Prepared by:
HALBORN
Last Updated 11/14/2025
Date of Engagement: January 2nd, 2025 - January 14th, 2025
100% of all REPORTED Findings have been addressed
All findings
10
Critical
0
High
1
Medium
6
Low
2
Informational
1
InFlux Technologies engaged Halborn to conduct a security assessment on their web application beginning on 01/02/2025 and ending on 01/15/2025. The security assessment was scoped to the source code files provided to the Halborn team.
The team at Halborn was provided one week and a half for the engagement and assigned a full-time security engineer to verify the security of the scoped source code application files. The security engineer is a blockchain and smart contract security expert with advanced penetration testing, smart contract hacking, and deep knowledge of multiple blockchain protocols.
The security assessment identified multiple critical areas requiring attention in the analyzed codebase, involving several issues and misconfigurations that the InFlux Technologies should address to enhance the application's security.
The lack of proper validation for external calls raised concerns about unchecked interactions with third-party contracts, potentially leading to unintended execution of malicious code.
Several medium-severity issues were also observed. The use of predictable salts during contract deployments could expose the system to collision attacks, jeopardizing address uniqueness. Additionally, the default hash function was not clearly specified, which could create inconsistencies or weaken the cryptographic integrity of the system. Sensitive information, including private keys, was potentially being stored within environment variables without sufficient protection, amplifying the risk of unauthorized access. The codebase also relied on third-party dependencies with known vulnerabilities, potentially exposing the entire project to inherited security flaws. Moreover, hardcoded transaction cost parameters may limit flexibility and could be exploited if not carefully controlled.
Furthermore, the absence of public key validation could allow unauthorized entities to submit invalid keys, increasing the likelihood of malicious transactions being accepted.
Lower-risk findings included the presence of insecure methods, which, although not actively used, could become a risk if reintroduced or overlooked in future development cycles.
Some other low severity issues involved cryptographic key handling and transaction integrity. Specifically, the potential reuse of nonces in the Schnorr signature scheme presented a substantial risk of private key leakage, compromising the overall integrity of the signing process.
Finally, an informational observation was also noted regarding the library usage, emphasizing the importance of clearly documenting and maintaining external code integrations.
Overall, while the project demonstrates solid foundations in many areas, these identified issues highlight the need for a more comprehensive approach to input validation, cryptographic hygiene, and dependency management to ensure long-term security and resilience.
It is recommended to resolve all the security issues listed in the document to improve the security health of the application and its underlying infrastructure.
Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the penetration test... While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques assist enhance coverage of the solution and can quickly identify flaws in it.
The following phases and associated tools were used throughout the term of the assessment:
Research about the scoped source code
Technology stack-specific vulnerabilities and public source code assessment
Vulnerable or outdated software
Exposure of any critical information
Application logic flaws
Access Handling
Authentication / Authorization flaws
Lack of validation on inputs and input handling
Brute force protections
Sensitive information disclosure
Source code review
Critical
0
High
1
Medium
6
Low
2
Informational
1
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| LACK OF EXTERNAL CALLS VALIDATION | High | Risk Accepted - 02/04/2025 |
| PREDICTABLE SALT (COLISSION ATTACK RISK) | Medium | Not Applicable |
| UNSPECIFIED DEFAULT HASH FUNCTION | Medium | Solved - 02/04/2025 |
| SENSITIVE INFORMATION IN ENV VARS | Medium | Risk Accepted - 02/04/2025 |
| VULNERABLE THIRD-PARTY DEPENDENCIES | Medium | Risk Accepted - 02/04/2025 |
| LACK OF KEY VALIDATION | Medium | Solved - 02/04/2025 |
| HARDCODED TRANSACTION COST | Medium | Not Applicable |
| NOT-USED INSECURE METHOD | Low | Risk Accepted - 02/04/2025 |
| POTENTIAL NONCE REUSAGE (KEY LEAKAGE RISK) | Low | Solved - 02/04/2025 |
| LIBRARY USAGE RECOMMENDATION | Informational | Acknowledged - 02/04/2025 |
//High
//Medium
//Medium
//Medium
//Medium
//Medium
//Medium
//Low
//Low
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
InFlux Technologies - Account Abstraction Schnorr Signatures SDK
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
