- Assurance
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  AI Red Teaming
  Testing AI systems against real threats
  AI Red Teaming
  Testing AI systems against real threats
  AI Security Assessment
  Securing AI models, data, and pipelines
  AI Security Assessment
  Securing AI models, data, and pipelines
- Advisory
  AI Advisory
  Guiding secure, strategic AI adoption forward
  AI Advisory
  Guiding secure, strategic AI adoption forward
  Risk Assessment
  From unknown threats to actionable insights
  Risk Assessment
  From unknown threats to actionable insights
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Compliance Readiness
  Stay ready as regulations evolve
  Compliance Readiness
  Stay ready as regulations evolve
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Technical Due Diligence
  See the risks before you invest
  Technical Due Diligence
  See the risks before you invest
  Technical Training
  Empower your teams to secure what matters
  Technical Training
  Empower your teams to secure what matters

Smart Contract Assessment - Ern

Prepared by:

HALBORN

Last Updated 02/27/2026

Date of Engagement: February 16th, 2026 - February 17th, 2026

Summary

100% of all REPORTED Findings have been addressed

All findings

Critical

High

Medium

Low

Informational

1. Introduction
2. Assessment summary
3. Scope
4. Findings overview

1. Introduction

Halborn was engaged to conduct a security assessment of the Ern protocol. The assessment was performed from February 16th, 2026 to February 17th, 2026. Commit hashes and additional details reviewed during the engagement are documented in the Scope section of this report.

The Ern protocol implements a yield aggregation and reward distribution system that allows users to deposit assets into Aave, accrue yield through aTokens, and periodically convert the generated yield into reward tokens via decentralized exchanges. The design uses non-transferable vault shares, configurable harvest conditions, and role-based controls, along with lock and fee mechanisms, to manage reward distribution and enforce protocol economics.

2. Assessment Summary

A full-time security engineer from Halborn conducted a targeted security review of the Ern protocol. The assessment was performed by a blockchain and smart contract security specialist with expertise in DeFi yield strategies, tokenized vault designs, and reward distribution mechanisms.

The purpose of the assessment was to:

Identify potential security, economic, and design issues within the Ern smart contracts.
Verify that deposit, withdrawal, harvesting, and reward distribution workflows operate as intended under various market and usage scenarios.

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were addressed by the Ern team. The main recommendations included:

Withdrawal fees protect reward distribution against front-running so late depositors cannot capture yield they did not generate.
Implement atomic allocation updates or a claim pause mechanism off chain so users cannot front-run allocation reductions to claim full rewards.

3. SCOPE

REPOSITORY

(a) Repository: app

(b) Assessed Commit ID: 32275c7

contracts/src/Ern.sol
contracts/src/RewardsDistributor.sol

Out-of-Scope: Third party dependencies and economic attacks.

Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

Security analysis	Risk level	Remediation
Users Can Front-Run Harvest to Capture Disproportionate Rewards	High	Risk Accepted - 02/19/2026
Users Can Front-Run Allocation Reductions to Claim Full Rewards	Medium	Risk Accepted - 02/19/2026
Harvest Can Be Triggered Even When Time or Yield Conditions Are Not Fully Met	Low	Risk Accepted - 02/19/2026
Missing Input Validation in Constructor Can Cause Silent Deployment Failures	Low	Risk Accepted - 02/19/2026
Additional Deposits Reset Lock and Extend Withdrawal Penalty for Existing Funds	Low	Risk Accepted - 02/19/2026
Harvest Logic Breaks When Reward Token Is the Same as the Underlying Token	Low	Risk Accepted - 02/19/2026
Allocation Reduction Function Silently Ignores Increases Instead of Rejecting Them	Low	Risk Accepted - 02/23/2026
Unused Harvest Cooldown Variable and Error Increase Unnecessary Complexity	Low	Risk Accepted - 02/19/2026
Single-Step Ownership Transfer Increases Risk of Irrecoverable Admin Control Loss	Low	Risk Accepted - 02/23/2026
Configuration Setters Allow Redundant State Updates Without Change	Low	Risk Accepted - 02/23/2026
Allocation Management Functions Ignore Pause State	Low	Risk Accepted - 02/23/2026
Unbounded Loops Can Cause Transactions to Run Out of Gas	Low	Risk Accepted - 02/23/2026
Unused Insufficient Allowance Error Increases Contract Complexity	Informational	Acknowledged - 02/23/2026
View Functions Do Not Validate User Address Inputs	Informational	Acknowledged - 02/23/2026
Repeated Mapping Access in Reward Processing Increases Gas Costs	Informational	Acknowledged - 02/23/2026
Rewards Depend on Manual Harvest Calls and May Never Be Distributed	Informational	Acknowledged - 02/19/2026

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

1. Introduction
2. Assessment summary
3. Scope
4. Findings overview

// Download the full report

Smart Contract Assessment

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed

← Back to Audits