← Back to Audits

Stellar Contracts - Spiko

Prepared by:

Halborn Logo

HALBORN

Last Updated 10/03/2025

Date of Engagement: September 16th, 2025 - September 17th, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings

5

Critical

1

High

0

Medium

0

Low

1

Informational

3

Table of Contents

1. Introduction

Spiko engaged Halborn to conduct a security assessment of the Stellar Smart Account contracts, beginning on September 16th, 2025, and ending on September 18th, 2025. This security assessment was scoped to the smart contracts located in the Spiko-Tech Stellar Contracts GitHub repository. Commit hashes and further details can be found in the Scope section of this report.

 

Spiko provides the on-chain backbone for tokenising real-world fund shares on Stellar. It couples a permissioned fungible-token contract (representing each share) with a central access-control registry and a redemption module that burns tokens when investors cash out in the off-chain fund. By enforcing roles, whitelisting and escrowed redemptions, the suite bridges traditional assets and blockchain while preserving regulatory and operational safeguards.

2. Assessment Summary

The team at Halborn assigned a full-time security engineer to verify the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

    • Ensure that smart contract functions operate as intended

    • Identify potential security issues with the smart contracts


In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which have been completely addressed by the Spiko team. The main ones were the following:

    • Correct the redemption execution logic so that token burns are performed from the Redemption contract balance rather than from the user account to prevent pending redemptions and locked escrowed funds.

    • Prevent the admin role from being renounced without an alternative recovery mechanism by overriding or replacing the default renounce_admin flow with an explicit rotation/proposal-accept process.

    • Ensure idempotency keys and events are only consumed/emitted when an operation produces a real state change (reject empty-batch and zero-amount operations).

    • Move fixed, non-parameterized initialization logic into the constructor to eliminate unnecessary public initialization entrypoints and reduce deployment sequencing risk.

    • Improve in-code documentation to reduce misconfiguration and improve auditability.


3. Test Approach and Methodology

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. Manual testing was emphasized to uncover flaws in logic, process, and contract interaction, while automated tools supported the detection of dependency vulnerabilities and unsafe coding patterns.

The following phases and associated tools were used during the assessment:

    • Research into the architecture, purpose, and operational model of the Stellar Smart Account system.

    • Manual code review and walk-through of all contracts.

    • Verification of initialization flows and prevention of double-init or bypass conditions.

    • Analysis of upgrade and migration flows.

    • Review of cross-contract interactions and fail-closed behavior on errors.

    • Scanning of Rust code for vulnerabilities and unsafe usage.

    • Review and improvement of integration tests.

    • Verification of integration test execution and addition of new ones where required.


4. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.
The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.
The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.
The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.
The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

4.1 EXPLOITABILITY

Attack Origin (AO):
Captures whether the attack requires compromising a specific account.
Attack Cost (AC):
Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.
Attack Complexity (AX):
Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.
Metrics:
EXPLOITABILITY METRIC (mem_e)METRIC VALUENUMERICAL VALUE
Attack Origin (AO)Arbitrary (AO:A)
Specific (AO:S)		1
0.2
Attack Cost (AC)Low (AC:L)
Medium (AC:M)
High (AC:H)		1
0.67
0.33
Attack Complexity (AX)Low (AX:L)
Medium (AX:M)
High (AX:H)		1
0.67
0.33
Exploitability EE is calculated using the following formula:

E=meE = \prod m_e

4.2 IMPACT

Confidentiality (C):
Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.
Integrity (I):
Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.
Availability (A):
Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.
Deposit (D):
Measures the impact to the deposits made to the contract by either users or owners.
Yield (Y):
Measures the impact to the yield generated by the contract for either users or owners.
Metrics:
IMPACT METRIC (mIm_I)METRIC VALUENUMERICAL VALUE
Confidentiality (C)None (C:N)
Low (C:L)
Medium (C:M)
High (C:H)
Critical (C:C)		0
0.25
0.5
0.75
1
Integrity (I)None (I:N)
Low (I:L)
Medium (I:M)
High (I:H)
Critical (I:C)		0
0.25
0.5
0.75
1
Availability (A)None (A:N)
Low (A:L)
Medium (A:M)
High (A:H)
Critical (A:C)		0
0.25
0.5
0.75
1
Deposit (D)None (D:N)
Low (D:L)
Medium (D:M)
High (D:H)
Critical (D:C)		0
0.25
0.5
0.75
1
Yield (Y)None (Y:N)
Low (Y:L)
Medium (Y:M)
High (Y:H)
Critical (Y:C)		0
0.25
0.5
0.75
1
Impact II is calculated using the following formula:

I=max(mI)+mImax(mI)4I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}

4.3 SEVERITY COEFFICIENT

Reversibility (R):
Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.
Scope (S):
Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.
Metrics:
SEVERITY COEFFICIENT (CC)COEFFICIENT VALUENUMERICAL VALUE
Reversibility (rr)None (R:N)
Partial (R:P)
Full (R:F)		1
0.5
0.25
Scope (ss)Changed (S:C)
Unchanged (S:U)		1.25
1
Severity Coefficient CC is obtained by the following product:

C=rsC = rs

The Vulnerability Severity Score SS is obtained by:

S=min(10,EIC10)S = min(10, EIC * 10)

The score is rounded up to 1 decimal places.
SeverityScore Value Range
Critical9 - 10
High7 - 8.9
Medium4.5 - 6.9
Low2 - 4.4
Informational0 - 1.9

5. SCOPE

REPOSITORY
(a) Repository: stellar-contracts
(b) Assessed Commit ID: b66c29e
(c) Items in scope:
  • contracts/token/src/lib.rs
  • contracts/token/src/contract.rs
  • contracts/permission-manager/src/lib.rs
↓ Expand ↓
Remediation Commit ID:
Out-of-Scope: New features/implementations after the remediation commit IDs.

6. Assessment Summary & Findings Overview

Critical

1

High

0

Medium

0

Low

1

Informational

3

Security analysisRisk levelRemediation Date
Redemption execution burns from user account instead of redemption contractCriticalSolved - 09/21/2025
Admin can renounce and leave contract without adminLowSolved - 09/21/2025
Idempotency keys and zero-amount / empty-batch operations can be consumed without effective workInformationalSolved - 09/21/2025
Initialize placed outside constructor without variable inputsInformationalSolved - 09/21/2025
Insufficient in-code documentationInformationalSolved - 09/21/2025

7. Findings & Tech Details

7.1 Redemption execution burns from user account instead of redemption contract

//

Critical

Description

During redemption execution, the contract attempts to burn the redeemed tokens from the user’s account (from) even though those tokens were already transferred into the Redemption contract during the initial redeem call.


As a result, execution reverts due to insufficient user balance, leaving the redemption stuck in Pending while tokens remain locked in the Redemption contract. If the user later holds funds, this could double-charge the user while keeping escrowed funds locked, causing supply/accounting inconsistencies.


Code Location

Code of execute_redemptions function from contracts/redemption/src/contract.rs file:

pub fn execute_redemptions(
    e: &Env,
    caller: Address,
    operations: Vec<ExecuteRedemptionOperation>,
) {
    caller.require_auth();
    Self::assert_has_role(e, &caller, &REDEMPTION_EXECUTOR_ROLE);
    let redemption_contract_address = e.current_contract_address();

    for operation in &operations {
        let token = operation.0;
        let from = operation.1;
        let amount = operation.2;
        let salt = operation.3;

        Self::assert_token_registered(e, &token);

        let redemption_hash = Self::compute_redemption_hash(e, &token, &from, amount, &salt);
        Self::assert_redemption_status(e, &redemption_hash, RedemptionStatus::Pending);

        let client: TokenClient<'_> = TokenClient::new(e, &token);

        client.burn(&from, &amount, &redemption_contract_address);

        Self::set_redemption_status(e, &redemption_hash, RedemptionStatus::Executed);
        e.events().publish(
            (REDEMPTION_EVENT, REDEMPTION_EXECUTED_EVENT),
            RedemptionEntry(token, from, amount, salt),
        );
    }
}

Proof of Concept

Scenario

  • A whitelisted user redeems a positive token amount. The Token contract transfers that amount from the user to the Redemption contract (escrow) and records the entry as Pending via Redemption.on_redeem.

  • An authorized executor later calls Redemption.execute_redemptions for that same entry.

  • The Redemption contract attempts to burn the redeemed amount from the user’s address instead of from the Redemption contract (where the tokens actually reside after redeem).


