Core V2 - IP.World

1. Introduction

IPWorld engaged Halborn to conduct a security assessment of their smart contracts starting at July 1st, 2025 and ending on July 7th, 2025. The security assessment was scoped to the smart contracts provided in the ipdotworld/core Github repository provided to Halborn. Further details can be found in the Scope section of this report.

2. Assessment Summary

Halborn was provided 5 (five) days for the engagement, and assigned one full-time security engineer to review the security of the smart contracts in scope. The engineer is a blockchain and smart contract security expert with advanced penetration testing and smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

• Identify potential security issues within the smart contracts.

• Ensure that smart contract functionality operates as intended.

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the IPWorld team. The main ones were the following: 

• Initialize nextTick prior to entering the harvest loop to prevent startTick corruption and ensure proper fee collection.

• Create vesting schedule immediately when prerequisites are met, independent of WETH collection to prevent permanent blocking.

• Clamp tick bounds within repositionBidWall() to prevent TickMath reverts and harvest denial-of-service attacks.

• Accept user-defined deadline parameters in liquidity operations to restore slippage protection against MEV attacks.

• Rename V2 initializer to initializeV2 and protect with reinitializer(2) modifier to enable proper proxy upgrades.

• Remove base initializers from reinitializer functions to prevent "already initialized" reverts during upgrades.

• Use call() without gas limits for ETH transfers to ensure compatibility with smart contract wallets.

• Add missing safety guards to claimToken() including array length validation and SafeERC20 usage.

• Add fee-share sum validation in constructor to prevent treasury calculation underflows and harvest reverts.

3. Caveats

The Operator role has extensive control over both data and funds within the IPWorld system. Since it is assumed to be a trusted role, risks and findings specifically tied to it were not included in this report. However, Halborn strongly recommends that the IPWorld team handle all private keys, including the Operator key, with the highest level of security and operational caution.