WalletGuard.ai, powered by Gestalt Labs
Findings selected for deep verification. Where possible, we generated a Solidity proof-of-concept and executed it against a forked mainnet.

- contracts/erc20/AudiusToken.sol, Function: initialize, permit, Lines: 260-276, 329-347
- contracts/erc20/AudiusToken.sol, Function: initialize, Lines: 309-318
- contracts/erc20/AudiusToken.sol, Function: permit, Lines: 333-346

No specific centralization concerns identified.
| Agent | Status | Findings | Severity | Confidence | Duration | Coverage |
|---|---|---|---|---|---|---|
| reentrancy | success | 25 | 6C | 93% | 3.4m | Proxy initialization and admin access control, Initializable contract storage and proxyAdmin handling, ERC20 minting and burning roles, ERC20 pausable mechanism and role initialization, ERC-2612 permit() function signature validation and nonce replay protection, ERC20Detailed metadata initialization, Cross-contract delegatecall and state synchronization between proxy and logic, Initializable modifier access control and storage layout synchronization, ERC20 token initialization and state setup, Permit function signature validation and replay attack vectors, Proxy admin access control and upgrade safety, ERC20 role-based initialization (minters, pausers), Cross-contract storage collision risks, EIP-712 domain separator caching and chainId handling, Nonce management in permit function, Proxy initialization and storage layout collision between AudiusAdminUpgradeabilityProxy and Initializable proxyAdmin variables, ERC2612 permit() implementation and DOMAIN_SEPARATOR computation with chainId opcode, AudiusToken.initialize() function and all commented-out initialization calls, MinterRole, PauserRole, and other access control role initialization, ERC20Detailed metadata initialization (name, symbol, decimals), Initial token supply minting and distribution to owner, Proxy admin change function (setAudiusProxyAdminAddress) and access controls, Cross-contract initialization dependencies and delegation patterns, Uninitialized state variables in inherited contracts and their security implications |
| access control | success | 24 | 1C1H | 82% | 3.9m | EIP-712 permit() signature verification and nonce handling, Initializer pattern and re-initialization risks in upgradeable contracts, Proxy upgrade authority and admin validation, Access control on privileged functions (initialize, upgradeTo, permit), Signature deadline enforcement and parameter validation, ERC20 standard compliance and token transfer guards, Pausable mechanism and minter/pauser role assignment, Initializable modifier and proxyAdmin field initialization, Permit function signature replay and nonce handling, DOMAIN_SEPARATOR caching and chain fork vulnerability, AudiusToken.initialize() implementation and commented-out code, Proxy admin access control and upgrade restrictions, ERC20 token initialization and role setup, Signature deadline validation and deadline > vs >= comparison, UpgradeabilityProxy constructor delegatecall and error handling, ERC20Detailed metadata initialization, Initializable contract initialization logic and proxyAdmin state management, ERC20Detailed, ERC20Mintable, ERC20Pausable initialization paths and role assignment, AudiusToken initialization and setup of child contract state, AudiusAdminUpgradeabilityProxy admin management and upgrade authority, EIP-712 DOMAIN_SEPARATOR computation and signature replay vectors, UpgradeabilityProxy constructor and delegatecall initialization validation, Cross-contract initialization and role setup interdependencies, Access control on proxy admin transfer and implementation upgrade functions |
| economic | success | 29 | 2H | 84% | 4.0m | Initializable contract and modifier behavior during proxy deployment, Storage layout and slot collisions between proxy and implementation, ERC20Detailed, ERC20Mintable, ERC20Pausable initialization flow, Permit function EIP712 implementation and signature validation, Proxy upgrade mechanism and access controls, Token initialization and parent class setup, Constructor execution order and delegatecall context, Initializable contract proxyAdmin state management and initialization flow, UpgradeabilityProxy constructor delegatecall initialization and error handling, AudiusAdminUpgradeabilityProxy upgradeTo() access control and implementation validation, AudiusToken.initialize() parent contract initialization calls and state setup, ERC20Detailed, ERC20Mintable, ERC20Pausable, ERC20Burnable parent class dependencies, EIP-712 DOMAIN_SEPARATOR computation and caching, permit() function signature recovery, nonce management, and deadline validation, MinterRole and PauserRole initialization and access control, Cross-storage collisions between Initializable.proxyAdmin and AudiusAdminUpgradeabilityProxy.proxyAdmin, Token supply initialization and initial minting logic, Commented-out initialization code in AudiusToken.initialize(), Initializer modifier and proxy initialization flow, Storage slot alignment and collision between Initializable and AudiusAdminUpgradeabilityProxy, Access control on initialize() function and re-initialization attacks, Permit function EIP712 signature validation and nonce management, DOMAIN_SEPARATOR stability across chain forks, Upgrade path storage layout validation, Delegatecall context for initialization in proxy constructor, EIP712 encoding standard compliance in permit function |
