Prepared by:
HALBORN
Last Updated 12/17/2025
Date of Engagement: August 28th, 2025 - September 26th, 2025
Summary
100% of all REPORTED Findings have been addressed
All findings
21
Critical
2
High
1
Medium
0
Low
4
Informational
14
Table of Contents
1. Introduction
Blockstreet engaged Halborn to conduct a security assessment on their Blockstreet Launchpad program beginning on August 28, 2025 and ending on September 26, 2025. The security assessment was scoped to the smart contracts provided in the GitHub repository Blockstreet-Launchpad, commit hashes, and further details can be found in the Scope section of this report.
The Blockstreet team is releasing a new version their Blockstreet Launchpad Solana program. This program is a decentralized fundraising platform that enables crypto projects to raise capital through token sales by creating fundraising pools where investors can contribute funds in exchange for project tokens, featuring staking systems, fee collection mechanisms, and pool lifecycle management.
2. Assessment Summary
Halborn was provided 22 business days for the engagement and assigned one full-time security engineer to review the security of the Solana Programs in scope. The engineer is a blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of the assessment is to:
Identify potential security issues within the Solana Program.
Ensure that smart contract functionality operates as intended.
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Blockstreet team. The main ones were the following:
Exclude platform fees from pool accounting calculations to ensure accurate fund trackingImplement proper treasury account ownership validation in all the instructions where it is not implementedFix issues in the cancel contribution functionality to ensure users can properly cancel contributions
3. SCOPE
- Blockstreet-Launchpad/programs/blockstreet-launchpad/src/constants.rs
- Blockstreet-Launchpad/programs/blockstreet-launchpad/src/error.rs
- Blockstreet-Launchpad/programs/blockstreet-launchpad/src/events.rs
- 99a5830
- 0fbb6a9
- a58655f
- 094e8e3
4. Findings Overview
| Security analysis | Risk level | Remediation |
|---|---|---|
| Platform Fee Inclusion in Pool Accounting Creates Inconsistent Fund Tracking | Critical | Solved - 10/13/2025 |
| Multiple Account Ownership Validation Vulnerabilities Across Pool Creation, Contribution, and Staking Systems Enable Fee Diversion and Unauthorized Access | Critical | Solved - 10/13/2025 |
| Cancel Contribution Function is Non-Operational Due to Multiple Issues Preventing Users from Cancelling Contributions | High | Solved - 10/13/2025 |
| finalize_pool_with_liquidity Instruction Contains Multiple Vulnerabilities Leading to Permanent Fund Loss | Low | Solved - 10/13/2025 |
| Multiple Security Vulnerabilities and Validation Failures in Staking Pool Initialization Functions | Low | Solved - 11/25/2025 |
| Pool Vault Addresses Not Stored in Pool State Creates Operational Validation Challenges | Low | Solved - 10/13/2025 |
| Pool Finalization Instructions Fail to Update Pool State Values Breaking Token Claims and Pool Analytics | Low | Solved - 10/13/2025 |
| USD1 Staking System Contains Multiple Design Flaws and Missing Functionality That Must Be Redesigned to Prevent User Fund Lock and System Inconsistencies | Informational | Solved - 10/13/2025 |
| Pool Creation Instructions Validate Vault PDAs But Fail to Create Required Vault Accounts | Informational | Solved - 10/13/2025 |
| Logical Contradiction Prevents Pool Status Transition from Pending to Active | Informational | Solved - 10/12/2025 |
| Staking System Contains Multiple Design Flaws That Can Be Improved to Enhance Reward Calculation and Code Consistency | Informational | Solved - 10/13/2025 |
| Meteora Liquidity Instruction is Non-Functional and Lacks Multiple Call Protection | Informational | Acknowledged - 11/04/2025 |
| Missing Admin Approval Flag Assignment Creates Inconsistent Pool State | Informational | Solved - 10/13/2025 |
| Pool Migration Logic Contains Multiple Validation Gaps and Design Inconsistencies That Compromise Pool State Integrity | Informational | Solved - 10/13/2025 |
| Missing Fee Payment Tracking Prevents Validation of Pool Creation Requirements | Informational | Solved - 11/04/2025 |
| Variable Token Mints on Initialization Allow Platform-Wide Compromise | Informational | Solved - 10/13/2025 |
| Missing Length Validation on project_uri Allows for Oversized Data | Informational | Solved - 10/13/2025 |
| Fee Collection Event Emits Hardcoded Values, Leading to Inaccurate Off-Chain Data | Informational | Solved - 10/13/2025 |
| Decentralized Account Initialization Logic Increases Risk of Inconsistencies | Informational | Solved - 11/25/2025 |
| Update Pool Instruction Contains Security and Observability Issues That Enable Fund Locking and Reduce Transparency | Informational | Solved - 10/13/2025 |
| Pool Lifecycle Management Contains Inconsistent Hard Cap Completion Logic Leading to Behavioral Discrepancies | Informational | Solved - 10/13/2025 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Table of Contents
// Download the full report
Solana-Launchpad-Assessment
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed