POSY Contract & Sealcoin OFT - SEALCOIN

1. INTRODUCTION

SEALCOIN engaged Halborn to conduct a security assessment on their smart contracts beginning on December 22nd 2025 and ending on December 24th, 2025. The security assessment was scoped to the smart contracts provided in the sealcoin/posy-contract and sealcoin/oft Github repositories, provided to the Halborn team. Commit hash and further details can be found in the Scope section of this report.

The reviewed contracts consist of a staking and reward distribution system (Sealcoin PoSy) deployed on Hedera that manages time-locked staking, reward accounting, and role-based administration for the QAIT token. In parallel, they include an omnichain fungible token (OFT) bridging system that locks the canonical QAIT HTS supply on Hedera and mints or burns fully backed OFT representations on EVM chains via LayerZero.

2. ASSESSMENT SUMMARY

Halborn was provided with 3 days for this engagement and assigned a full-time security engineer to assess the security of the smart contracts in scope. The assigned engineer possess deep expertise in blockchain and smart contract security, including hands-on experience with multiple blockchain protocols.

The objective of this assessment is to:

• Identify potential security issues within the SEALCOIN protocol smart contracts.

• Ensure that smart contract of ````SEALCOIN protocol functions operate as intended.

In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were mostly addressed by the SEALCOIN team. The main recommendations were:

• Implement a two-step ownership transfer mechanism.

• Pause rewards setting functionality when the staking contract is paused.

• Reset the position states when the position is withdrawn.

• Prevent bridging to the zero address.

• Use the correct parameters types when encoding the transfer call.