| logic validation | success | 27 | 1C4H1M | 81% | 3.4m | EIP-712 signature verification and domain separator management, Contract initialization and parent contract setup, Access control on initializer modifier, ERC20 token state management (mint, burn, transfer, approve), Pausable and Minter role initialization, Proxy upgrade mechanism and admin address management, Input validation on permit() function parameters, Signature recovery and verification in permit(), Nonce management for replay protection, Initializable contract proxyAdmin field initialization and initializer modifier guard logic, AudiusAdminUpgradeabilityProxy constructor and admin address handling, UpgradeabilityProxy delegatecall initialization and error handling, AudiusToken.initialize() function and commented-out initialization chains, ERC20Detailed, ERC20Mintable, ERC20Pausable initialization flow, permit() function signature verification, digest construction, and deadline validation, DOMAIN_SEPARATOR computation and caching for EIP-712 compliance, nonce management and side-effects in permit(), Storage layout synchronization between proxy admin and implementation, InitializableV2 wrapper and parent contract initialization, Initializable contract's initializer modifier and initialization state machine, Proxy admin access control in AudiusAdminUpgradeabilityProxy, EIP-712 domain separator caching and fork recomputation, EIP-712 permit() signature verification encoding, UpgradeabilityProxy constructor initialization and delegatecall handling, Implementation validation in BaseUpgradeabilityProxy, Cross-contract storage layout assumptions in proxy vs logic contract, Input validation on proxy admin and implementation addresses |
| code quality | success | 13 | 1C2H1M | 77% | 4.7m | ERC20 standard compliance (transfer, transferFrom, approve, balanceOf, allowance, mint, burn), ERC20Detailed initialization (name, symbol, decimals), MinterRole and PauserRole initialization and access control, ERC20Pausable functionality, ERC2612 permit() signature validation and replay protection, Proxy initialization and upgrade mechanism, InitializableV2 state management and initializer guard, AudiusAdminUpgradeabilityProxy admin checks and upgrade gating, Storage layout and state variable initialization across inheritance hierarchy, Initializable contract's initializer modifier and access control, AudiusToken.initialize() function and its commented-out initialization calls, EIP-712 permit() function signature digest computation, EIP-712 DOMAIN_SEPARATOR computation and fork compatibility, Proxy upgrade access control via AudiusAdminUpgradeabilityProxy, ERC-20 standard compliance (transfer, approve, mint, pause), Storage layout and state variable initialization across Initializable and AudiusAdminUpgradeabilityProxy, Nonce management in permit() function, Role-based access control (MinterRole, PauserRole) |
| compiler bugs | success | 13 | 1C3H | 91% | 2.0m | Proxy access control via initializer modifier and proxyAdmin, Token initialization flow and role assignment (minter, pauser), ERC20 state management (balances, allowances, supply), Signature verification in permit() function, Proxy upgrade mechanism and admin address validation, Initialization guard enforcement across inheritance chain, Initializable contract proxyAdmin field initialization and storage collision with AudiusAdminUpgradeabilityProxy, permit() function signature validation, nonce management, and EIP-712 domain separator, AudiusToken.initialize() commented-out parent contract initialization calls, DOMAIN_SEPARATOR chainId computation and chain fork vulnerability, AudiusAdminUpgradeabilityProxy admin management and upgrade validation, UpgradeabilityProxy constructor delegatecall and initialization, InitializableV2 parent contract field initialization, ERC20 parent contract re-initialization vulnerabilities, Storage layout compatibility across proxy and implementation contracts, Access control checks in admin and upgrade functions, Initializable contract proxyAdmin storage context and cross-contract visibility in ERC1967 proxy, AudiusAdminUpgradeabilityProxy initialization flow and delegatecall safety, UpgradeabilityProxy constructor execution and state validation, AudiusToken initialization sequence and multiple inheritance state variable initialization, Signature verification in permit() function against DOMAIN_SEPARATOR and PERMIT_TYPEHASH, ERC20 transfer, transferFrom, approve functions and allowance accounting, MinterRole and PauserRole access control and role inheritance chain, Pausable state checks in ERC20Pausable overrides, ERC20Burnable and burn/burnFrom internal function consistency, Token supply accounting across mint, burn, transfer operations |
