Prepared by:
HALBORN
Last Updated 02/02/2026
Date of Engagement: December 22nd, 2025 - December 31st, 2025
100% of all REPORTED Findings have been addressed
All findings
12
Critical
0
High
0
Medium
4
Low
2
Informational
6
Forever Money engaged Halborn to perform a security assessment of their smart contracts from December 22nd, 2025 to December 31st, 2025. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.
The Forever Money codebase in scope consists of smart contracts for Liquidity Escrow Manager Contracts.
Halborn was allocated 8 days for this engagement and assigned 1 full-time security engineer to conduct a comprehensive review of the smart contracts within scope. The engineer is an expert in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.
The objectives of this assessment are to:
Identify potential security vulnerabilities within the smart contracts.
Verify that the smart contract functionality operates as intended.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were partially addressed by the Forever Money team. The main recommendations are:
To implement a slippage limiter in the exactInOnPool function.
Removing _tokenIds inside the burn function.
To manage the claim rewards from in the unstaking function explicitly before withdrawing a position.
| Security analysis | Risk level | Remediation |
|---|---|---|
| Swaps have no on-chain slippage protection | Medium | Solved - 01/08/2026 |
| Burn operation fails to remove token ID from registry | Medium | Solved - 12/30/2025 |
| Vesting bypass via spot price manipulation | Medium | Solved - 01/08/2026 |
| Staking rewards permanently lost during unstake operation | Medium | Solved - 01/08/2026 |
| Position manager initialization is permissionless | Low | Risk Accepted - 01/09/2026 |
| Non-atomic initialization of fee splitter creates DoS window | Low | Risk Accepted - 01/09/2026 |
| View functions revert on empty sets instead of returning empty values | Informational | Solved - 01/08/2026 |
| Operations on staked positions return unclear errors | Informational | Solved - 01/08/2026 |
| Invalid escrow type values can permanently lock positions | Informational | Solved - 01/08/2026 |
| Direct token transfers to LiquidityManager cannot be withdrawn | Informational | Solved - 01/08/2026 |
| Dangling token approvals in increaseLiquidity | Informational | Solved - 01/08/2026 |
| Misleading comment regarding bytes32 conversion | Informational | Solved - 01/08/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Forever Money
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
