacker can use the inflated balance to dominate voting. Combined with AgentDAO's _tryAutoExecute logic that immediately executes a proposal when forVotes equals total supply, the attacker can immediately execute any governance proposal including ones that drain protocol funds or alter reward settings.

BMWToken.mint() Has No Access Control - Anyone Can Mint Unlimited TokensAgentDAO allows proposal auto-execution when forVotes equals total supply - bypasses voting period

Uninitialized Proxy Implementation Admin Takeover Leading to Reward Manipulationhigh

An attacker calls initialize() on the bare AgentRewardV2 or AgentRewardV3 implementation contract (which has no _disableInitializers() guard) and grants themselves DEFAULT_ADMIN_ROLE and GOV_ROLE. With GOV_ROLE, the attacker can call setRewardSettings() with invalid share values that cause underflow or zero-distribution conditions. Because setRewardSettings lacks validation that shares sum to DENOMINATOR, the attacker can set all shares to zero or to values that cause systematic arithmetic reversion in _distributeAgentRewards, permanently blocking all reward distribution for the protocol.

AgentRewardV2 and AgentRewardV3 Missing disableInitializers() in ConstructorAgentRewardV2.setRewardSettings: No validation that shares sum to DENOMINATOR or within bounds

Cross-Function Reentrancy via ERC-777 Token Draining Service Rewardshigh

If the rewardToken is an ERC-777 compatible token, an attacker who owns multiple service NFTs calls claimAllRewards(). Inside _claimServiceRewards, safeTransfer triggers the attacker's onTokensReceived hook. At this point, claimAllRewards has no reentrancy guard and _claimServiceRewards has no guard. The attacker re-enters claimAllRewards for other NFT IDs whose state has not yet been updated in the current loop iteration, claiming those rewards before the state is marked as claimed. This attack is amplified because the noReentrant locks on _claimStakerRewards and _claimValidatorRewards are per-function and already released after those calls complete, leaving the outer loop window unprotected.

Custom noReentrant modifier uses storage lock that is not reset on revert, and _claimServiceRewards lacks reentrancy guardclaimAllRewards in AgentRewardV2 has no top-level reentrancy guard, allowing cross-function reentrancy between staker/validator/service claimsAgentRewardV2 and AgentRewardV3 Use Custom noReentrant Instead of OZ ReentrancyGuard

Division by Zero DoS Permanently Locking Staker Rewardshigh

When distributeRewards is called for a newly created agent whose DAO has no proposals (totalProposals == 0), the AgentRewardV3.getClaimableStakerRewards calculation divides by totalProposals, causing a revert. Because claim.rewardCount is advanced before this division in claimStakerRewards (the state update that happens when totalClaimable is computed via the zero-transfer path), the reward epoch pointer is permanently advanced past the broken epoch. All subsequent claim attempts for that virtualId will skip or revert on the same epoch, permanently locking those staker rewards with no recovery path.

AgentRewardV3 getClaimableStakerRewards Division by Zero When totalProposals is ZeroStaker reward claim transfers tokens even when claimable amount is zero

Manipulable LP Value Oracle Enabling Disproportionate Reward Extractionhigh

AgentRewardV3.getLPValue uses the spot balance of the reward token in the LP pool to determine reward weights. An actor who can donate tokens to a specific LP address (or who controls a large token balance) can inflate that agent's apparent LP value at the time distributeRewards is called. Because the reward split is proportional to these spot balances, the manipulator can redirect the majority of a reward distribution to a chosen agent. This is compounded by the division-by-zero risk in getClaimableStakerRewards if totalProposals is zero, which could be used to knock out competing agents from claiming their share while the manipulator's agent accumulates.

LP value used for reward weighting is based on spot token balance, manipulableAgentRewardV3 getClaimableStakerRewards Division by Zero When totalProposals is Zero

