Prepared by:
HALBORN
Last Updated 02/13/2026
Date of Engagement: February 3rd, 2026 - February 11th, 2026
100% of all REPORTED Findings have been addressed
All findings
41
Critical
0
High
1
Medium
2
Low
20
Informational
18
KickOff.fun engaged Halborn to perform a security assessment of their smart contracts from February 3rd, 2026 to February 11th, 2026. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.
The KickOff.fun codebase in scope consists smart contracts that act as a liquidity bootstrapping launchpad that leverages Aerodrome's veAERO governance on the Base network.
Halborn was allocated 7 days for this engagement and assigned 2 full-time security engineers to conduct a comprehensive review of the smart contracts within scope. The engineers are experts in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.
The objectives of this assessment are to:
Identify potential security vulnerabilities within the smart contracts.
Verify that the smart contract functionality operates as intended.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were partially addressed by the KickOff.fun team. The main recommendations are:
Implement robust autopilot claim validation to prevent double benefits and ensure correct allocation on claim failures.
Restrict pool initialization to supported tick ranges to prevent tail-tick setups that bypass price fixing and brick liquidity addition.
Add post-swap price verification to ensure the intended price correction is achieved and prevent silent arbitrage failures.
Disallow interactions with pre-created slipstream pools to prevent permanent denial-of-service scenarios.
Synchronize batch indexing during emergency operations to ensure all NFTs are processed without being skipped.
Track and isolate protocol-owned USDC balances to prevent unintended inclusion in final swap calculations.
Apply dust deductions only when price correction occurs to prevent unnecessary liquidity reduction.
Fix reward accounting during USDC–WETH conversions to prevent balance-donation griefing and reward manipulation.
Halborn conducted a combination of manual code review and automated security testing to balance efficiency, timeliness, practicality, and accuracy within the scope of this assessment. While manual testing is crucial for identifying flaws in logic, processes, and implementation, automated testing enhances coverage of smart contracts and quickly detects deviations from established security best practices.
The following phases and associated tools were employed throughout the term of the assessment:
Research into the platform's architecture, purpose and use.
Manual code review and walkthrough of smart contracts to identify any logical issues.
Comprehensive assessment of the safety and usage of critical Solidity variables and functions within scope that could lead to arithmetic-related vulnerabilities.
Local testing using custom scripts (Foundry).
Fork testing against main networks (Foundry).
Static security analysis of scoped contracts, and imported functions (Slither).
| Security analysis | Risk level | Remediation |
|---|---|---|
| Missing post-swap price verification may allow silent arbitrage failure | High | Solved - 02/10/2026 |
| Double Benefit & incorrect allocation via autopilot claim failure | Medium | Risk Accepted - 02/09/2026 |
| CLPriceArbitrageur Tail Zone - Residual DoS via Attacker Liquidity | Medium | Solved - 02/13/2026 |
| Pool can be initialized at tail ticks that cannot be covered by tickSpacing=200 positions, permanently bypassing price-fix and bricking liquidity addition | Low | Solved - 02/10/2026 |
| Permanent Denial of Service (DoS) via Pre-created Slipstream Pool | Low | Solved - 02/09/2026 |
| Untracked USDC Balance Can Be Incorrectly Included in Final Swap | Low | Risk Accepted - 02/09/2026 |
| Incorrect reward accounting allows balance-donation griefing during USDC - WETH conversion | Low | Risk Accepted - 02/10/2026 |
| Ineffective Allowance Reset After Slipstream Position Mint | Low | Risk Accepted - 02/09/2026 |
| Defensive Zero-Amount Check Unreachable in _calculateSqrtPriceX96 | Low | Risk Accepted - 02/09/2026 |
| Unnecessary Balance Delta Check for Non–Fee-on-Transfer Project Tokens | Low | Risk Accepted - 02/09/2026 |
| Liquidity amounts reduced by dust even when price correction is skipped | Low | Solved - 02/10/2026 |
| Repeated fee claims can permanently lose rounding-dust fees | Low | Risk Accepted - 02/10/2026 |
| Deadlock in cancelPool via Autopilot Dependency | Low | Risk Accepted - 02/09/2026 |
| Admin-only rescueTokens allows Arbitrary Withdrawal (Rug Vector) | Low | Not Applicable - 02/10/2026 |
| Zombie User Lock on Dust Tokens | Low | Risk Accepted - 02/09/2026 |
| Incompatible ERC20 Transfer (No Bool) / ABI Decode | Low | Solved - 02/10/2026 |
| No Rescue Mechanism for Locked CL Positions | Low | Not Applicable - 02/11/2026 |
| Potential Unbounded Loop in emergencyWithdrawAllNFTs | Low | Solved - 02/10/2026 |
| Reentrancy Risk in Admin Functions | Low | Not Applicable - 02/10/2026 |
| lockVeAERO() may revert due to missing ownership/operator rights on veNFT | Low | Solved - 02/10/2026 |
| Edge-case: Incorrect spent-token subtraction can cause liquidity mint to revert | Low | Solved - 02/11/2026 |
| fixPoolPrice() refund/spend accounting is affected by external donations to CLPriceArbitrageur | Low | Solved - 02/11/2026 |
| Unvalidated Autopilot Epoch Timestamps (DoS Risk) | Low | Risk Accepted - 02/11/2026 |
| Missing Input Validation for batchSize in startClaimRewardsFromAutopilot | Informational | Acknowledged - 02/09/2026 |
| FinalizeStep Enum and State Variable Defined After Usage | Informational | Acknowledged - 02/09/2026 |
| Hardcoded Base Integration Addresses Ignore Factory Configuration | Informational | Acknowledged - 02/09/2026 |
| AutopilotRewardsClaimed Event Emits Misleading Zero Amount | Informational | Acknowledged - 02/09/2026 |
| ERC20.approve(0) pattern may cause token incompatibility | Informational | Acknowledged - 02/10/2026 |
| Missing pool existence check in LPLocker.getLockedLP() | Informational | Acknowledged - 02/10/2026 |
| Unused Custom Errors | Informational | Acknowledged - 02/10/2026 |
| LPLocker Deployer-only setFactory Privilege (Supply Chain) | Informational | Acknowledged - 02/10/2026 |
| MEV Theft via Sandwich Attack on Reward Conversion | Informational | Acknowledged - 02/10/2026 |
| Batch Index Desynchronization Causes Skipping of NFTs During Emergency Operations | Informational | Solved - 02/09/2026 |
| Unfair Token Distribution via Emergency Withdraw | Informational | Solved - 02/10/2026 |
| Unnecessary Locking Deadline Validation in lockVeAERO | Informational | Acknowledged - 02/09/2026 |
| wethCollected Storage Variable Used Solely for Event Emission | Informational | Acknowledged - 02/09/2026 |
| Redundant batchInProgress Check in completeAutopilotFinalization | Informational | Acknowledged - 02/09/2026 |
| Unnecessary Storage Reference in retryAutopilotWithdraw Loop | Informational | Acknowledged - 02/09/2026 |
| Unused Constant MIN_AUTOPILOT_VOTING_POWER | Informational | Acknowledged - 02/09/2026 |
| Fixed DUST_AMOUNT is not token-aware and may be insufficient | Informational | Acknowledged - 02/10/2026 |
| WETH donations pollute totalClaimedRewards accounting during finalization | Informational | Acknowledged - 02/10/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Smart Contract Assessment
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
