Prepared by:
HALBORN
Last Updated 07/25/2025
Date of Engagement: July 1st, 2025 - July 7th, 2025
100% of all REPORTED Findings have been addressed
All findings
14
Critical
1
High
1
Medium
4
Low
4
Informational
4
IPWorld engaged Halborn to conduct a security assessment of their smart contracts starting at July 1st, 2025 and ending on July 7th, 2025. The security assessment was scoped to the smart contracts provided in the ipdotworld/core Github repository provided to Halborn. Further details can be found in the Scope section of this report.
Halborn was provided 5 (five) days for the engagement, and assigned one full-time security engineer to review the security of the smart contracts in scope. The engineer is a blockchain and smart contract security expert with advanced penetration testing and smart contract hacking skills, and deep knowledge of multiple blockchain protocols.
The purpose of the assessment is to:
Identify potential security issues within the smart contracts.
Ensure that smart contract functionality operates as intended.
In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the IPWorld team. The main ones were the following:
Initialize nextTick prior to entering the harvest loop to prevent startTick corruption and ensure proper fee collection.
Create vesting schedule immediately when prerequisites are met, independent of WETH collection to prevent permanent blocking.
Clamp tick bounds within repositionBidWall() to prevent TickMath reverts and harvest denial-of-service attacks.
Accept user-defined deadline parameters in liquidity operations to restore slippage protection against MEV attacks.
Rename V2 initializer to initializeV2 and protect with reinitializer(2) modifier to enable proper proxy upgrades.
Remove base initializers from reinitializer functions to prevent "already initialized" reverts during upgrades.
Use call() without gas limits for ETH transfers to ensure compatibility with smart contract wallets.
Add missing safety guards to claimToken() including array length validation and SafeERC20 usage.
Add fee-share sum validation in constructor to prevent treasury calculation underflows and harvest reverts.
The Operator role has extensive control over both data and funds within the IPWorld system. Since it is assumed to be a trusted role, risks and findings specifically tied to it were not included in this report. However, Halborn strongly recommends that the IPWorld team handle all private keys, including the Operator key, with the highest level of security and operational caution.
| Security analysis | Risk level | Remediation |
|---|---|---|
| Incorrect Tick-Segment Search Yields Zero-Fee Harvests | Critical | Solved - 07/10/2025 |
| Zero-WETH Harvest & Single-Range Deployment Can Permanently Block Vesting | High | Solved - 07/10/2025 |
| Extreme-Tick Bid-Wall Repositioning Can Cause harvest DoS | Medium | Solved - 07/12/2025 |
| Uncallable Initializer in IPOwnerVault | Medium | Solved - 07/10/2025 |
| Repeating Base Initializers in Re-Initializer Will Revert | Medium | Solved - 07/10/2025 |
| Harvest fails for old tokens without repositionBidWall() function | Medium | Solved - 07/22/2025 |
| Hard-Coded deadline Nullifies Slippage Protection | Low | Solved - 07/10/2025 |
| Operator-Only claimToken() Is Unused | Low | Solved - 07/10/2025 |
| Fixed-Gas ETH Transfer May Revert for Smart-Contract Wallets | Low | Solved - 07/10/2025 |
| Fee-Share Sum Not Bounded | Low | Solved - 07/10/2025 |
| claimIp() Lacks Basic Validation | Informational | Solved - 07/23/2025 |
| setExpectedSigner Accepts Zero Address | Informational | Solved - 07/10/2025 |
| Unchecked Increments Could Save Gas | Informational | Acknowledged - 07/10/2025 |
| TODO Markers Indicating Incomplete Features | Informational | Solved - 07/23/2025 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Core V2
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