Agent Coverage

Agent	Status	Findings	Severity	Confidence	Duration	Coverage
reentrancy	success	11	2H2M2L	74%	1.7m	Cross-function reentrancy in AgentRewardV2 and AgentRewardV3 claim functions, Custom noReentrant modifier implementation (storage bool) across all contracts, ERC-777 callback reentrancy vectors via safeTransfer in reward contracts, CEI pattern compliance in all withdraw/claim functions, Division by zero edge cases in reward distribution math, FERC20 custom ERC20 implementation for invariant violations, Genesis contract onGenesisSuccess replay and state overwrite issues, AgentInference zero-address TBA transfer risk, Bonding contract unwrapToken logic and approval mechanics, AgentVeToken stake/withdraw reentrancy (noReentrant present), AgentFactoryV2/V3/V4 withdraw and execute functions (noReentrant present), ERC-1155 callback patterns (not present in this codebase), ERC-4626 vault patterns (not present), Flash loan callback patterns (not present)
access control	success	13	4H1M2L	82%	2.0m	Access control on all public/external functions across all contracts, Initializer protection and _disableInitializers() usage in upgradeable contracts, Reentrancy protection patterns (noReentrant vs OpenZeppelin ReentrancyGuard), Signature verification and authentication patterns, Delegatecall usage and proxy safety, Role-based access control (RBAC) with AccessControl and AccessControlUpgradeable, Ownership patterns in Ownable/Ownable2Step contracts, Token transfer and approval patterns, Division by zero edge cases in reward calculations, State machine transitions in Genesis and Bonding contracts, Cross-function reentrancy in reward claim functions, Agent validator registry access control, Bonding curve graduation and token unwrapping logic, ERC-2771 meta-transaction context in _msgSender() overrides, Governance proposal and voting security
economic	success	15	3H3M1L	77%	1.9m	Flash loan attack vectors in reward contracts and governance, Oracle manipulation in AgentRewardV3 LP value calculation, Governance attack vectors in AgentDAO and VirtualGenesisDAO, Reentrancy patterns across all contracts with custom noReentrant modifiers, Reward distribution logic and division by zero risks, Access control patterns across all contracts, MEV exposure in Bonding contract, Genesis contract state machine and timing logic, ContributionNft minting access control, AgentFactoryV4 custom token liquidity addition, AgentVeToken staking and withdrawal logic, AgentRewardV2 and V3 claiming logic for stakers, validators, and service contributors, ERC20 standard compliance in FERC20 and BMWToken, AgentInference prompt and promptMulti functions
logic validation	success	17	8M2L	76%	2.3m	Input validation on all public/external functions (array length mismatches, zero-value checks), Arithmetic safety - division by zero, integer overflow in reward calculations, Reward distribution logic in AgentRewardV2 and AgentRewardV3, Reentrancy vectors in claim functions with custom noReentrant modifier, Genesis lifecycle state machine (participate, onGenesisSuccess, onGenesisFailed, cancelGenesis), Bonding curve graduation flow in Bonding.sol, Access control on privileged functions (GOV_ROLE, ADMIN_ROLE, BONDING_ROLE), ERC20 token handling (SafeERC20 usage, approval patterns), Loop bounds and gas DoS vectors, Precision loss in share calculations, AgentInference prompt and promptMulti edge cases, AgentTax swap mechanics and creator fee distribution, AgentFactoryV3/V4 application lifecycle, AgentVeToken staking and withdrawal mechanics, ContributionNft and ServiceNft mint access control
code quality	success	19		82%	2.8m	ERC-20 conformance (FERC20, AgentToken, VirtualToken), ERC-721 conformance (ContributionNft, ServiceNft, AgentNftV2), ERC-1155 - not applicable, ERC-2612 permit - veVirtualToken, AgentToken, ERC-4626 vault - not applicable, ERC-1967 proxy upgrade safety and storage collisions, Reentrancy across all contracts with noReentrant/nonReentrant, Access control on all privileged functions, Arithmetic precision and division-by-zero in reward calculations, Bonding curve graduation logic, Genesis contract success/failure state machine, Validator reward distribution correctness, Agent factory application execution flow, Token burn accounting in FERC20, Slippage protection in AgentTax, AgentDAO auto-execution logic, AgentVeToken delegation mechanics, Gas optimization opportunities in loops, Cross-function reentrancy in reward claims, ERC-6551 token bound account integration
