DESCRIPTION
Halo is a social monetization platform for the AI era. Earn passive rewards from posts, transactions, and engagements with 1M+ pioneers.
The core contracts covered in this audit include the halo-token-earn-contract and HaloMem- bershipPass.sol of Halo. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains one high-risk issue that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Halo team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we find 4 potential issues in the smart contract. We also have 3 recommendations and 3 notes, as follows:
| ID | Severity | Description | Category | Status |
|---|---|---|---|---|
| 1 | Low | Potential loss of influencer airdrop in function setInfluencerInfos() |
DeFi Security | Confirmed |
| 2 | Low | Configuration overwrites and lack of validations in function setAirdropDetail() |
DeFi Security | Confirmed |
| 3 | Low | Potential incorrect reward distribution in function updateRewardRate() |
DeFi Security | Confirmed |
| 4 | High | Reuse of AdminSig enables upgrading multiple NFTs of users | DeFi Security | Fixed |
| 5 | - | Lack of comparison check in function setJustClaimPct() |
Recommendation | Confirmed |
| 6 | - | Lack of non-zero check for key parameters | Recommendation | Confirmed |
| 7 | - | Lack of check in function setClaimStartAt() |
Recommendation | Confirmed |
| 8 | - | Potential centralization risk | Note | - |
| 9 | - | HGP burn verification reliance on off-chain mechanisms | Note | - |
| 10 | - | Potential unavailability of claimRewardsAndStake() function due to StakeToken and RewardToken inconsistency |
Note | - |
More details are provided in the audit report.