Prepared by:
HALBORN
Last Updated 03/12/2026
Date of Engagement: March 5th, 2026 - March 6th, 2026
100% of all REPORTED Findings have been addressed
All findings: 11 (Critical: 0, High: 0, Medium: 0, Low: 5, Informational: 6)
N3XT engaged Halborn to perform a security assessment of their smart contracts from March 5th, 2026 to March 6th, 2026. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.
The N3XT codebase in scope consists of smart contracts implementing an upgradeable, identity-gated ERC20 stable token and a non-transferable ERC721 identity NFT system, featuring role-based access control, proxy-based upgradeability, and administrative modules for minting, burning, and protocol management.
Halborn was allocated 2 days for this engagement and assigned 1 full-time security engineer to conduct a comprehensive review of the smart contracts within scope. The engineer is an expert in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.
The objectives of this assessment are to:
Identify potential security vulnerabilities within the smart contracts.
Verify that the smart contract functionality operates as intended.
In summary, Halborn identified several areas for improvement aimed at further strengthening the security posture of the protocol. The findings reported in this assessment were limited to low-severity issues and informational recommendations, primarily related to edge cases, code safety improvements, and best-practice alignment.
Overall, the N3XT codebase demonstrates a solid level of maturity and adherence to established Solidity and EVM security best practices. The smart contracts are well structured, clearly organized, and follow widely adopted design patterns.
Importantly, the assessment did not reveal any systemic architectural flaws or vulnerabilities that would critically impact protocol integrity or lead to loss of funds. The absence of Critical, High, or Medium severity findings suggests a robust initial security posture and indicates that the codebase has undergone thoughtful design and internal review prior to this engagement.
The core architecture appears fundamentally sound, with appropriate safeguards and access control mechanisms in place. Additionally, the implementation reflects a strong awareness of common smart contract risks, including protections against widely known attack vectors such as reentrancy and arithmetic-related issues.
To further improve resilience and align with best practices, Halborn recommended implementing the following changes, which were fully addressed by the N3XT team. The key recommendations were:
Require that _data is non-empty in the proxy constructor, ensuring initialization is always performed atomically at deployment.
Override approve() and setApprovalForAll() to always revert.
Replace _mint with _safeMint in the mint function to ensure only EOAs or ERC721-compatible contracts can receive identity NFTs.
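The three key recommendations above, shown together in an added example (not N3XT's code; the contract and function names, and the use of OpenZeppelin v5 upgradeable bases, are assumptions): the proxy rejects empty initializer data before the implementation is ever called, the identity NFT reverts on approve() and setApprovalForAll(), and mint() uses _safeMint so that only EOAs or ERC721-aware contracts can receive a token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {ERC721Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC721/ERC721Upgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

error EmptyInitData();
error NonTransferable();

// Evaluated as a base-constructor argument, so it runs before the proxy
// delegatecalls the implementation: deployment without init data reverts.
function requireInitData(bytes memory data) pure returns (bytes memory) {
    if (data.length == 0) revert EmptyInitData();
    return data;
}

// Hypothetical proxy: the initializer call is mandatory and atomic with deployment.
contract AtomicInitProxy is ERC1967Proxy {
    constructor(address impl, bytes memory _data) ERC1967Proxy(impl, requireInitData(_data)) {}
}

// Hypothetical non-transferable identity NFT with the hardened behaviours.
contract IdentityNFT is ERC721Upgradeable, AccessControlUpgradeable {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    function initialize(address admin) external initializer {
        __ERC721_init("Identity", "ID");
        __AccessControl_init();
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(MINTER_ROLE, admin);
    }

    // _safeMint calls onERC721Received on contract receivers, so a contract that
    // cannot handle ERC721 tokens can never be given an identity NFT.
    function mint(address to, uint256 tokenId) external onlyRole(MINTER_ROLE) {
        _safeMint(to, tokenId);
    }

    // Approvals are meaningless for a soulbound token; revert rather than record them.
    function approve(address, uint256) public pure override { revert NonTransferable(); }
    function setApprovalForAll(address, bool) public pure override { revert NonTransferable(); }

    // Mint (from == 0) and burn (to == 0) pass; owner-to-owner transfers revert.
    function _update(address to, uint256 tokenId, address auth) internal override returns (address) {
        address from = _ownerOf(tokenId);
        if (from != address(0) && to != address(0)) revert NonTransferable();
        return super._update(to, tokenId, auth);
    }

    function supportsInterface(bytes4 id) public view override(ERC721Upgradeable, AccessControlUpgradeable) returns (bool) {
        return super.supportsInterface(id);
    }
}
```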
Halborn conducted a combination of manual code review and automated security testing to balance efficiency, timeliness, practicality, and accuracy within the scope of this assessment. While manual testing is crucial for identifying flaws in logic, processes, and implementation, automated testing enhances coverage of smart contracts and quickly detects deviations from established security best practices.
The following phases and associated tools were employed throughout the term of the assessment:
Research into the platform's architecture, purpose and use.
Manual code review and walkthrough of smart contracts to identify any logical issues.
Comprehensive assessment of the safety and usage of critical Solidity variables and functions within scope that could lead to arithmetic-related vulnerabilities.
Local testing using custom scripts (Foundry).
Fork testing against main networks (Foundry).
Static security analysis of scoped contracts and imported functions (Slither).
| Security analysis | Risk level | Remediation |
|---|---|---|
| Uninitialized proxy deployment risk | Low | Solved - 03/10/2026 |
| ERC721 approval functions not disabled | Low | Solved - 03/10/2026 |
| Unsafe identity NFT minting | Low | Solved - 03/10/2026 |
| Centralization risks | Low | Solved - 03/10/2026 |
| Irrecoverable role management loss | Low | Solved - 03/10/2026 |
| Metadata returned for nonexistent NFTs | Informational | Solved - 03/10/2026 |
| Upgrade compatibility checks are inconsistent and incomplete | Informational | Solved - 03/10/2026 |
| Non-standard ERC20 approval semantics | Informational | Solved - 03/10/2026 |
| Floating pragma | Informational | Solved - 03/10/2026 |
| Storage layout upgrade hygiene | Informational | Solved - 03/10/2026 |
| Open To-Dos | Informational | Solved - 03/10/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Full report: NDD and NDDID Contracts