Prepared by:
HALBORN
Last Updated 01/26/2026
Date of Engagement: January 20th, 2026 - January 21st, 2026
100% of all REPORTED Findings have been addressed
| All findings | Critical | High | Medium | Low | Informational |
|---|---|---|---|---|---|
| 5 | 0 | 0 | 0 | 3 | 2 |
EA Finance engaged Halborn to perform a security assessment of their smart contracts starting on January 20th, 2026 and ending on January 21st, 2026. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.
The EA Finance protocol is a complete cross-chain DeFi ecosystem with three integrated contracts: the wCC token for cross-chain transfers via LayerZero, a staking pool for WCC rewards, and a BridgeController for secure Canton-BSC bridging that immediately burns tokens to prevent double-spending. All three are secured with role-based access and pausable controls.
Halborn was allocated 2 days for this engagement and assigned 1 full-time security engineer to conduct a comprehensive review of the smart contracts within scope. The engineers are experts in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.
The objectives of this assessment are to:
- Identify potential security vulnerabilities within the smart contracts.
- Verify that the smart contract functionality operates as intended.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were acknowledged by the EA Finance team. The main recommendations were:
- Add validation to ensure the reward start time is not in the past.
- Add a minimum staking period requirement to prevent instant deposit-withdraw cycles.
- Remove the setRewardToken() function or allow changes only to same-decimal tokens.
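The three recommendations above can be expressed as guards in a staking pool. The following Solidity sketch is an added example, not code from the EA Finance contracts or from Halborn; every name except setRewardToken() is hypothetical, the one-day lock is an assumed value, and it models bookkeeping only, with token transfers omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

// Hypothetical pool: every name except setRewardToken() is an assumption.
contract StakingGuardsSketch {
    address public immutable owner;
    IERC20Decimals public rewardToken;
    uint256 public rewardStartTime;
    uint256 public constant MIN_STAKE_PERIOD = 1 days; // assumed value
    mapping(address => uint256) public staked;
    mapping(address => uint256) public lastDepositAt;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IERC20Decimals token) {
        owner = msg.sender;
        rewardToken = token;
    }

    // Reject a reward start time that is already in the past.
    function setRewardStartTime(uint256 startTime) external onlyOwner {
        require(startTime >= block.timestamp, "start time in the past");
        rewardStartTime = startTime;
    }

    // Bookkeeping only: records the stake and restarts the lock window.
    function deposit(uint256 amount) external {
        require(amount > 0, "zero amount");
        staked[msg.sender] += amount;
        lastDepositAt[msg.sender] = block.timestamp;
    }

    // A minimum staking period blocks instant deposit-withdraw cycles.
    function withdraw(uint256 amount) external {
        require(block.timestamp >= lastDepositAt[msg.sender] + MIN_STAKE_PERIOD, "stake locked");
        staked[msg.sender] -= amount; // reverts on underflow in Solidity 0.8+
    }

    // Allow a replacement only when its decimals match the current token.
    function setRewardToken(IERC20Decimals newToken) external onlyOwner {
        require(newToken.decimals() == rewardToken.decimals(), "decimals mismatch");
        rewardToken = newToken;
    }
}
```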
Halborn conducted a combination of manual code review and automated security testing to balance efficiency, timeliness, practicality, and accuracy within the scope of this assessment. While manual testing is crucial for identifying flaws in logic, processes, and implementation, automated testing enhances coverage of smart contracts and quickly detects deviations from established security best practices.
The following phases and associated tools were employed throughout the term of the assessment:
- Research into the platform's architecture, purpose and use.
- Manual code review and walkthrough of smart contracts to identify any logical issues.
- Comprehensive assessment of the safety and usage of critical Solidity variables and functions within scope that could lead to arithmetic-related vulnerabilities.
- Local testing using custom scripts (Foundry).
- Fork testing against main networks (Foundry).
- Static security analysis of scoped contracts and imported functions (Slither).
| Security analysis | Risk level | Remediation |
|---|---|---|
| Missing Validation for Reward Start Time | Low | Risk Accepted - 01/24/2026 |
| Disproportionate Reward Capture Due to Lack of Time Weighting | Low | Risk Accepted - 01/24/2026 |
| Reward Token Decimal Change Causes Accounting Failure | Low | Risk Accepted - 01/24/2026 |
| Missing Two-Step Ownership Transfer | Informational | Acknowledged - 01/24/2026 |
| Missing Order ID Validation in requestMint() | Informational | Acknowledged - 01/24/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.