Prepared by:
HALBORN
Last Updated 10/21/2025
Date of Engagement: September 22nd, 2025 - September 25th, 2025
100% of all REPORTED Findings have been addressed
All findings
6
Critical
0
High
0
Medium
0
Low
1
Informational
5
Kite AI engaged Halborn to conduct a security assessment on their smart contracts beginning on September 22, 2025 and ending on September 25, 2025. The security assessment was scoped to the smart contracts provided to Halborn. Commit hashes and further details can be found in the Scope section of this report.
Kite AI allows users to create subnets of account abstracted wallets, and the repository also feature an airdrop contract.
Halborn was provided with 4 days for this engagement and assigned 1 full-time security engineer to review the security of the smart contracts in scope. The assigned engineer possess deep expertise in blockchain and smart contract security, including hands-on experience with multiple blockchain protocols.
The objectives of this assessment were to:
Identify potential security vulnerabilities within the smart contracts.
Ensure that the smart contracts function as intended.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were mostly addressed by the Kite AI team. The main ones were:
Check return values for ERC20 transfers.
Ensure deadlines are validated against the current block timestamp to prevent setting expired values.
Use safe token transfer methods to ensure compatibility across ERC20 implementations.
Avoid emitting redundant events and rely on standardized events to reduce log duplication and confusion.
Halborn performed a combination of a manual review of the source code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the program assessment. While manual testing is recommended to uncover flaws in business logic, processes, and implementation; automated testing techniques help enhance coverage of programs and can quickly identify items that do not follow security best practices.
The following phases and associated tools were used throughout the term of the assessment:
Research into the architecture and purpose of the smart contracts.
Manual code review and walkthrough of the smart contracts.
Manual assessment of critical Solidity variables and functions to identify potential vulnerability classes.
Manual testing using custom scripts.
Static security analysis of the scoped contracts and imported functions.
Local deployment and testing with Foundry & Hardhat.
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
0
Medium
0
Low
1
Informational
5
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Subnets can resassign any user to any subnet or arbitrary address | Low | Solved - 10/08/2025 |
| Insufficient validation on airdrop claim deadline | Informational | Solved - 10/16/2025 |
| Missing two step process for ownership transfer | Informational | Acknowledged - 10/17/2025 |
| Duplicate event emission in pause/unpause functions | Informational | Solved - 10/17/2025 |
| Unchecked ERC20 transfer return value | Informational | Acknowledged - 10/09/2025 |
| Unsafe token transfer pattern during airdrop claim | Informational | Acknowledged - 10/17/2025 |
//Low
//Informational
//Informational
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
GoKite Contracts
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
