Prepared by:
HALBORN
Last Updated 10/10/2025
Date of Engagement: August 19th, 2025 - September 12th, 2025
Summary
100% of all REPORTED Findings have been addressed
All findings
12
Critical
4
High
1
Medium
2
Low
2
Informational
3
Table of Contents
1. Introduction
Emblem Vault team engaged Halborn to conduct a security assessment of the hustle-migration program from August 19th to September 12th, 2025. The security assessment was scoped to the smart contracts provided in the GitHub repository EmblemCompany; commit hashes and further details can be found in the Scope section of this report.
The hustle-migration program is a comprehensive token migration platform on Solana that enables anyone to create and manage projects for seamless token swaps. Projects can be created in two modes: protected or unprotected. Protected projects enforce additional security safeguards to minimize user risk by imposing stricter rules and administrator limitations. Unprotected projects, on the other hand, grant administrators greater flexibility. The platform supports concurrent token migrations across multiple projects with automatic fee collection, and it is specifically designed to recover liquidity from pools where projects no longer control the LP tokens. Advanced features include automated liquidity pool creation, percentage-based safeguarded migrations with real-time evaluation, refund mechanisms for failed migrations, BONK.fun integration for LP token splitting (90/10), and a Merkle tree–based claims system for users who miss the migration window.
It should be noted that changes made during the remediation phase that do not directly address the identified issues are considered out of scope for this security assessment.
2. Assessment Summary
Halborn was provided 19 days for the engagement and assigned 1 full-time security engineer to review the security of the Solana Program in scope. The engineer is blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of the assessment is to:
Identify potential security issues within the Solana Program.
Ensure that smart contract functionality operates as intended.
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which have been addressed by the Emblem Vault team. The main ones were the following:
Add a validation to ensure the new_token_amount is greater than 0.Add explicit checks to differentiate protected vs unprotected projects and enforce the expected requirements for each one to call emergency_withdraw.Modify the total_quote_tokens_for_refunds update in finalize_swap to add the new calculated amount.Add a validation to ensure the new tokens amount from the new_token_vault to create the pool does not affect the mft claims and merkle claims.Implement completely or remove the Token2022 support for the quote token mint, adjust accordingly all the instructions and remove the validation that enforce the quote token mint matches the native SOL mint.Implement Atomic creation of vault accounts, dynamic space calculation and Strict existence validation of the accounts.Ensure consistent handling of the TransferFeeConfig extension across all relevant instructions
3. SCOPE
- programs/hustle-migration/src/lib.rs
- programs/hustle-migration/src/events.rs
- programs/hustle-migration/src/errors.rs
- 5cc40c5
- 1c7c687
- 9d9f20b
- fe687d1
- 8abadbb
- f4f37ea
- 620de61
- c38cb7f
- edb037f
- 7fef55d
- 7ce55fe
4. Findings Overview
| Security analysis | Risk level | Remediation |
|---|---|---|
| Missing protected project validation in emergency withdraw | Critical | Solved - 09/29/2025 |
| Overwriting of total quote tokens for refunds May Lead to Incorrect Refund Distribution for protected projects | Critical | Solved - 09/02/2025 |
| Insufficient Validation of vaults' balances during pool creation | Critical | Solved - 09/02/2025 |
| Multiple vulnerabilities may lead into loss of funds and DoS | Critical | Solved |
| New token amount missing validation may lead in loss of old tokens | High | Solved - 09/30/2025 |
| Inconsistent Handling of TransferFeeConfig Extension | Medium | Solved - 10/07/2025 |
| Project Initialization DoS Caused by Insufficient PDA Allocation in create_token_accounts | Medium | Solved - 09/30/2025 |
| Risk of front-running during program initialization | Low | Risk Accepted - 10/03/2025 |
| Lack of 2-step transfer ownership mechanism | Low | Solved - 09/30/2025 |
| Missing Validation of Token Decimals and Migration Timestamps may lead in unusable projects | Informational | Solved - 09/29/2025 |
| Fee basis points missing validation in platform initialization | Informational | Solved - 09/29/2025 |
| Duplicated validations and unused fields | Informational | Solved - 10/04/2025 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Table of Contents
// Download the full report
Migrate.fun
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed