Prepared by:
HALBORN
Last Updated 07/21/2025
Date of Engagement: July 4th, 2025 - July 4th, 2025
100% of all REPORTED Findings have been addressed

| Severity | Findings |
|---|---|
| All findings | 2 |
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 1 |
| Informational | 1 |

OpenEden engaged Halborn to conduct a security assessment of their smart contracts, beginning and concluding on July 4th, 2025. The scope of the assessment was limited to the smart contracts provided in the OpenEdenHQ/usdo.tge.audit GitHub repository supplied to Halborn. Additional details can be found in the Scope section of this report.
Halborn was allocated one day for this engagement and assigned one full-time security engineer to review the in-scope smart contracts. The engineer is a blockchain and smart contract security specialist with advanced skills in penetration testing and smart contract auditing, possessing deep expertise across multiple blockchain protocols.
The objectives of the assessment are to:
- Identify potential security vulnerabilities within the smart contracts.
- Verify that smart contract functionality operates as intended.
In summary, Halborn identified several improvements to mitigate the likelihood and impact of potential risks, which were partially addressed by the OpenEden team. The key recommendations are as follows:
- Modify the deposit condition to `>= unlockTime` to prevent deposits at the exact unlock timestamp, thereby ensuring clearer lock semantics.
- Use the exact duration in seconds or explicitly document the 30-day month approximation to set accurate user expectations regarding unlock timing.
Commit 5961045, which introduces a new feature (phased distribution of forfeited tokens between stability mechanisms and treasury management), is outside the scope of this assessment.
Halborn employed a combination of manual, semi-automated, and automated security testing methodologies to ensure thoroughness, efficiency, and accuracy within the scope of this assessment. Manual testing is essential for uncovering vulnerabilities related to logic, process, and implementation, while automated tools enhance code coverage and quickly identify deviations from security best practices. The assessment comprised the following phases and tools:
- Research into the architecture and purpose of the smart contracts.
- Manual review and walkthrough of the smart contract code.
- Manual evaluation of critical Solidity variables and functions to identify potential vulnerability classes.
- Manual testing utilizing custom scripts.
- Static security analysis of the scoped contracts and imported functions using Slither.
- Local deployment and testing with Foundry.

| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
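| Attack Origin (AO) | Arbitrary (AO:A) | 1 |
| Attack Origin (AO) | Specific (AO:S) | 0.2 |
| Attack Cost (AC) | Low (AC:L) | 1 |
| Attack Cost (AC) | Medium (AC:M) | 0.67 |
| Attack Cost (AC) | High (AC:H) | 0.33 |
| Attack Complexity (AX) | Low (AX:L) | 1 |
| Attack Complexity (AX) | Medium (AX:M) | 0.67 |
| Attack Complexity (AX) | High (AX:H) | 0.33 |
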
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
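| Confidentiality (C) | None (C:N) | 0 |
| Confidentiality (C) | Low (C:L) | 0.25 |
| Confidentiality (C) | Medium (C:M) | 0.5 |
| Confidentiality (C) | High (C:H) | 0.75 |
| Confidentiality (C) | Critical (C:C) | 1 |
| Integrity (I) | None (I:N) | 0 |
| Integrity (I) | Low (I:L) | 0.25 |
| Integrity (I) | Medium (I:M) | 0.5 |
| Integrity (I) | High (I:H) | 0.75 |
| Integrity (I) | Critical (I:C) | 1 |
| Availability (A) | None (A:N) | 0 |
| Availability (A) | Low (A:L) | 0.25 |
| Availability (A) | Medium (A:M) | 0.5 |
| Availability (A) | High (A:H) | 0.75 |
| Availability (A) | Critical (A:C) | 1 |
| Deposit (D) | None (D:N) | 0 |
| Deposit (D) | Low (D:L) | 0.25 |
| Deposit (D) | Medium (D:M) | 0.5 |
| Deposit (D) | High (D:H) | 0.75 |
| Deposit (D) | Critical (D:C) | 1 |
| Yield (Y) | None (Y:N) | 0 |
| Yield (Y) | Low (Y:L) | 0.25 |
| Yield (Y) | Medium (Y:M) | 0.5 |
| Yield (Y) | High (Y:H) | 0.75 |
| Yield (Y) | Critical (Y:C) | 1 |
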
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) | 1 |
| Reversibility () | Partial (R:P) | 0.5 |
| Reversibility () | Full (R:F) | 0.25 |
| Scope () | Changed (S:C) | 1.25 |
| Scope () | Unchanged (S:U) | 1 |

| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Deposit allowed at exact unlock timestamp | Low | Solved - 07/11/2025 |
| Lock-period “month” approximation | Informational | Acknowledged - 07/16/2025 |
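
The two findings in the table above, modelled as an added example (not code from the OpenEden repository or from Halborn's report). It assumes the pre-fix gate rejected deposits only with a strict `>` against `unlockTime`; the function names, the sample dates and the calendar-month baseline are constructed for illustration.

```python
import calendar
from datetime import datetime, timezone

DAY = 86_400
MONTH = 30 * DAY  # the 30-day "month" approximation named in the finding


def deposit_allowed_before_fix(now: int, unlock_time: int) -> bool:
    # Assumed pre-fix gate: deposits are rejected only when now > unlock_time.
    return not now > unlock_time


def deposit_allowed_after_fix(now: int, unlock_time: int) -> bool:
    # Recommended gate: deposits are rejected when now >= unlock_time.
    return not now >= unlock_time


def boundary_table(unlock_time: int) -> dict:
    # (before_fix, after_fix) decisions one second before, at, and after unlock.
    return {off: (deposit_allowed_before_fix(unlock_time + off, unlock_time),
                  deposit_allowed_after_fix(unlock_time + off, unlock_time))
            for off in (-1, 0, 1)}


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def add_calendar_months(start: datetime, months: int) -> datetime:
    # Same day-of-month N months later, clamped to the target month's last day.
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)


def drift_days(start: datetime, months: int) -> int:
    # Positive: the 30-day-month lock ends this many days before the calendar date.
    approx_unlock = int(start.timestamp()) + months * MONTH
    calendar_unlock = int(add_calendar_months(start, months).timestamp())
    return (calendar_unlock - approx_unlock) // DAY


if __name__ == "__main__":
    start = utc(2025, 7, 4)  # constructed lock start
    print(boundary_table(int(start.timestamp()) + 12 * MONTH))
    for n in (1, 6, 12):
        print(n, "month(s): drift", drift_days(start, n), "day(s)")
```

Only the decision at the exact unlock second differs between the two gates, and the drift against calendar months grows with the lock length, which is why the report asks for the approximation to be documented.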
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Stability Vault