| assembly safety | success | 23 | 1C2H2M | 84% | 3.4m | Initializable contract's proxyAdmin field and initializer modifier access control, Storage layout compatibility between Initializable and AudiusAdminUpgradeabilityProxy, ERC20Detailed.initialize() re-initialization protection, ERC20 and ERC20Pausable pausable transfer logic, permit() function signature verification and nonce handling (EIP-2612), UpgradeabilityProxy constructor delegatecall validation, AudiusAdminUpgradeabilityProxy upgradeTo() access control, Invisible character scan: No Right-to-Left Override (U+202E), zero-width joiners (U+200D), zero-width spaces (U+200B), zero-width non-joiners (U+200C), or Cyrillic homoglyphs detected in source code, Keyword obfuscation scan: No lookalike 'assembly', 'selfdestruct', 'delegatecall' identifiers detected, Assembly block analysis: found assembly in Initializable.isConstructor() (extcodesize check) and Proxy._delegate() (delegatecall), verified these use standard patterns without unsafe sload/sstore or shift operation reversals, Initializable contract proxyAdmin field initialization and guard enforcement, InitializableV2 wrapper and parent class initialization chain, AudiusToken.initialize() function and commented-out child initializations, permit() function EIP-712 implementation and signature verification, DOMAIN_SEPARATOR caching across network forks and chainId changes, Nonce handling and replay protection in permit(), Proxy initialization via UpgradeabilityProxy constructor, AudiusAdminUpgradeabilityProxy admin control and upgrade functions, Storage layout synchronization between Initializable and proxy, Non-ASCII characters and invisible characters in source code, Assembly blocks for delegate calls and governance logic, ERC20 role-based functions (mint, pause) initialization, Initializable modifier access control in logic vs proxy storage context, Storage layout collision between Initializable.proxyAdmin and AudiusAdminUpgradeabilityProxy.proxyAdmin, UpgradeabilityProxy constructor delegatecall timing and storage initialization, EIP-712 permit function signature validation and nonce management, Cross-contract delegatecall execution and state mutation, Proxy admin access control and upgrade authorization, ERC20 token state machine (mint, burn, transfer, approve) interactions with pausable/burnable, Initialization order and contract readiness checks, Non-ASCII characters and invisible character injection in identifiers and source |
| l2 specific | success | 24 | 5C3H1M | 87% | 3.7m | Initializer modifier and proxyAdmin access control in Initializable.sol, AudiusToken.initialize() function and missing parent contract initialization calls, ERC20Detailed, ERC20Pausable, ERC20Mintable initialization, DOMAIN_SEPARATOR computation and chain-fork vulnerability, permit() function signature validation and nonce handling, AudiusAdminUpgradeabilityProxy upgrade mechanism and admin access control, EIP-712 digest computation and signature replay protection, Initializable contract proxyAdmin state management and initializer modifier logic, UpgradeabilityProxy constructor delegatecall handling and initialization guards, AudiusAdminUpgradeabilityProxy admin management and upgrade functionality, AudiusToken.initialize() parent contract initialization chains and state setup, EIP-712 permit() function signature validation, replay protection, and deadline checking, ERC20Detailed, ERC20Mintable, ERC20Pausable initialization coverage, InitializableV2 wrapper re-initialization vulnerability patterns, Proxy storage layout and field synchronization between proxy and implementation, Cross-contract function call chains and state dependencies, Access control patterns in admin and role-based functions, Signature authentication in permit() function (EIP-2612), DOMAIN_SEPARATOR initialization and chain fork handling, Initializable modifier and storage layout in upgradeable contracts, ProxyAdmin access control and storage collision, Nonce management and race condition vulnerabilities, Initialization guards on ERC20 functions, Cross-chain signature replay attack surface, Storage layout consistency between proxy and logic contracts |
