Kickoff Protocol Contracts - Kickoff.fun

1. INTRODUCTION

Kickoff.fun engaged Halborn to conduct a security assessment on their smart contracts beginning on January 6th, 2026 and ending on January 9th, 2026. The security assessment was scoped to the smart contracts provided in the kickoff-contracts GitHub repository, provided to the Halborn team. Commit hash and further details can be found in the Scope section of this report.

The reviewed contracts implement a liquidity bootstrapping launchpad built on Aerodrome’s veAERO voting system. veAERO holders temporarily lock NFTs to direct gauge votes, after which rewards are claimed, swapped, and used to create permanently locked liquidity, while participants receive project tokens proportionally.

2. ASSESSMENT SUMMARY

Halborn was provided with 4 days for this engagement and assigned a full-time security engineer to assess the security of the smart contracts in scope. The assigned engineer possesses deep expertise in blockchain and smart contract security, including hands-on experience with multiple blockchain protocols.

The objective of this assessment is to:

• Identify potential security issues within the Kickoff.fun protocol smart contracts.

• Ensure that smart contract of ````Kickoff.fun protocol functions operate as intended.

In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were mostly addressed by the Kickoff.fun team. The main recommendations were:

• Handle batch voting failures at the per‑NFT level to avoid single-point batch failures.

• Require pool activation to be aligned with Aerodrome's epoch start.

• Design liquidity finalization to safely handle pre‑existing pool state.

• Provide a defined path for zero‑participant scenario to avoid project tokens becoming stranded in the pool.

• Implement meaningful slippage protection when swapping reward tokens.

3. TEST APPROACH AND METHODOLOGY

Halborn performed a combination of manual review of the code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the smart contract assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of smart contracts and can quickly identify items that do not follow security best practices.

The following phases and associated tools were used throughout the term of the assessment:

• Research into the architecture and purpose of the Kickoff.fun protocol.

• Manual code review and walkthrough of the Kickoff.fun in-scope contracts.

• Manual assessment of critical Solidity variables and functions to identify potential vulnerability classes.

• Manual testing using custom scripts.

• Static Analysis of security for scoped contract, and imported functions. (Slither).

• Local deployment and testing with (Foundry, Remix IDE).