Prepared by: HALBORN
Last Updated 12/15/2025
Date of Engagement: November 17th, 2025 - November 25th, 2025
100% of all reported findings have been addressed.
| Severity | Findings |
|---|---|
| All findings | 8 |
| Critical | 0 |
| High | 1 |
| Medium | 2 |
| Low | 2 |
| Informational | 3 |

Temple engaged our security engineering team to conduct a comprehensive review of their DAML-based order-matching and asset-management system. The objective of this engagement was to evaluate correctness, consistency, and robustness across the codebase, with particular emphasis on the logic that governs order lifecycle, matching, token allocation, and multi-step orchestration workflows. The assessment focused exclusively on the DAML modules and templates provided by Temple and closely examined the architectural assumptions, execution paths, and state transitions that underpin the system.
The audit was performed over a 7-day period by a senior engineer with deep experience in DAML/Canton, smart contract architecture, and adversarial testing of logic-heavy state machines. The review targeted the modules most central to execution reliability:
- Order.daml
- Orchestrator.daml
- Workflow.daml
- Supporting modules: Split, Merge, Allocations, Transfer, Context, Common, and Utils
The goal was to identify deviations between intended behavior and actual enforcement, uncover nondeterministic behaviors, ensure consistency across multi-step flows, and assess resilience against malformed inputs or state inconsistencies.
The review focused on validating:
- Execution correctness and predictable lifecycle management
- Enforcement of constraints around deadlines, ordering, and expiration
- Determinism in maker/taker role assignment
- Safety of deep call stacks within allocation, transfer, and split/merge logic
- Soundness of context propagation and validation
- Reliability of list-based and factory-dependent operations
- Consistency of state representation in workflows involving remainder management
This included evaluating how the system handles re-locking of holdings, expiration logic, multi-order matching, order prioritization, and the complex interplay between factories and allocations that drive the orchestration layer.
| Security analysis | Risk level | Remediation |
|---|---|---|
| Inconsistent state management when locking all holdings including remainder | High | Solved - 12/11/2025 |
| Missing expiration validation during order matching | Medium | Solved - 12/11/2025 |
| Insufficient validation of context data enabling potential denial of service | Medium | Risk Accepted - 12/12/2025 |
| Unsafe list access assumptions on transfer operation results | Low | Solved - 12/11/2025 |
| Order matching does not enforce FIFO ordering | Low | Risk Accepted - 12/11/2025 |
| Inconsistent deadline handling for re-locked order allocations | Informational | Solved |
| Non-deterministic maker-taker assignment for concurrent orders | Informational | Solved - 12/12/2025 |
| Misleading choice name suggesting validation-only operation | Informational | Solved - 12/11/2025 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.