| math verification | success | 16 | 4C | 93% | 3.5m | Initializer pattern and multi-contract inheritance initialization chain (Initializable, ERC20Detailed, ERC20Mintable, ERC20Pausable, ERC20Burnable, InitializableV2, AudiusToken), Access control on upgradeTo() and setAudiusProxyAdminAddress() in AudiusAdminUpgradeabilityProxy, ERC20 token state initialization (name, symbol, decimals, totalSupply, minters, pausers), Permit function signature validation and nonce management (EIP-2612 compliance), Proxy delegation pattern and storage layout correctness, Function initialization order and guard conditions, Cross-contract delegatecall semantics and storage access patterns, Initializable contract storage initialization and proxyAdmin usage, AudiusToken.initialize() function completeness and parent contract initialization, InitializableV2 re-initialization vulnerability, AudiusAdminUpgradeabilityProxy constructor storage synchronization, permit() function EIP-712 signature verification and nonce handling, permit() DOMAIN_SEPARATOR caching and chainId fork vulnerability, Cross-function initialization chaining and state initialization ordering, Proxy delegation and delegatecall initialization sequencing, Proxy initialization and storage layout mismatch between Initializable and AudiusAdminUpgradeabilityProxy, Access control in initializer modifier vs proxyAdmin variable storage slots, Permit function signature verification and nonce increment ordering, EIP-2612 permit deadline validation and bounds checking, Cross-contract storage collision analysis between proxy and implementation, ERC20 token transfer, mint, and burn functions for consistency, Pausable and Mintable role-based access controls |
| upgrade | success | 20 | | 76% | 3.8m | Proxy pattern (ERC-1967 with custom admin extension), Initializable implementation and initialization guards, Access control on upgrade and admin functions, ERC20 implementation initialization and parent contract setup, ERC2612 permit() implementation and nonce handling, Storage collision and inheritance chain across upgradeable contracts, Initialization state management across contract inheritance, Proxy initialization flow via UpgradeabilityProxy and AudiusAdminUpgradeabilityProxy, Initializable and InitializableV2 state management and synchronization, Storage slot collisions between proxy and implementation proxyAdmin fields, ERC20 role initialization (minter, pauser) and commented-out initialization calls, permit() function signature verification and deadline handling, DOMAIN_SEPARATOR caching and chainId hard fork vulnerability, Access control on upgradeTo() and setAudiusProxyAdminAddress(), Nonce tracking and signature replay prevention, ERC20Detailed, ERC20Pausable, ERC20Mintable initialization gaps |
| cipher alpha | success | 9 | 2C2H2M1L | 73% | 2.7m | Cross-function reentrancy (categories: reentrancy), 3 RALPH iterations, Adversarial verification (iteration 3) |
| cipher beta | success | 10 | 3H2M | 84% | 3.2m | Economic exploit simulation (categories: flash_loan, governance, oracle_manipulation), 3 RALPH iterations, Adversarial verification (iteration 3) |
| cipher general | success | 0 | | 100% | 1.1m | General-category PoC verification (categories: access_control, signature_auth, integer_overflow, precision_loss, input_validation, unchecked_call, state_machine, timestamp_dependence, dos, upgrade_safety, storage_collision, standard_compliance, gas_optimization, logic_error, compiler_bug, assembly_safety, l2_specific, encoding_collision, delegatecall_safety, xss, csrf, cors_misconfiguration, session_management, data_exposure, open_redirect, ssrf, security_headers, cryptographic_weakness, other), 3 RALPH iterations, Adversarial verification (iteration 3) |
Invalid JSON in Claude response (stop_reason: max_tokens, outputTokens: 16384)
How this affects your report: findings normally surfaced by this specialist are missing; overlapping coverage from other agents still applies.
Zod validation failed: findings.4.affectedFile: Invalid input: expected string, received null; findings.4.affectedLines: Invalid input: expected string, received null; findings.4.codeSnippet: Invalid input: expected string, received null; findings.4.impact: Invalid input: expected string, received null; findings.4.remediation: Invalid input: expected string, received null
How this affects your report: findings normally surfaced by this specialist are missing; overlapping coverage from other agents still applies.
Invalid JSON in Claude response (stop_reason: max_tokens, outputTokens: 16383)
How this affects your report: findings normally surfaced by this specialist are missing; overlapping coverage from other agents still applies.
This report is an automated point-in-time assessment and does not guarantee protection against all possible attacks. It does not cover off-chain components, economic modeling, or business logic correctness unless explicitly noted. Changes to the contract after the audit commit are not reviewed. This is not financial or legal advice. WalletGuard, powered by Gestalt Labs, provides this analysis as-is with no warranty of completeness.
<a href="https://walletguard.ai/audit/fd50dc41-ddde-4354-8d47-1afa72c75cce"> <img src="https://walletguard.ai/api/badge/fd50dc41-ddde-4354-8d47-1afa72c75cce" alt="WalletGuard Audit Badge" /> </a>