Staking Rewards - Billions


Prepared by:

HALBORN

Last Updated 03/23/2026

Date of Engagement: March 19th, 2026 - March 19th, 2026

Summary

100% of all REPORTED Findings have been addressed

All findings: 4
Critical: 0
High: 0
Medium: 0
Low: 2
Informational: 2


1. INTRODUCTION

Billions engaged Halborn to perform a security assessment of their smart contracts on March 19th, 2026. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.


The StakingRewards contract is an upgradeable Synthetix-fork staking contract in which users stake BILL tokens to earn BILL rewards. On top of the standard reward distribution model it adds per-user time-locked staking, delegated on-behalf operations, and a global launch lock period, and it is governed by a timelock and a multisig.

2. ASSESSMENT SUMMARY

Halborn was allocated 1 day for this engagement and assigned 1 full-time security engineer to conduct a comprehensive review of the smart contracts within scope. The engineer is an expert in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.


The objectives of this assessment are to:

    • Identify potential security vulnerabilities within the smart contracts.

    • Verify that the smart contract functionality operates as intended.


In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were successfully addressed by the Billions team. The main recommendations were:

    • Skip withdraw() when unlocked amount is zero instead of reverting.

    • Cap the duration parameter to a reasonable maximum.

    • Override the renounceOwnership() function to revert.

    • Override grantRole() to restrict DEFAULT_ADMIN_ROLE to the current owner only.
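The four recommendations above, sketched as an added Solidity example (this is not the Billions code and not code from the Halborn report). It assumes OpenZeppelin's upgradeable Ownable and AccessControl, a Synthetix-style withdraw()/getReward() pair, and a hypothetical unlockedBalanceOf() helper and MAX_LOCK_DURATION constant.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Every name below that is not in
// the report (unlockedBalanceOf, MAX_LOCK_DURATION, the error types) is assumed.
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

abstract contract HardenedStakingRewards is OwnableUpgradeable, AccessControlUpgradeable {
    uint256 public constant MAX_LOCK_DURATION = 365 days; // assumed cap value
    uint256 public initialLockPeriod;

    error DurationTooLong(uint256 requested, uint256 max);
    error RenounceDisabled();
    error AdminRoleOnlyForOwner();

    // Assumed to exist in the Synthetix-style base contract.
    function withdraw(uint256 amount) public virtual;
    function getReward() public virtual;
    function unlockedBalanceOf(address account) public view virtual returns (uint256);

    // Finding: no upper bound on the lock duration. Bound it so a mistyped or
    // malicious value cannot lock user funds permanently.
    function setInitialLockPeriod(uint256 duration) external onlyOwner {
        if (duration > MAX_LOCK_DURATION) revert DurationTooLong(duration, MAX_LOCK_DURATION);
        initialLockPeriod = duration;
    }

    // Finding: exit() reverts when the whole balance is locked. Skip withdraw()
    // when nothing is unlocked so the user can still claim accrued rewards.
    function exit() external {
        uint256 unlocked = unlockedBalanceOf(msg.sender);
        if (unlocked > 0) withdraw(unlocked);
        getReward();
    }

    // Finding: third-party DEFAULT_ADMIN_ROLE holders persist across ownership
    // transfers. Only the current owner may ever be granted the admin role.
    function grantRole(bytes32 role, address account) public override onlyRole(getRoleAdmin(role)) {
        if (role == DEFAULT_ADMIN_ROLE && account != owner()) revert AdminRoleOnlyForOwner();
        super.grantRole(role, account);
    }

    // Finding: renounceOwnership() would strand AccessControl role management,
    // so the function is overridden to always revert.
    function renounceOwnership() public pure override {
        revert RenounceDisabled();
    }
}
```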


3. SCOPE

REPOSITORY
(a) Repository: billions-token
(b) Assessed Commit ID: 4b7e38f
(c) Items in scope:
  • contracts/staking/StakingRewards.sol
FILE
(a) Submitted File: contracts.zip
Remediation Commit ID:
  • 5250377
Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

Security analysis | Risk level | Remediation
No upper bound on setInitialLockPeriod duration allows permanent fund locking | Low | Solved - 03/18/2026
exit() reverts when user's full balance is locked | Low | Solved - 03/18/2026
Third-party DEFAULT_ADMIN_ROLE holders persist through ownership transfers | Informational | Solved - 03/18/2026
renounceOwnership() permanently destroys AccessControl role management | Informational | Solved - 03/18/2026

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