Test Code

use token::contract::{Token, TokenClient};

fn deploy_real_token(e: &Env) -> (Address, Address, TokenClient<'_>) {
    let owner: Address = Address::generate(e);
    let name: String = String::from_str(e, "Token");
    let symbol: String = String::from_str(e, "EUTBL");
    let decimals: u32 = 6;
    let token_address = e.register(Token, (owner.clone(), name, symbol, decimals));
    let client = TokenClient::new(e, &token_address);
    (owner, token_address, client)
}

#[test]
fn poc_execute_redemptions_fails_with_real_token() {
    let e = setup_env();

    // Deploy Redemption and PermissionManager
    let (_owner_r, redemption_address, redemption_client) = deploy_redemption(&e);
    let (admin, permission_manager_address, permission_manager_client) =
        deploy_permission_manager(&e);
    redemption_client.set_permission_manager(&permission_manager_address);

    // Deploy real token
    let (_owner_t, token_address, token_client) = deploy_real_token(&e);
    token_client.set_permission_manager(&permission_manager_address);
    token_client.set_redemption(&redemption_address);

    // Roles
    let user: Address = Address::generate(&e);
    let executor: Address = Address::generate(&e);

    // Whitelist user and Redemption (current design requires it)
    permission_manager_client.grant_role(&admin, &user, &WHITELISTED_ROLE);
    permission_manager_client.grant_role(&admin, &redemption_address, &WHITELISTED_ROLE);

    // Allow minting and burning
    let minter: Address = Address::generate(&e);
    permission_manager_client.grant_role(&admin, &minter, &MINTER_ROLE);
    permission_manager_client.grant_role(&admin, &redemption_address, &BURNER_ROLE);

    // Register token on Redemption
    redemption_client.add_token(&token_address);

    // Mint to user and redeem (moves funds into Redemption)
    let amount: i128 = 1000;
    let salt: String = String::from_str(&e, "SALT");
    token_client.mint(&user, &amount, &minter);
    token_client.redeem(&amount, &user, &salt);

    // Sanity check
    assert_eq!(token_client.balance(&user), 0);
    assert_eq!(token_client.balance(&redemption_address), amount);

    // Execute redemptions → should revert due to burning from user instead of Redemption
    let mut ops = Vec::new(&e);
    ops.push_front(ExecuteRedemptionOperation(
        token_address.clone(),
        user.clone(),
        amount,
        salt.clone(),
    ));

    permission_manager_client.grant_role(&admin, &executor, &REDEMPTION_EXECUTOR_ROLE);
    let res = redemption_client.try_execute_redemptions(&executor, &ops);
    assert!(res.is_err());

    // Funds remain locked in Redemption
    assert_eq!(token_client.balance(&redemption_address), amount);
}

Result

  • Mint succeeded; redeem moved the funds to the Redemption contract (user balance = 0, Redemption balance = amount).

  • Calling execute_redemptions returned an error (revert) because the burn targeted the user (insufficient balance).

  • Funds remained locked in the Redemption contract (Redemption balance unchanged), and the redemption status did not progress, demonstrating a DoS/lock on the redemption flow.


BVSS
Recommendation

Burning of tokens should be performed from the Redemption contract's own balance (burn(account = Redemption, caller = Redemption)) rather than from the user's account.

Remediation Comment

SOLVED: The Spiko team has solved this issue by replacing the user's address with the contract address.

Remediation Hash
https://github.com/spiko-tech/stellar-contracts/commit/c84bf5d45ecfd093fdb68d199f878ba2ad38e3a1

7.2 Admin can renounce and leave contract without admin

//

Low

Description

The contract exports AccessControl’s default renounce_admin entrypoint. An authenticated admin can invoke it to remove the Admin key from storage, leaving the contract without an admin.


This does not directly compromise funds but creates operational risk: future role administration (set_role_admin, grant / revoke) becomes impossible without a separate recovery path.


