RECC - Smithii

1. Introduction

Smithii engaged Halborn to conduct a security assessment of the RECC programs from 29th July to 4th August, 2025. The security assessment was scoped to the smart contracts provided in the GitHub repository recc-program, commit hashes and further details can be found in the Scope section of this report.

The RECC Program is a Real World Asset (RWA) investment platform that enables investors to participate in real estate opportunities. Anyone can list projects on the platform, and investors can contribute funds to these projects in exchange for earnings once the business is completed in the real world. The platform also supports the creation of external markets, allowing investors to exit their positions early.

2. Assessment Summary

Halborn was provided 5 days for the engagement and assigned 1 full-time security engineers to review the security of the Solana Programs in scope. The engineers are blockchain and smart contract security experts with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

• Identify potential security issues within the Solana Program.

• Ensure that smart contract functionality operates as intended.

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were mostly addressed by the Smithii team. The main ones were the following:

• Store the contribution token mint in the 'fundraise' PDA during 'create_fundraise', and add a check in 'contribute' to ensure the supplied 'contribution_mint' matches the one stored in the fundraise account.

• Validate that 'clmm_program' passed in 'migrate' instruction matches raydium CLMM Program ID.

• Move the initial Raydium CLMM pool creation and initialization logic to the 'create_fundraise' instruction.

• Remove the current balance check 'is_vault_ata_credited' in claim instruction.

• Ensure that the 'project' account provided in the 'claim' instruction matches the 'project' key stored in the 'fundraise' PDA.

• Utilize CreateV1CpiBuilder from the 'mpl-token-metadata' provided by the Metaplex Token Metadata program. Additionally, the program should validate that the 'contribution_mint' does not have the TransferFee extension enabled.

3. Test Approach and Methodology

Halborn performed a combination of a manual review of the source code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the program assessment. While manual testing is recommended to uncover flaws in business logic, processes, and implementation; automated testing techniques help enhance coverage of programs and can quickly identify items that do not follow security best practices.

The following phases and associated tools were used throughout the term of the assessment:

• Research into the architecture, purpose, and use of the platform.

• Manual program source code review to identify business logic issues.

• Mapping out possible attack vectors.

• Thorough assessment of safety and usage of critical Rust variables and functions in scope that could lead to arithmetic vulnerabilities.

• Scanning dependencies for known vulnerabilities (cargo audit).

• Local runtime testing (anchor test).