Prepared by:
HALBORN
Last Updated 11/12/2025
Date of Engagement: August 6th, 2025 - August 6th, 2025
100% of all REPORTED Findings have been addressed
All findings
5
Critical
0
High
0
Medium
0
Low
3
Informational
2
FortunaFi engaged Halborn to conduct a security assessment of their smart contract on August 6th, 2025. The scope of this assessment was limited to the smart contracts provided to the Halborn team. Commit hashes and additional details are documented in the Scope section of this report.
The Halborn team dedicated a total of one day to this engagement, deploying one full-time security engineer to evaluate the smart contract’s security posture.
The assigned security engineer is an expert in blockchain and smart contract security, with advanced skills in penetration testing, smart contract exploitation, and a comprehensive understanding of multiple blockchain protocols.
The objectives of this assessment were to:
Verify that the smart contract functions operate as intended.
Identify potential security vulnerabilities within the smart contracts.
In summary, Halborn identified a limited number of issues that were acknowledged by the FortunaFi team. The key recommendations included:
Restrict access to the refill() function to prevent unauthorized or malicious usage.
Prevent arithmetic underflow in _maxRebalance() caused by unsafe decimal scaling operations.
Add zero address validation to the contract constructor to avoid deployment with an unusable admin account.
Implement input validation in rebalance() to reject zero-amount operations and avoid unnecessary gas costs.
Halborn employed a combination of manual, semi-automated, and automated security testing methods to ensure effectiveness, efficiency, and accuracy within the scope of this assessment. Manual testing was vital for uncovering issues related to logic, processes, and implementation details, while automated techniques enhanced code coverage and helped identify deviations from security best practices. The assessment involved the following phases and tools:
Research into the architecture and purpose of the smart contracts.
Manual review and walkthrough of the smart contract code.
Manual evaluation of critical Solidity variables and functions to identify potential vulnerability classes.
Manual testing using custom scripts.
Static security analysis of the scoped contracts and imported functions utilizing Slither.
Local deployment and testing with Foundry.
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
0
Medium
0
Low
3
Informational
2
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Missing Access Control on Refill Function | Low | Risk Accepted - 11/05/2025 |
| Decimal Scaling Arithmetic Underflow | Low | Risk Accepted - 11/05/2025 |
| Constructor Accepts Zero Address Admin | Low | Risk Accepted - 11/05/2025 |
| Multiple PSMs with Same Token Causes Data Corruption | Informational | Acknowledged - 11/05/2025 |
| Missing Zero Amount Validation | Informational | Acknowledged - 11/05/2025 |
//Low
//Low
//Low
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Rebalance Contract
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