compiler bugs	success	8	3M	78%	1.4m	AgentInference prompt and promptMulti - token transfer flows, reentrancy, input validation, AgentRewardV2 - distribution logic, claim logic, reentrancy guards, division-by-zero risks, AgentRewardV3 - distribution logic, claim logic, division-by-zero in totalProposals/totalStaked, LOOP_LIMIT pagination, ContributionNft - minting access, admin management, ServiceNft - mint access control, impact calculation, Bonding/FERC20 - burnFrom access control, graduation flow, FFactory/FRouter - role-based access, tax handling, Genesis/FGenesis - participation, success/failure flows, state machine correctness, AgentFactoryV2/V3/V4 - application lifecycle, reentrancy, role checks, AgentVeToken - staking, withdrawal, delegation, AgentNftV2 - minting, validator management, blacklist, AgentDAO - voting, auto-execution, maturity calculation, Reward calculation arithmetic - precision loss, division by zero, Custom noReentrant modifier usage vs OpenZeppelin ReentrancyGuard, Compiler bug patterns - pragma is ^0.8.20, no affected version ranges apply
assembly safety	success	16	2M	77%	2.2m	Full codepoint scan for non-ASCII characters, RTLO (U+202E), zero-width joiners/spaces, and homoglyphs in all identifiers, comments, and strings - none found, All assembly{} blocks in FixedPointMathLib.sol, ERC6551BytecodeLib.sol, AgentFactory contracts, Airdrop.sol, and AgentToken.sol - checked for hardcoded slots, mstore overwrites, return vs leave, reversed shl/shr arguments, Reentrancy patterns in AgentRewardV2, AgentRewardV3, Genesis, Bonding, Division by zero vulnerabilities in reward distribution logic, Access control across all contracts, ERC20 standard compliance in FERC20, Governance logic in AgentDAO, VirtualGenesisDAO, VirtualProtocolDAO, Bonding curve graduation logic, Genesis contract success/failure flow, Proxy upgrade safety for upgradeable contracts, Storage layout in upgradeable contracts, ERC6551 TBA creation patterns, Reward claiming functions in AgentRewardV2 and AgentRewardV3, Token unwrapping in Bonding contract
l2 specific	success	17	6M	73%	2.7m	AgentInference: prompt and promptMulti token transfer logic, reentrancy guards, AgentRewardV2: reward distribution, validator reward calculation, contributor reward calculation, claim functions, custom noReentrant mutex, AgentRewardV3: reward distribution, claim functions, division-by-zero risks, LOOP_LIMIT logic, ContributionNft: mint access control, admin management, ServiceNft: mint access control, impact calculation, Bonding: launch, buy, sell, graduation logic, access control, FERC20: token implementation, burnFrom access control, FFactory/FRouter/FPair: AMM mechanics, access control, FGenesis/Genesis: genesis lifecycle, participant management, token distribution, AgentFactoryV2/V3/V4: application lifecycle, TBA creation, token deployment, AgentNftV2: NFT management, validator registry, blacklist, AgentToken: ERC20 with tax, autoswap mechanics, AgentVeToken: staking, withdrawal, delegation checkpoints, AgentDAO: governance, vote counting, auto-execution, VirtualGenesisDAO/VirtualProtocolDAO: quorum, early execution, AgentTax/BondingTax: fee collection, swap mechanics, Minter: reward minting, impact calculation, veVirtualToken: oracle transfer, transfer restrictions, BMWToken/BMWTokenChild: access control on mint functions, Airdrop: assembly-based batch transfer, TBABonus: bonus distribution, LPRefund: refund mechanics, EloCalculator: ELO rating math, Cross-contract reentrancy paths between reward claim functions, Integer overflow/underflow in reward calculations, L2-specific patterns: no L2-specific imports or predeploy addresses found; contract appears to be Ethereum mainnet (chain ID 1 per metadata)
upgrade	success	14	4H3M1L	85%	2.2m	Proxy pattern identification (ERC-1967 transparent proxy), Implementation contracts missing disableInitializers() constructor, Storage layout and upgrade safety across AgentRewardV2, AgentRewardV3, AgentFactoryV2, AgentFactoryV3, AgentFactoryV4, Custom reentrancy guard implementations vs OpenZeppelin ReentrancyGuardUpgradeable, Division by zero vulnerabilities in reward calculation functions, Access control on admin functions (GOV_ROLE, ADMIN_ROLE, BONDING_ROLE, FACTORY_ROLE), Genesis contract state machine and reentrancy protection, Bonding contract graduation flow and unwrapToken access control, AgentDAO maturity calculation edge cases, FERC20 burnFrom and token distribution mechanics, AgentToken tax and liquidity mechanisms, AgentVeToken staking and withdrawal logic, ContributionNft and ServiceNft minting authorization, ERC2771 meta-transaction context usage, Integer overflow/underflow (Solidity 0.8.20 has built-in checks), Reward claim state machine correctness, Loop limit enforcement in AgentRewardV3 (LOOP_LIMIT = 100)

