Prepared by:
HALBORN
Last Updated 01/28/2026
Date of Engagement: December 22nd, 2025 - December 31st, 2025
Summary
100% of all REPORTED Findings have been addressed
All findings
12
Critical
0
High
0
Medium
4
Low
2
Informational
6
Table of Contents
1. Introduction
Creator Bid engaged Halborn to perform a security assessment of their smart contracts from December 22nd, 2025 to December 31st, 2025. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.
The Creator Bid codebase in scope consists of smart contracts for creating ERC20-based Agent Key tokens, including single-sided liquidity pools, prediction markets, reward distribution, and a time-weighted BID locking NFT system with credit management.
2. Assessment Summary
Halborn was allocated 8 days for this engagement and assigned 1 full-time security engineer to conduct a comprehensive review of the smart contracts within scope. The engineer is an expert in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.
The objectives of this assessment are to:
Identify potential security vulnerabilities within the smart contracts.
Verify that the smart contract functionality operates as intended.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were partially addressed by the Creator Bid team. The main recommendations are:
To implement a slippage limiter in the exactInOnPool function.Removing _tokenIds inside the burn function.To manage the claim rewards from in the unstaking function explicitly before withdrawing a position.
3. SCOPE
- src/types/TokenAmount.sol
- src/types/AeroPositionDetails.sol
- src/types/InitialPoolConfig.sol
- https://github.com/SN98-ForeverMoney/smart-contracts-foundry/blob/c3d545e6d40d3d84f39782330b1415f0b8d79215/src/aero/AeroCLPoolManager.sol#L197-L251
- 982e18f
- https://github.com/SN98-ForeverMoney/smart-contracts-foundry/blob/c3d545e6d40d3d84f39782330b1415f0b8d79215/src/aero/AeroCLTeamPositionEscrow.sol#L196-L212
- https://github.com/SN98-ForeverMoney/smart-contracts-foundry/blob/c3d545e6d40d3d84f39782330b1415f0b8d79215/src/aero/AeroCLPositionManager.sol#L183
- https://github.com/SN98-ForeverMoney/smart-contracts-foundry/blob/c3d545e6d40d3d84f39782330b1415f0b8d79215/src/aero/AeroCLPositionManager.sol#L578
- 32f2379
- https://github.com/SN98-ForeverMoney/smart-contracts-foundry/blob/c3d545e6d40d3d84f39782330b1415f0b8d79215/src/aero/AeroCLPoolManager.sol#L401
- https://github.com/creatorbid/smart-contracts-foundry/blob/32f2379c559fd4e8cebb45764e7aca82f3392e38/src/LiquidityManager.sol#L372-L381
- https://github.com/creatorbid/smart-contracts-foundry/blob/32f2379c559fd4e8cebb45764e7aca82f3392e38/src/aero/AeroCLPositionManager.sol#L364-L366
- https://github.com/creatorbid/smart-contracts-foundry/blob/32f2379c559fd4e8cebb45764e7aca82f3392e38/src/aero/AeroCLPoolManager.sol#L215
4. Findings Overview
| Security analysis | Risk level | Remediation |
|---|---|---|
| Swaps have no on-chain slippage protection | Medium | Solved - 01/08/2026 |
| Burn operation fails to remove token ID from registry | Medium | Solved - 12/30/2025 |
| Vesting bypass via spot price manipulation | Medium | Solved - 01/08/2026 |
| Staking rewards permanently lost during unstake operation | Medium | Solved - 01/08/2026 |
| Position manager initialization is permissionless | Low | Risk Accepted - 01/09/2026 |
| Non-atomic initialization of fee splitter creates DoS window | Low | Risk Accepted - 01/09/2026 |
| View functions revert on empty sets instead of returning empty values | Informational | Solved - 01/08/2026 |
| Operations on staked positions return unclear errors | Informational | Solved - 01/08/2026 |
| Invalid escrow type values can permanently lock positions | Informational | Solved - 01/08/2026 |
| Direct token transfers to LiquidityManager cannot be withdrawn | Informational | Solved - 01/08/2026 |
| Dangling token approvals in increaseLiquidity | Informational | Solved - 01/08/2026 |
| Misleading comment regarding bytes32 conversion | Informational | Solved - 01/08/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Table of Contents
// Download the full report
Forever Money
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed