Paymaster Contracts - Tea-Fi

1. Summary

Tea-Fi engaged Halborn to conduct a security assessment on their smart contracts beginning on October 27, 2025 and ending on October 30, 2025. The scope of this assessment was limited to the smart contracts provided to the Halborn team. Commit hashes and additional details are documented in the Scope section of this report.

TeaFi's NogaPaymaster is an ERC-4337 compatible smart contract that enables users to pay gas fees with ERC-20 tokens instead of native assets like ETH or MATIC. As part of NOGA’s EasyGas SaaS, it delivers secure, gasless transactions through EIP-712 signature validation, operator nonce protection, and precise post-operation token charging. With role-based access, pausability, and batch withdrawals, it ensures safety and flexibility. Its companion, CollectorSwapper, optionally converts collected tokens into a canonical token like USDC via Uniswap V3 without risking reverts, creating a seamless token-based gas abstraction system for Web3.

2. Assessment Summary

Halborn was provided 4 days for the engagement and assigned 1 full-time security engineer to review the security of the smart contracts in scope. The engineer is a blockchain and smart contract security expert with advanced penetration testing and smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

• Identify potential security issues within the smart contracts.

• Ensure that smart contract functionality operates as intended.

In summary, Halborn identified several areas for improvement to reduce both the likelihood and impact of potential risks, which were mostly addressed by the Tea-Fi team. The primary suggestions included:

• Modify the calculation to round up the division result to ensure fair payment.

• Instead of passing amountOutMin in the opaque data, the contract should use Uniswap V3's Quoter contract within postOpHandle().

• Integrate On-Chain Price Oracles which fetches the current exchange rate at the moment of execution.

• Wrap all external calls in try-catch and emit events on failure.

• FOT tokens should be explicitly prevented.

• Enforce a maximum allowed length for the tokens and amounts arrays in _withdrawTokensBatch().

  
  

3. Test Approach and Methodology

Halborn performed a combination of manual code review and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this assessment. While manual testing is essential to uncover flaws in logic, process, and implementation, automated testing techniques enhance coverage of smart contracts and can quickly identify issues that do not follow security best practices.

The following phases and associated tools were used throughout the assessment:

• Research into the architecture, purpose, and use of the platform.

• Manual code review and walkthrough of the smart contracts to identify potential logic issues.

• Manual testing of all core functions, including createCampaign, claim to validate expected behavior and identify edge-case vulnerabilities.

• Local testing to simulate contract interactions and validate functional and security assumptions.

• Local deployment and testing with Foundry.