Prepared by: HALBORN
Last Updated 07/02/2025
Date of Engagement: June 24th, 2025 - June 25th, 2025
100% of all REPORTED Findings have been addressed
| Severity | Findings |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 1 |
| Low | 2 |
| Informational | 0 |
| All findings | 4 |
Quex engaged Halborn to perform a security assessment of their smart contracts from June 24th to June 25th, 2025. The assessment scope was limited to the smart contracts provided to the Halborn team. Commit hashes and additional details are available in the Scope section of this report.
The Halborn team dedicated two days to this engagement, with one full-time security engineer assigned to evaluate the security of the smart contracts.
The assigned security engineer is an expert in blockchain and smart contract security, possessing advanced skills in penetration testing, smart contract exploitation, and extensive knowledge of multiple blockchain protocols.
The objectives of this assessment were to:

- Verify that the smart contract functions operate as intended.
- Identify potential security vulnerabilities within the smart contracts.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of potential risks, which were mostly addressed by the Quex team. The primary recommendations were as follows:
- Restrict the internal flow logic so that `flow.consumer == address(this)` is prohibited, preventing unauthorized self-calls and manipulation of subscription funds.
- Implement a zero-address check in the `setOwner` function to prevent a permanent denial-of-service condition through an invalid ownership assignment.
- Introduce per-consumer spending limits within the subscription model to mitigate griefing attacks via request spamming and prevent excessive balance reservation.
- Ensure that ETH transfers to relayers in `fulfillRequest` and `pushData` are followed by proper return value checks, so that a failed transfer reverts instead of failing silently and potentially losing funds.
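The four recommendations above, combined into one hypothetical Solidity sketch added here for illustration. It is not the audited Quex code: `setOwner`, `fulfillRequest` and `flow.consumer` are taken from the recommendations, while `SubscriptionSketch`, `createRequest`, `isRelayer`, `reservedByConsumer`, `MAX_RESERVED_PER_CONSUMER` and the storage layout are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical sketch for this summary, not the audited Quex code: function names follow
// the recommendations above; storage layout, relayer allowlist and the cap are assumptions.
contract SubscriptionSketch {
    struct Flow { address consumer; uint256 subscriptionId; }
    struct Subscription { address owner; uint256 balance; uint256 reserved; }
    mapping(uint256 => Flow) public flows;
    mapping(uint256 => Subscription) public subscriptions;
    mapping(address => bool) public isRelayer;
    // Per-consumer cap on funds tied up by outstanding requests (recommendation 3).
    mapping(uint256 => mapping(address => uint256)) public reservedByConsumer;
    uint256 public constant MAX_RESERVED_PER_CONSUMER = 1 ether;

    // Recommendation 2: reject address(0) so ownership can never become unrecoverable.
    function setOwner(uint256 subId, address newOwner) external {
        Subscription storage s = subscriptions[subId];
        require(msg.sender == s.owner, "not owner");
        require(newOwner != address(0), "zero address owner");
        s.owner = newOwner;
    }

    // Recommendations 1 and 3: the contract itself may never be a flow's consumer,
    // and a single consumer cannot reserve more than the cap at any one time.
    function createRequest(uint256 flowId, uint256 fee) external {
        Flow storage f = flows[flowId];
        require(f.consumer != address(this), "self-call forbidden");
        require(msg.sender == f.consumer, "not consumer");
        Subscription storage s = subscriptions[f.subscriptionId];
        uint256 total = reservedByConsumer[f.subscriptionId][f.consumer] + fee;
        require(total <= MAX_RESERVED_PER_CONSUMER, "consumer limit reached");
        require(s.balance - s.reserved >= fee, "insufficient free balance");
        reservedByConsumer[f.subscriptionId][f.consumer] = total;
        s.reserved += fee;
    }

    // Recommendation 4: settle a request and pay the calling relayer, reverting if the
    // low-level transfer fails instead of silently dropping the ETH.
    function fulfillRequest(uint256 flowId, uint256 fee) external {
        require(isRelayer[msg.sender], "not relayer");
        Flow storage f = flows[flowId];
        Subscription storage s = subscriptions[f.subscriptionId];
        require(reservedByConsumer[f.subscriptionId][f.consumer] >= fee, "not reserved");
        reservedByConsumer[f.subscriptionId][f.consumer] -= fee;
        s.reserved -= fee; s.balance -= fee;
        (bool ok, ) = payable(msg.sender).call{value: fee}("");
        require(ok, "relayer transfer failed");
    }
    receive() external payable {} // subscription deposits are out of scope of the sketch
}
```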
| Security analysis | Risk level | Remediation |
|---|---|---|
| Any External Account Can Manipulate Subscription Funds | High | Solved |
| Unchecked Return Values in Relayer ETH Transfers | Medium | Solved |
| Potential Subscription Ownership DoS | Low | Solved |
| Subscription Balance Griefing via Request Spamming | Low | Risk Accepted - 06/25/2025 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
Quex V1