Migrate.fun - Emblem Vault

1. Introduction

Emblem Vault team engaged Halborn to conduct a security assessment of the hustle-migration program from August 19th to September 12th, 2025. The security assessment was scoped to the smart contracts provided in the GitHub repository EmblemCompany; commit hashes and further details can be found in the Scope section of this report.

The hustle-migration program is a comprehensive token migration platform on Solana that enables anyone to create and manage projects for seamless token swaps. Projects can be created in two modes: protected or unprotected. Protected projects enforce additional security safeguards to minimize user risk by imposing stricter rules and administrator limitations. Unprotected projects, on the other hand, grant administrators greater flexibility. The platform supports concurrent token migrations across multiple projects with automatic fee collection, and it is specifically designed to recover liquidity from pools where projects no longer control the LP tokens. Advanced features include automated liquidity pool creation, percentage-based safeguarded migrations with real-time evaluation, refund mechanisms for failed migrations, BONK.fun integration for LP token splitting (90/10), and a Merkle tree–based claims system for users who miss the migration window.

It should be noted that changes made during the remediation phase that do not directly address the identified issues are considered out of scope for this security assessment.

2. Assessment Summary

Halborn was provided 19 days for the engagement and assigned 1 full-time security engineer to review the security of the Solana Program in scope. The engineer is blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

• Identify potential security issues within the Solana Program.

• Ensure that smart contract functionality operates as intended.

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which have been addressed by the Emblem Vault team. The main ones were the following:

• Add a validation to ensure the new_token_amount is greater than 0.

• Add explicit checks to differentiate protected vs unprotected projects and enforce the expected requirements for each one to call emergency_withdraw.

• Modify the total_quote_tokens_for_refunds update in finalize_swap to add the new calculated amount.

• Add a validation to ensure the new tokens amount from the new_token_vault to create the pool does not affect the mft claims and merkle claims.

• Implement completely or remove the Token2022 support for the quote token mint, adjust accordingly all the instructions and remove the validation that enforce the quote token mint matches the native SOL mint.

• Implement Atomic creation of vault accounts, dynamic space calculation and Strict existence validation of the accounts.

• Ensure consistent handling of the TransferFeeConfig extension across all relevant instructions