Prepared by:
HALBORN
Last Updated 06/10/2026
Date of Engagement: May 22nd, 2026 - May 29th, 2026
100% of all REPORTED Findings have been addressed
| Severity | Count |
|---|---|
| All findings | 25 |
| Critical | 0 |
| High | 0 |
| Medium | 2 |
| Low | 6 |
| Informational | 17 |
Monetari engaged Halborn to perform a security assessment of their smart contracts from May 22nd, 2026 to May 29th, 2026. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.
The Monetari codebase in scope consists of smart contracts for a tokenized physical gold system (KGOLD) including an ERC-20 token representing grams of gold, a marketplace for buy/sell requests with KYC verification and dynamic gold-to-USDT pricing, a treasury for USDT custody, and administrative controls with dual-key pause/unpause and asset freeze mechanisms.
Halborn was allocated 6 days for this engagement and assigned 1 full-time security engineer to conduct a comprehensive review of the smart contracts within scope. The engineer is an expert in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.
The objectives of this assessment are to:
Identify potential security vulnerabilities within the smart contracts.
Verify that the smart contract functionality operates as intended.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were partially addressed by the Monetari team. The main recommendations were:
Consider re-reading the oracle inside _settlePurchase() and _settleSell() and recomputing goldOut or totalReceived against the fresh price, while preserving the user's original minGoldOut or minTotalReceived as a floor and introducing a complementary maxGoldOut or maxTotalReceived cap captured at request time.
Consider adding a symmetric release path that decrements the same three per-user counters when a request ends without settlement, parameterized by the original request's createdAt and the value to release.
Consider lowering the upper bound on the confidence-ratio setter to a value that preserves the gate's intended function; a ceiling somewhere between five hundred and two thousand basis points keeps room for legitimate operational tuning while preventing the gate from being effectively disabled.
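The three recommendations above describe one settlement design: re-read the oracle at settlement time, keep the user's minGoldOut floor, add a maxGoldOut cap captured at request time, release per-user rate-limit quota on cancellation using the original createdAt, and bound the confidence-ratio setter. The contract below is an added illustration written for this summary; it is not Monetari's KulceGoldMarket code and does not reproduce its storage layout, roles or token transfers. The oracle interface (IGoldPriceOracle, latestPrice), the token decimals (USDT 6, KGOLD 18, price 8), the spentInPeriod counters, PERIOD, perPeriodLimit and maxPriceDriftBps are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical oracle interface (assumption: the real adapter's API is not shown in this summary).
/// price: USDT per gram with 8 decimals; conf: confidence interval in the same units.
interface IGoldPriceOracle {
    function latestPrice() external view returns (uint256 price, uint256 conf);
}

contract MarketSettlementExample {
    uint256 public constant BPS = 10_000;
    // Setter ceiling inside the 500..2000 bps range the recommendation suggests, so the
    // gate can be tuned but never effectively disabled (10_000 bps would accept any price).
    uint256 public constant MAX_CONFIDENCE_RATIO_BPS = 2_000;
    uint256 public confidenceRatioBps = 100;

    struct PurchaseRequest {
        address buyer;
        uint256 usdtIn;      // USDT escrowed, 6 decimals (assumption)
        uint256 minGoldOut;  // buyer's slippage floor, supplied at request time
        uint256 maxGoldOut;  // cap captured at request time from the then-current quote
        uint64  createdAt;   // used to find the rate-limit bucket that was charged
        bool    open;
    }

    IGoldPriceOracle public immutable oracle;
    uint256 public nextId;
    mapping(uint256 => PurchaseRequest) public requests;

    // Per-user spend counters keyed by time bucket (assumed design, one bucket per day).
    uint256 public constant PERIOD = 1 days;
    uint256 public perPeriodLimit = 100_000e6;
    mapping(address => mapping(uint256 => uint256)) public spentInPeriod;

    // How far the settlement quote may exceed the request-time quote before the cap binds.
    uint256 public maxPriceDriftBps = 200;

    constructor(IGoldPriceOracle _oracle) { oracle = _oracle; }

    // Access control omitted; in a real deployment this is admin-only.
    function setConfidenceRatioBps(uint256 bps) external {
        require(bps > 0 && bps <= MAX_CONFIDENCE_RATIO_BPS, "ratio out of range");
        confidenceRatioBps = bps;
    }

    /// Reads the oracle now and applies the confidence gate: conf / price <= ratio.
    function _freshPrice() internal view returns (uint256 price) {
        uint256 conf;
        (price, conf) = oracle.latestPrice();
        require(price > 0, "bad price");
        require(conf * BPS <= price * confidenceRatioBps, "price uncertain");
    }

    /// usdtIn (6 dec) / price (8 dec USDT per gram) expressed as grams with 18 decimals.
    function _goldFor(uint256 usdtIn, uint256 price) internal pure returns (uint256) {
        return usdtIn * 1e20 / price;
    }

    function _period(uint64 ts) internal pure returns (uint256) { return ts / PERIOD; }

    function requestPurchase(uint256 usdtIn, uint256 minGoldOut) external returns (uint256 id) {
        uint256 quote = _goldFor(usdtIn, _freshPrice());
        require(quote >= minGoldOut, "min above quote");
        // Cap fixed at request time: settlement may pay out at most quote + drift.
        uint256 maxGoldOut = quote * (BPS + maxPriceDriftBps) / BPS;

        uint64 nowTs = uint64(block.timestamp);
        uint256 p = _period(nowTs);
        require(spentInPeriod[msg.sender][p] + usdtIn <= perPeriodLimit, "rate limit");
        spentInPeriod[msg.sender][p] += usdtIn; // reserve quota

        id = nextId++;
        requests[id] = PurchaseRequest(msg.sender, usdtIn, minGoldOut, maxGoldOut, nowTs, true);
        // USDT transfer into escrow omitted.
    }

    /// Settlement recomputes goldOut against the price read now, not the stored request-time price.
    function _settlePurchase(uint256 id) internal returns (uint256 goldOut) {
        PurchaseRequest storage r = requests[id];
        require(r.open, "not open");
        goldOut = _goldFor(r.usdtIn, _freshPrice());
        require(goldOut >= r.minGoldOut, "slippage");            // buyer's floor preserved
        if (goldOut > r.maxGoldOut) goldOut = r.maxGoldOut;      // cap binds on a large price drop
        r.open = false;
        // KGOLD mint/transfer omitted.
    }

    /// Symmetric release for requests that end without settlement: the bucket is derived
    /// from the request's createdAt so the same counter that was charged is decremented.
    function _releaseQuota(address user, uint64 createdAt, uint256 value) internal {
        uint256 p = _period(createdAt);
        uint256 spent = spentInPeriod[user][p];
        spentInPeriod[user][p] = value >= spent ? 0 : spent - value;
    }

    function cancelPurchase(uint256 id) external {
        PurchaseRequest storage r = requests[id];
        require(r.open && r.buyer == msg.sender, "not cancellable");
        r.open = false;
        _releaseQuota(r.buyer, r.createdAt, r.usdtIn);
        // USDT refund omitted.
    }
}
```

The cap is applied by clamping; reverting instead would hand the buyer a zero-cost refund exactly when the price moved in their favour, which is the free option the first finding describes. The release path deliberately takes createdAt rather than block.timestamp, since a cancellation that lands in a later bucket would otherwise decrement a counter that was never charged.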
Halborn conducted a combination of manual code review and automated security testing to balance efficiency, timeliness, practicality, and accuracy within the scope of this assessment. While manual testing is crucial for identifying flaws in logic, processes, and implementation, automated testing enhances coverage of smart contracts and quickly detects deviations from established security best practices.
The following phases and associated tools were employed throughout the term of the assessment:
Research into the platform's architecture, purpose and use.
Manual code review and walkthrough of smart contracts to identify any logical issues.
Comprehensive assessment of the safety and usage of critical Solidity variables and functions within scope that could lead to arithmetic-related vulnerabilities.
Local testing using custom scripts (Foundry).
Fork testing against main networks (Foundry).
Static security analysis of scoped contracts, and imported functions (Slither).
| Security analysis | Risk level | Remediation |
|---|---|---|
| Stored request-time pricing and zero-cost claimExpired path create a free option on gold price in KulceGoldMarket | Medium | Risk Accepted - 06/07/2026 |
| Per-user buy and sell rate-limit counters never release on cancellation or expired-claim, draining quota without realized trades | Medium | Solved - 06/04/2026 |
| Confidence-ratio setter upper bound disables the price safety gate and reverts every sell at the boundary | Low | Solved - 06/04/2026 |
| Trade settlement does not re-check KYC, delivering KGOLD to buyers and USDT to sellers whose approval was revoked between request and settle | Low | Partially Solved - 06/04/2026 |
| Escrowed purchases can fail due to unreserved supply cap | Low | Risk Accepted - 06/07/2026 |
| Purchase escrow can be trapped while KGOLD is paused | Low | Solved - 06/04/2026 |
| Inconsistent per-tx limits can brick trading | Low | Solved - 06/04/2026 |
| Human settler can override expired refunds after timeout | Low | Risk Accepted - 06/07/2026 |
| Treasury withdraw() Has No Minimum Reserve Check Against Pending Sell Obligations | Informational | Acknowledged - 06/07/2026 |
| Epoch-Aligned Time Bucket Design Allows AML Spend Limit Double-Spend at Period Boundaries | Informational | Acknowledged - 06/07/2026 |
| Insufficient mulPow Bound in _scaleTo8Floor/_scaleTo8Ceil Allows Arithmetic Overflow Revert DoS on Oracle Adapter | Informational | Solved - 06/04/2026 |
| Asymmetric pause in KYCRegistry: approvals blocked but revocations allowed, pausing effectively freezes all market trading | Informational | Solved - 06/04/2026 |
| Front-Running Freeze Transactions to Transfer KGOLD Tokens Before Asset Protection Takes Effect | Informational | Acknowledged - 06/07/2026 |
| Sell-side trading can be disabled by a 100% spread | Informational | Solved - 06/04/2026 |
| No Upper Bound on maxAgeSeconds in Oracle Adapter Allows Stale Gold Prices | Informational | Solved - 06/05/2026 |
| Treasury Pauser Role Asymmetrically Blocks All Sell Settlements While Purchases Continue Unaffected | Informational | Solved - 06/05/2026 |
| USDT Blacklisting of feeCollector Permanently Blocks All Settlements | Informational | Solved - 06/05/2026 |
| AssetProtector Can Freeze Market Contract Address, Permanently Blocking All Sell Settlements | Informational | Solved - 06/07/2026 |
| wipeFrozenAddress Is Blocked When Token Is Paused Due to whenNotPaused in _update Hook | Informational | Solved - 06/07/2026 |
| Immutable Admin in Custom Proxy Prevents ProxyAdmin Rotation, Creating Permanent Upgrade Lock Risk | Informational | Acknowledged - 06/08/2026 |
| KYC check on expired-request refund path permanently traps funds of de-KYC'd users | Informational | Acknowledged - 06/07/2026 |
| EIP-712 permit() Bypasses Frozen Account Restriction — Pre-Signed Permits Valid After Account Freeze | Informational | Solved - 06/07/2026 |
| Non-ERC-7201-Compliant Storage Slot Calculation in KulceGoldMarketStorage | Informational | Solved - 06/07/2026 |
| cancelPurchase and cancelSell emit RequestRejected instead of RequestCancelled, breaking off-chain monitoring | Informational | Solved - 06/07/2026 |
| Front-Running KYC Revocation to Submit Last-Minute Gold Trades Before De-KYC Takes Effect | Informational | Acknowledged - 06/07/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.