Prepared by:
HALBORN
Last Updated 01/15/2026
Date of Engagement: January 5th, 2026 - January 5th, 2026
100% of all REPORTED Findings have been addressed
| Severity | Findings |
|---|---|
| All findings | 6 |
| Critical | 0 |
| High | 0 |
| Medium | 1 |
| Low | 3 |
| Informational | 2 |
Billions engaged Halborn to conduct a security assessment of the Billions staking rewards contract. The assessment was performed on January 6th, 2026, with the reviewed commit hashes and in-scope contract details documented in the Scope section of this report.
The Billions staking implementation is based on a Synthetix-inspired reward distribution model and provides a staking framework that allows users to stake tokens and earn rewards over time. The system supports configurable reward distribution, pausing functionality, and controlled administrative operations, while introducing upgradeable architecture and time-locked staking mechanics. Upgradeability is implemented using an OpenZeppelin-compatible proxy pattern, enabling controlled logic updates while preserving on-chain state.
A full-time security engineer was assigned by Halborn to perform a targeted review of the smart contracts in scope. The engineer is a blockchain and smart contract security specialist with advanced penetration-testing and smart-contract auditing skills, and extensive knowledge of multiple blockchain protocols.
The purpose of the assessment was to:
- Identify potential security issues within the smart contracts.
- Confirm that smart contract functionality operates as intended.
In summary, Halborn identified several areas for improvement to minimize both the likelihood and potential impact of security risks, which were partially addressed by the Billions team. The primary issues included:
- Allowed recovery of reward tokens when staking and reward tokens are the same.
- Restricted fee-on-transfer tokens in the staking logic.
| Security analysis | Risk level | Remediation |
|---|---|---|
| Excess reward tokens are unrecoverable when staking and reward tokens are the same | Medium | Solved - 01/11/2026 |
| Staking logic is incompatible with fee-on-transfer (FOT) tokens | Low | Risk Accepted - 01/12/2026 |
| Redundant lockDuration field is stored but never used | Low | Risk Accepted - 01/12/2026 |
| Expired lock state is never cleared from storage | Low | Risk Accepted - 01/12/2026 |
| Single-step ownership transfer increases risk of accidental admin loss | Informational | Solved - 01/11/2026 |
| Locking staked tokens does not update accrued rewards | Informational | Acknowledged - 01/12/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.