Prepared by:
HALBORN
Last Updated 08/26/2025
Date of Engagement: June 30th, 2025 - July 30th, 2025
100% of all REPORTED Findings have been addressed
All findings
19
Critical
0
High
0
Medium
1
Low
5
Informational
13
Oroswap engaged Halborn to conduct a security assessment on their smart contracts beginning on June 30th, 2025 and ending on July 30th, 2025. The security assessment was scoped to the smart contracts provided to Halborn. Commit hashes and further details can be found in the Scope section of this report.
Halborn was provided with 4 weeks for this engagement and assigned 2 security engineers to review the security of the smart contracts in scope. The assigned engineers possess deep expertise in blockchain and smart contract security, including hands-on experience with multiple blockchain protocols.
The objectives of this assessment were to:
Identify potential security vulnerabilities within the smart contracts.
Ensure that the smart contracts function as intended.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were mostly addressed by the Oroswap team. The main ones were:
Restrict collect to an authorised role or enforce an internal minimum limit per asset.
Cap the number of future schedules per pool or token.
Apply length-prefix encoding to each AssetInfo.as_bytes().
Store new decimal registrations as pending and require explicit owner approval.
Enforce that governance_cut + second_receiver_cut + dev_fund_cut ≤ 100%.
Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the custom modules. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of structures and can quickly identify items that do not follow security best practices. The following phases and associated tools were used throughout the term of the assessment :
Research into architecture and purpose.
Static Analysis of security for scoped repository, and imported functions.
Manual Assessment for discovering security vulnerabilities on the codebase.
Ensuring the correctness of the codebase.
Dynamic Analysis of files and modules in scope.
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
0
Medium
1
Low
5
Informational
13
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Permissionless “Collect” enables fee-harvest griefing | Medium | Solved - 08/06/2025 |
| Unbounded external-schedule spam could enable gas DoS | Low | Solved - 08/12/2025 |
| Pair keys can collide | Low | Solved - 08/11/2025 |
| Initial stake penalises first user | Low | Solved - 08/15/2025 |
| Burning small xORO amounts can result in no redemption | Low | Solved - 08/15/2025 |
| Over-allocation revert distribution due to wrong fees percentages | Low | Solved - 08/12/2025 |
| Permissionless decimal spoofing | Informational | Acknowledged - 08/17/2025 |
| Missing guard against stale pending operation | Informational | Solved - 08/25/2025 |
| Owner can confiscate future reward tokens | Informational | Solved - 08/15/2025 |
| Missing balance validation when bypassing amount check | Informational | Solved - 08/15/2025 |
| Schedule-limit bypass via improper length check | Informational | Solved - 08/15/2025 |
| Vesting schedules bypass validation when end_point is missing | Informational | Solved - 08/15/2025 |
| Asset info deduplication ignores the font case | Informational | Solved - 08/11/2025 |
| Formula deviation with reference contracts | Informational | Acknowledged - 08/17/2025 |
| Missing or incomplete instantiate attributes | Informational | Solved - 08/12/2025 |
| Unbounded pagination in query endpoints | Informational | Solved - 08/12/2025 |
| Malicious admin can seize all fees | Informational | Solved - 08/12/2025 |
| Vesting withdraw from active schedule leaves a single token unit in the schedule | Informational | Solved - 08/15/2025 |
| Redundant branch after minimum fee enforcement in funds splitting | Informational | Solved - 08/25/2025 |
//Medium
//Low
//Low
//Low
//Low
//Low
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
CosmWasm Contracts
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