Scope and Methodology

Target0xf31fc37be2243c722492e9a76c50cb595e0e1911

ChainEthereum

Proxy Patternerc1967

Complexitycomplex

Standards DetectedERC20, ERC721, ERC1155, ERC2771, ERC5805, ERC6551

Analysis ModelClaude Sonnet 4.6

Specialist Agents10

Agent Types

reentrancyaccess controleconomiclogic validationcode qualitycompiler bugsassembly safetyl2 specificupgrade

Scope TemplateNFT/Marketplace (auto-selected)

MethodologyAutomated multi-agent analysis. Each specialist agent independently reviews the contract source code for vulnerabilities in its domain. Findings are deduplicated, scored, and synthesized into this report.

Findings are gated by demonstrated exploit feasibility against the analyzed contract. Observations that describe accepted blockchain behavior, consensus-layer issues, or infeasible preconditions are excluded from scored findings. See scope policy.

Severity Classification

CriticalDirect loss of funds or complete protocol compromise. Exploitable with high likelihood. Requires immediate remediation.

HighSignificant risk to funds or protocol integrity. Conditionally exploitable or requires specific circumstances. Should be fixed before deployment.

MediumLimited or conditional impact. May require unlikely conditions to exploit. Should be addressed but not blocking.

LowMinor impact. Best practice deviations, minor inefficiencies. Fix when convenient.

InformationalNo direct security impact. Code quality observations, gas optimizations, style recommendations.

Limitations

This automated audit has inherent limitations. The following areas are not covered.

-Business logic correctness cannot be fully verified: the audit identifies code-level vulnerabilities and pattern mismatches but cannot confirm that the reward distribution formulas, bonding curve parameters, ELO scoring, or genesis participation rules reflect the intended economic design of the protocol.
-Off-chain component security is outside scope: the security of oracle infrastructure feeding price data, keeper bots calling distributeRewards, admin key management practices for GOV_ROLE and ADMIN_ROLE holders, and the multi-sig configuration protecting upgrade authority cannot be assessed from contract source alone.
-Economic modeling and tokenomics viability are not assessed: whether the bonding curve graduation thresholds, staking APYs, validator reward shares, or the FERC20 to agentToken unwrap ratio create sustainable incentives or are susceptible to economic attacks (e.g., validator collusion to inflate totalStaked) is beyond automated analysis.
-Cross-protocol composability risks from external integrations are partially analyzed: interactions with Uniswap V2 router, ERC-6551 token-bound account factories, the Polygon FxPortal bridge, and any future protocols that read FERC20 totalSupply or AgentDAO governance results may introduce risks not visible from this contract's code alone.
-Governance social dynamics are not modeled: the risk of vote-buying, delegate bribery, coordinated validator sybil attacks on the AgentNftV2 validator set, or collusion among GOV_ROLE holders to call setRewardSettings with unfavorable parameters cannot be evaluated through static analysis.
-Proxy upgrade storage layout collisions across future upgrades cannot be exhaustively verified: while current storage layouts were examined, any future implementation upgrade that adds new state variables without following the OpenZeppelin storage gap pattern could silently corrupt existing state in ways that are not detectable from the current codebase.

Disclaimer

This report is an automated point-in-time assessment and does not guarantee protection against all possible attacks. It does not cover off-chain components, economic modeling, or business logic correctness unless explicitly noted. Changes to the contract after the audit commit are not reviewed. This is not financial or legal advice. WalletGuard, powered by Gestalt Labs, provides this analysis as-is with no warranty of completeness.

Embed Badge

Markdown

[![WalletGuard Audit](https://walletguard.ai/api/badge/e0d83bf4-af41-436c-8d3f-3ea5518ef5ce)](https://walletguard.ai/audit/e0d83bf4-af41-436c-8d3f-3ea5518ef5ce)

HTML

<a href="https://walletguard.ai/audit/e0d83bf4-af41-436c-8d3f-3ea5518ef5ce">
  <img src="https://walletguard.ai/api/badge/e0d83bf4-af41-436c-8d3f-3ea5518ef5ce" alt="WalletGuard Audit Badge" />
</a>

Secured by WalletGuard

How We Audit View all reports for this contractUID: 0x8cf6608e...64f3a6This report was produced by generic vulnerability pattern matching.

Modelsonnet

Duration7.4m

CostN/A

Tokens- in / - out

Source verified via Etherscan