Quex V1 - Quex


Prepared by:

HALBORN

Last Updated 07/02/2025

Date of Engagement: June 24th, 2025 - June 25th, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings: 4
Critical: 0
High: 1
Medium: 1
Low: 2
Informational: 0


1. Summary

Quex engaged Halborn to perform a security assessment of their smart contracts from June 24th to June 25th, 2025. The assessment scope was limited to the smart contracts provided to the Halborn team. Commit hashes and additional details are available in the Scope section of this report.

2. Assessment Summary

The Halborn team dedicated two days to this engagement, with one full-time security engineer assigned to evaluate the security of the smart contracts.

The assigned security engineer is an expert in blockchain and smart contract security, possessing advanced skills in penetration testing, smart contract exploitation, and extensive knowledge of multiple blockchain protocols.

The objectives of this assessment were to:

    • Verify that the smart contract functions operate as intended.

    • Identify potential security vulnerabilities within the smart contracts.


In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of potential risks, which were mostly addressed by the Quex team. The primary recommendations were as follows:

    • Restrict internal flow logic to prohibit flow.consumer == address(this) to prevent unauthorized self-calls and manipulation of subscription funds.

    • Implement zero-address checks in the setOwner function to prevent permanent denial-of-service conditions through invalid ownership assignments.

    • Introduce per-consumer spending limits within the subscription model to mitigate griefing attacks via request spamming and prevent excessive balance reservation.

    • Ensure that ETH transfers to relayers in fulfillRequest and pushData are followed by proper return value checks to prevent silent failures and potential fund loss.
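The four recommendations above, illustrated together in one hypothetical Solidity contract. This is an added example, not code from Quex's DepositManagerFacet or QuexActionFacet; the Flow struct, storage layout, relayer allow-list and function signatures are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical subscription contract with assumed names and storage layout; not Quex code.
contract SubscriptionExample {
    struct Flow { address consumer; uint256 subscriptionId; }

    address public owner;
    mapping(address => bool) public isRelayer;
    mapping(uint256 => uint256) public subscriptionBalance;            // id => deposited wei
    mapping(uint256 => mapping(address => uint256)) public spendLimit; // id => consumer => cap (wei)
    mapping(uint256 => mapping(address => uint256)) public spent;      // id => consumer => wei drawn

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function deposit(uint256 id) external payable { subscriptionBalance[id] += msg.value; }
    function setRelayer(address relayer, bool allowed) external onlyOwner { isRelayer[relayer] = allowed; }

    // Recommendation 2: an owner of address(0) would make every onlyOwner function,
    // including this one, permanently unreachable.
    function setOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }

    // Recommendation 3: cap what each consumer may draw, so request spamming by one
    // consumer cannot reserve the whole subscription balance.
    function setSpendLimit(uint256 id, address consumer, uint256 cap) external onlyOwner {
        spendLimit[id][consumer] = cap;
    }

    // Recommendations 1, 3 and 4 on the fulfilment path (assumed: only an
    // allow-listed relayer may call it, and it is paid the fee from the subscription).
    function fulfillRequest(Flow calldata flow, uint256 fee, address payable relayer) external {
        require(isRelayer[msg.sender], "not relayer");
        // 1: the contract must never be its own consumer; otherwise an outside account
        //    can route a flow through the contract itself and move subscription funds.
        require(flow.consumer != address(this), "self consumer");
        uint256 id = flow.subscriptionId;
        // 3: enforce the per-consumer cap before debiting.
        require(spent[id][flow.consumer] + fee <= spendLimit[id][flow.consumer], "limit exceeded");
        require(subscriptionBalance[id] >= fee, "insufficient balance");
        subscriptionBalance[id] -= fee;   // effects before the external call (reentrancy-safe order)
        spent[id][flow.consumer] += fee;
        // 4: check the call result; a silent failure would debit the subscription but not pay the relayer.
        (bool ok, ) = relayer.call{value: fee}("");
        require(ok, "relayer transfer failed");
    }
}
```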

3. Scope

Repository
(a) Repository: quex-v1-contracts
(b) Assessed Commit ID: 1211630
(c) Items in scope:
  • contracts/facets/monetary/DepositManagerFacet.sol
  • contracts/facets/actions/QuexActionFacet.sol
Out-of-Scope: Third party dependencies and economic attacks.
Remediation Commit ID:
Out-of-Scope: New features/implementations after the remediation commit IDs.

4. Findings Overview

Security analysis                                      | Risk level | Remediation
-------------------------------------------------------|------------|----------------------------
Any External Account Can Manipulate Subscription Funds | High       | Solved
Unchecked Return Values in Relayer ETH Transfers       | Medium     | Solved
Potential Subscription Ownership DoS                   | Low        | Solved
Subscription Balance Griefing via Request Spamming     | Low        | Risk Accepted - 06/25/2025

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
