Vesting - Smithii

1. Introduction

Smitthi engaged Halborn to conduct a security assessment on their Vesting program beginning on April 2nd, 2025 and ending on April 7th, 2024. The security assessment was scoped to the smart contracts provided in the GitHub repository smitthi_vesting_contract, commit hashes, and further details can be found in the Scope section of this report.

The Smithii team is releasing their smithii_vesting_contract Solana program. This program allows for the creation of vesting/locking schedules and claiming of SPL tokens based on time or Merkle proofs.

2. Assessment Summary

Halborn was provided 4 days for the engagement and assigned one full-time security engineer to review the security of the Solana Programs in scope. The engineer is a blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

• Identify potential security vulnerabilities within the codebase.  

• Verify the correctness of the core token locking, vesting schedule calculations, and claiming logic.

• Assess access control mechanisms ensuring only authorized parties can perform sensitive actions.

• Evaluate the security of state management, including initialization, updates, and potential data inconsistencies.

• Analyze the implementation and usage of Merkle proofs for claim verification.

• Identify potential edge cases or logical flaws that could lead to unexpected behavior, denial of service, or irrecoverable fund lockups.

• Assess adherence to Solana development best practices regarding security, resource management (rent and compute), and CPI handling.

In summary, Halborn identified some improvements to reduce the likelihood and impact of multiple risks, which were mostly addressed by the Smithii team. The main ones were the following:

• When setting up a vesting schedule for multiple recipients using the advanced verification feature, require the creator to choose how the tokens will be split.

• Do not allow setting up a new vesting schedule if the amount of tokens to be locked is zero, as this wastes fees.

3. Test Approach and Methodology

Halborn performed a combination of manual review and security testing based on scripts to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of the code and can quickly identify items that do not follow the security best practices. The following phases and associated tools were used during the assessment:

• Research into architecture and purpose.

• Differences analysis using GitLens to have a proper view of the differences between the mentioned commits

• Graphing out functionality and programs logic/connectivity/functions along with state changes