Code Location

Code of renounce_admin function from AccessControl crate:

/// Allows the current admin to renounce their role, making the contract
/// permanently admin-less. This is useful for decentralization purposes or when
/// the admin role is no longer needed. Once the admin is renounced, it cannot
/// be reinstated.
///
/// # Arguments
///
/// * `e` - Access to Soroban environment.
///
/// # Errors
///
/// * [`AccessControlError::AdminNotSet`] - If no admin account is set.
///
/// # Events
///
/// * topics - `["admin_renounced", admin: Address]`
/// * data - `[]`
///
/// # Notes
///
/// * Authorization for the current admin is required.
pub fn renounce_admin(e: &Env) {
    let admin = enforce_admin_auth(e);

    e.storage().instance().remove(&AccessControlStorageKey::Admin);

    emit_admin_renounced(e, &admin);
}

BVSS
Recommendation

It is recommended to override renounce_admin to revert (disallow), or replace it with an explicit admin rotation flow (propose/accept) ensuring the contract cannot be left without an admin.

Remediation Comment

SOLVED: The Spiko team has solved this issue by overwriting the renounce admin function.


Remediation Hash
https://github.com/spiko-tech/stellar-contracts/commit/0b0a20bbbd1f400b48f1cb087b864e0c62dd5b89

7.3 Idempotency keys and zero-amount / empty-batch operations can be consumed without effective work

//

Informational

Description

The Token contract spends idempotency keys and emits events even when the call produces no meaningful state change:

  • Empty batch: mint_batch and burn_batch consume the provided idempotency key when operations.len() == 0, leaving no balances modified but preventing re-use of that key for a genuine retry.

  • Zero amount: safe_transfer, transfer, mint, burn, and per-item loops in their batch variants allow amount == 0.

    • In safe_transfer the key is burned, a transfer event is raised, yet no assets move.

    • In the other paths the call is simply a no-op, producing confusing audit logs.


While the issue is non-exploitable, it degrades UX for legitimate operators, wastes storage slots for idempotency tracking, and may break client-side retry logic that assumes keys are consumed only when the underlying effect succeeds.


BVSS
Recommendation

It is recommended to skip idempotency-key consumption and event emission when the assertion would fail, thereby ensuring keys are burned only after real token state changes. To implement this, explicit guards should be added:

  • assert!(operations.len() > 0, "Empty batch") at the start of mint_batch and burn_batch.

  • assert!(amount > 0, "Zero-amount transfer") in safe_transfer, transfer, mint, burn, and within each batch loop.



Remediation Comment

SOLVED: The Spiko team has solved this issue by implementing the recommended fixes.


Remediation Hash
https://github.com/spiko-tech/stellar-contracts/commit/0df70f854207f4650cb2bf0ea22673dea1e4cc14

7.4 Initialize placed outside constructor without variable inputs

//

Informational

Description

The initialize function, from PermissionManager contract, only sets a fixed role relationship (WHITELISTER_ROLE as admin of WHITELISTED_ROLE) and does not depend on dynamic inputs.


Keeping it as a separate public entry point adds operational risk (missed initialization, sequencing mistakes) without functional benefits. Although it is admin-gated via set_role_admin (admin.require_auth), its separation is unnecessary and can lead to avoidable deployment complexity.


Code Location

Code of initialize function from contracts/permission-manager/src/contracts.rs file:

pub fn initialize(e: &Env) {
    access_control::set_role_admin(e, &WHITELISTED_ROLE, &WHITELISTER_ROLE);
}

BVSS
Recommendation

It is recommended to move the role-admin setup into the constructor immediately after setting the admin.

Remediation Comment

SOLVED: The Spiko team has solved this issue by relocating the set_role_admin call into the contract constructor.


Remediation Hash
https://github.com/spiko-tech/stellar-contracts/commit/e1745b7f9b165fbcd06d4c2d34637fd973ed4862

7.5 Insufficient in-code documentation

//

Informational

Description

Multiple high-impact entrypoints lack doc comments that clearly explain each function's purpose along with required auth, invariants, storage/TTL effects, events, and idempotency semantics.


This is not an immediate exploit, but it increases misconfiguration risk and hurts auditability. Auditors depend on clear, consistent docs to verify boundaries and state changes.

BVSS
Recommendation

It is recommended to add concise doc comments to each function covering: purpose and inputs, required authorization/roles, preconditions and invariants (e.g., amount > 0, registered token), storage writes and TTL behavior, emitted events, expected error messages, etc.

Remediation Comment

SOLVED: The Spiko team has solved this issue by adding documentation to all critical function.


Remediation Hash
https://github.com/spiko-tech/stellar-contracts/commit/5a7fd0b53b2119dc938f33c600524087c416b2b4

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

// Download the full report

Stellar Contracts

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed

© Halborn 2025. All rights reserved.