Prepared by:
HALBORN
Last Updated 03/25/2026
Date of Engagement: March 10th, 2026 - March 12th, 2026
100% of all REPORTED Findings have been addressed
All findings: 6 (Critical: 0, High: 0, Medium: 0, Low: 0, Informational: 6)
Fathom engaged Halborn to conduct a security assessment on their smart contracts beginning on March 10th, 2026 and ending on March 12th, 2026. The security assessment was scoped to the smart contracts in the Fathom-Fi/fathom-lending-platform-smart-contracts GitHub repository provided to the Halborn team. The commit hash and further details can be found in the Scope section of this report.
The review is an equivalence attestation assessing whether the Fathom smart contracts are functionally identical to the Aave v3.0.2 reference implementation, except for documented and intentional deviations. Additionally, the assessment covers whether the deployed on-chain bytecode matches the audited source, and whether known Aave v3.0.2 limitations apply to the Fathom deployment.
Halborn was provided with 3 days for this engagement and assigned a full-time security engineer to assess the security of the smart contracts in scope. The assigned engineer possesses deep expertise in blockchain and smart contract security, including hands-on experience with multiple blockchain protocols.
The objective of this assessment is to:
Confirm that Fathom's smart contracts are equivalent to the Aave v3.0.2 reference implementation, except for documented deviations.
Assess the security implications of all identified deviations from Aave v3.0.2.
Verify that deployed on-chain bytecode matches the audited source code.
Fathom is substantially equivalent to Aave v3.0.2 with a small set of intentional, low-risk deviations. Two known Aave v3.0.2 limitations were assessed for applicability. Bytecode verification was performed for all deployed contracts, with several contracts found to be unverified on XDCScan and discrepancies identified between SPDX license identifiers in the XDCScan-submitted source and the audited repository.
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were partially addressed by the Fathom team. The main ones were the following:
Restrict future reserve listings to low-risk decimal/price combinations and monitor Aave v3.5 for the upstream rounding vulnerability fix.
Document or remediate the behavior of the inherited eMode liquidation limitation.
Document or remediate the supported asset decimal ranges to prevent future misconfigurations that could expose the protocol to share inflation attacks.
Submit source code for all unverified contracts to XDCScan.
Resubmit source for affected contracts with the correct SPDX license identifier matching the audited commit.
Confirm XDC feed provider heartbeat guarantees and implement off-chain monitoring for oracle staleness equivalent to Aave's approach.
This assessment is scoped exclusively to the equivalence between the Fathom smart contracts at commit 91574f41 and the Aave v3.0.2 reference implementation. It is not a full-scope security audit of the Fathom codebase. All protocol components that are identical to Aave v3.0.2 are treated as inheriting the security properties of that reference implementation, and are not re-audited as part of this engagement.
The equivalence assessment covers: identified deviations between Fathom and Aave v3.0.2, the security implications of those deviations, and deployed bytecode verification. Interactions between unchanged components, broader business logic, and off-chain systems are outside the scope of this assessment.
Halborn performed a combination of manual diff analysis, code review, and bytecode verification to assess the equivalence of Fathom against the Aave v3.0.2 reference implementation.
The following phases were undertaken throughout the assessment:
Research into the Aave v3.0.2 architecture and Fathom's intended deviations from it.
Automated diff analysis between the Fathom repository and the Aave v3.0.2 reference codebase to systematically identify all deviations across in-scope contracts.
Manual code review of all identified deviations to assess functional equivalence and security implications.
Bytecode verification of all deployed contracts against on-chain records via XDCScan.
The following contracts were verified on XDC Mainnet as part of the bytecode verification phase. Contracts marked as "Exact Match" were confirmed via XDCScan source verification. Contracts marked as "Unverified" were not source-verified on XDCScan and were instead verified by Halborn via local compilation and bytecode comparison against the audited source at commit 91574f41, with observed differences limited to expected deployment-time artifacts. Note that for several contracts, the SPDX license identifier in the XDCScan-submitted source differs from the audited repository; see findings for details.

| Contract | Address | Verification status |
|---|---|---|
| Pool-Proxy | 0x70d8005E3c8C7e383FE35Fa40156042F3393449F | Exact Match |
| Pool-Implementation | 0x5c756ACD4Cb26a9cA6De7abF9765cE84B5Be9322 | Exact Match* |
| PoolConfigurator-Proxy | 0x56f3A75C71C207a77c3b8c77a34FC89cF1a6DB66 | Exact Match |
| PoolConfigurator-Implementation | 0xE6525d46ADc3Cd5AF2CfA322504A7C17F8445c8D | Unverified |
| PoolAddressesProvider | 0x37ab83e6a9B99DA3eAF00D1afdC45f50ee7625E5 | Exact Match* |
| ProtocolDataProvider | 0x7fa488a5C88E9E35B0B86127Ec76B0c1F0933191 | Exact Match* |
| FathomOracle | 0x54348d953Abc4f167cbdeDe648095c1aF7DE355A | Exact Match* |
| ACLManager | 0xf73e7d6309A2DaDE5B698eD33dA929d2F2281526 | Exact Match* |
| SupplyLogic | 0xA8f477530036cF1391E5A76A723635be7b28Eff3 | Exact Match* |
| BorrowLogic | 0x602d170366C4c14c855BAa051A35Ee318564343A | Exact Match* |
| LiquidationLogic | 0xdf816BB3a1415B4b88365D6Ecb5Fcc52A7ee7729 | Exact Match* |
| EModeLogic | 0x1240f345449Ee3293FEAE9E3e3FbcCe1589e9160 | Unverified |
| FlashLoanLogic | 0x57023484830D90027E33e37Abc301A89e1318B30 | Unverified |
| BridgeLogic | 0x00C1B7ce7703beD7e115833a6c2DbcFeD887a4f1 | Unverified |
| ConfiguratorLogic | 0x373E40f30e7a2CcFfe22fA1926bD71284332a2B9 | Unverified |
| PoolLogic | 0x8c2cf73fB553d9a8a8Dc34A6B5e6078FC023c34F | Unverified |
| FmToken | 0x5271D2bC5F2deCbF7124DA2349cc88E6Aa039364 | Unverified |
| StableDebtToken | 0x80e2eA68DB630660eFCa18780F24587967F3071B | Unverified |
| VariableDebtToken | 0xfaA128B457FC7cBF9763A7Be66bF89662d9777FF | Unverified |
| PoolAddressesProviderRegistry | 0xDAb3B99eb3569466750c436d6F4c99d57850Cc89 | Unverified |
| DelegationAwareFmToken | 0x479025c4a038E4028cED41178DC737377Df55278 | Unverified |
| ReservesSetupHelper | 0xF3A4c44D7aEF5e0648DAFd1448dFAe9933aF8F4d | Unverified |
| EmissionManager | 0x049F146A33a16e454f3BE28bb0bc18c12C96a894 | Unverified |
| WrappedTokenGatewayV3 | 0x57Ba8bAA7c3Ff6606751859f1CED9f68819C2f41 | Exact Match |
| WalletBalanceProvider | 0x7C724DEaD5012Eb4C9e2d1529cF0353e767C82Cd | Exact Match |
| UiIncentiveDataProviderV3 | 0xA69c5468Aa4ab263a250fD9dA4322e58370F2bB2 | Unverified |
| UiPoolDataProviderV3 | 0x5f7001B6Dc957dC5B2F78f0BC3aFbFc1fE628A18 | Exact Match |

*Exact Match on XDCScan, but the SPDX license identifier in the submitted source differs from the audited repository.
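As an added illustration of the local compilation and bytecode comparison described above (example code, not Halborn's or Fathom's tooling), the following Python compares deployed runtime bytecode against a locally compiled build while discounting the two deployment-time artifacts a verifier expects to differ: the CBOR metadata trailer (which carries a hash of the source, so a source-only change such as a different SPDX line alters it without touching the executable code) and immutable placeholder slots. The sample bytecode, trailers and immutable offsets are constructed for the example.

```python
from collections.abc import Sequence

# Constructed sample CBOR trailers (not real metadata). In real output the
# blob carries the source hash, so any source-text change, an SPDX line
# included, changes it while the executable code stays identical.
META_A = bytes.fromhex("a264697066735822") + b"\x11" * 34
META_B = bytes.fromhex("a264697066735822") + b"\x22" * 34


def split_metadata(code: bytes) -> tuple[bytes, bytes]:
    """Split runtime code into (code, cbor_metadata): Solidity appends the
    CBOR blob followed by its 2-byte big-endian length."""
    if len(code) < 2:
        return code, b""
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(code):
        return code, b""  # no well-formed trailer present
    return code[:-(meta_len + 2)], code[-(meta_len + 2):-2]


def mask_immutables(code: bytes, refs: Sequence[tuple[int, int]]) -> bytes:
    """Zero each (offset, length) range holding an immutable: the compiler
    emits placeholders there that the constructor fills at deployment."""
    buf = bytearray(code)
    for off, ln in refs:
        buf[off:off + ln] = bytes(ln)
    return bytes(buf)


def verify(deployed: bytes, local: bytes,
           immutable_refs: Sequence[tuple[int, int]] = ()) -> tuple[str, int]:
    """Return ("exact", -1) for byte-identical code, ("match", -1) when the
    only differences are the metadata trailer and immutable slots, and
    ("mismatch", offset) with the first differing code offset otherwise."""
    if deployed == local:
        return "exact", -1
    d_code = mask_immutables(split_metadata(deployed)[0], immutable_refs)
    l_code = mask_immutables(split_metadata(local)[0], immutable_refs)
    if d_code == l_code:
        return "match", -1
    n = min(len(d_code), len(l_code))
    return "mismatch", next((i for i in range(n) if d_code[i] != l_code[i]), n)


def constructed_code(immutable: bytes, metadata: bytes) -> bytes:
    """Constructed runtime code: 5-byte prologue, PUSH20 <immutable> (value at
    offset 6), a 3-byte tail, then the CBOR trailer with its length."""
    body = bytes.fromhex("6080604052") + b"\x73" + immutable + bytes.fromhex("5f5ff3")
    return body + metadata + len(metadata).to_bytes(2, "big")
```

A "match" verdict is the outcome reported above for the Unverified contracts; a "mismatch" offset inside the code section, rather than in the trailer or an immutable slot, is what would indicate the deployed contract was not built from the audited commit.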
| EXPLOITABILITY METRIC | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) / Specific (AO:S) | 1 / 0.2 |
| Attack Cost (AC) | Low (AC:L) / Medium (AC:M) / High (AC:H) | 1 / 0.67 / 0.33 |
| Attack Complexity (AX) | Low (AX:L) / Medium (AX:M) / High (AX:H) | 1 / 0.67 / 0.33 |

| IMPACT METRIC | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) / Low (C:L) / Medium (C:M) / High (C:H) / Critical (C:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |
| Integrity (I) | None (I:N) / Low (I:L) / Medium (I:M) / High (I:H) / Critical (I:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |
| Availability (A) | None (A:N) / Low (A:L) / Medium (A:M) / High (A:H) / Critical (A:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |
| Deposit (D) | None (D:N) / Low (D:L) / Medium (D:M) / High (D:H) / Critical (D:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |
| Yield (Y) | None (Y:N) / Low (Y:L) / Medium (Y:M) / High (Y:H) / Critical (Y:C) | 0 / 0.25 / 0.5 / 0.75 / 1 |

| SEVERITY COEFFICIENT | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility | None (R:N) / Partial (R:P) / Full (R:F) | 1 / 0.5 / 0.25 |
| Scope | Changed (S:C) / Unchanged (S:U) | 1.25 / 1 |

| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Rounding vulnerability in supply/withdraw cycles allows extraction of underlying tokens from low-decimal high-value reserves | Informational | Acknowledged - 03/14/2026 |
| Inherited eMode liquidation uses wrong debt price source when debt asset is removed from eMode category | Informational | Acknowledged - 03/14/2026 |
| Absence of documentation on supported asset decimal ranges | Informational | Solved - 03/14/2026 |
| Several contracts are not source-verified on XDCScan | Informational | Solved - 03/22/2026 |
| SPDX license identifier mismatch between deployed and audited source | Informational | Solved - 03/14/2026 |
| Oracle staleness protection relies on feed provider guarantees and off-chain monitoring | Informational | Acknowledged - 03/14/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.