Prepared by: HALBORN
Last Updated 02/05/2026
Date of Engagement: January 21st, 2026 - January 27th, 2026
100% of all REPORTED Findings have been addressed
| Severity | Findings |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 1 |
| Low | 5 |
| Informational | 1 |
| All findings | 7 |
AI Verse engaged Halborn to perform a security assessment of their smart contracts from January 21st, 2026 to January 27th, 2026. The assessment scope was limited to the smart contracts provided to Halborn. Commit hashes and additional details are available in the Scope section of this report.
The 0G Agent NFT protocol is a marketplace system for trading intelligent NFTs that combine token ownership with encrypted data payloads. The platform enables minting NFTs with embedded data hashes, facilitates peer-to-peer trading through signature-based orders, and distributes transaction fees between platform operators and content creators.
Halborn was allocated 5 days for this engagement and assigned 1 full-time security engineer to conduct a comprehensive review of the smart contracts within scope. The engineer is an expert in blockchain and smart contract security, with advanced skills in penetration testing and smart contract exploitation, as well as extensive knowledge of multiple blockchain protocols.
The objectives of this assessment are to:
- Identify potential security vulnerabilities within the smart contracts.
- Verify that the smart contract functionality operates as intended.
In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of security risks, which were mostly addressed by the AI Verse team. The main recommendations were:
- Handle excess ETH sent during minting by calculating the overpayment and refunding the surplus.
- Emit events for all critical state-changing functions.
- Remove the payable modifier from functions that do not contain logic to handle native tokens, to prevent accidental loss of ETH.
- Add pause controls to mint and fee withdrawal operations to ensure consistent behavior while the contract is paused.
- Implement two-step contract ownership transfer to prevent accidental loss of administrative privileges.
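The following contract is an added illustration written for this summary; it is not the AI Verse / 0G Agent NFT code and does not reproduce the audited contracts. It shows the five recommendations above applied together in one minimal mint-and-withdraw contract: overpayment is refunded, every state change emits an event, the fee-withdrawal function is deliberately not payable so stray ETH reverts instead of being locked, both mint and withdrawal respect the paused state, and ownership uses OpenZeppelin's two-step `Ownable2Step`. The contract name `AgentMintExample`, the constant `MINT_PRICE`, the `dataHashOf` mapping, the event names and the OpenZeppelin Contracts v5 import paths are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code. Contract name, MINT_PRICE,
// dataHashOf and the event names are assumptions; import paths assume
// OpenZeppelin Contracts v5.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract AgentMintExample is ERC721, Ownable2Step, Pausable, ReentrancyGuard {
    uint256 public constant MINT_PRICE = 0.01 ether; // assumed price for the example
    uint256 private _nextId = 1;
    uint256 public accruedFees;
    mapping(uint256 => bytes32) public dataHashOf; // data hash embedded at mint time

    // Events for every critical state change, so off-chain monitoring can follow them.
    event Minted(address indexed to, uint256 indexed tokenId, bytes32 dataHash, uint256 refunded);
    event FeesWithdrawn(address indexed to, uint256 amount);

    // Ownable2Step: transferOwnership() only nominates a new owner; the nominee
    // must call acceptOwnership(), so a mistyped address cannot strand the admin role.
    constructor(address initialOwner)
        ERC721("Agent NFT Example", "AGENTX")
        Ownable(initialOwner)
    {}

    // Mint is blocked while paused, refunds any overpayment and emits an event.
    function mint(bytes32 dataHash)
        external
        payable
        whenNotPaused
        nonReentrant
        returns (uint256 tokenId)
    {
        require(msg.value >= MINT_PRICE, "insufficient payment");
        uint256 refund = msg.value - MINT_PRICE;

        // Effects before interactions.
        accruedFees += MINT_PRICE;
        tokenId = _nextId++;
        dataHashOf[tokenId] = dataHash;

        // _safeMint reverts when the receiver is a contract that cannot handle
        // ERC-721 tokens, rather than minting into an address that can never move it.
        _safeMint(msg.sender, tokenId);

        // Return the surplus instead of keeping it in the contract.
        if (refund > 0) {
            (bool ok, ) = msg.sender.call{value: refund}("");
            require(ok, "refund failed");
        }
        emit Minted(msg.sender, tokenId, dataHash, refund);
    }

    // Deliberately NOT payable: this function has no native-token logic, so a
    // call that attaches ETH reverts instead of locking that ETH in the contract.
    function withdrawFees(address payable to)
        external
        onlyOwner
        whenNotPaused
        nonReentrant
    {
        uint256 amount = accruedFees;
        require(amount > 0, "nothing to withdraw");
        accruedFees = 0;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "withdraw failed");
        emit FeesWithdrawn(to, amount);
    }

    // Pause controls cover both mint and fee withdrawal via whenNotPaused above.
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }
}
```

The design point to take from this is consistency: `whenNotPaused` is applied to every function that moves tokens or ETH, so pausing has one predictable effect; `payable` appears only on `mint`, which is the only function with code that accounts for `msg.value`; and the refund is computed from the exact price rather than silently absorbing the excess into fees.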
| Security analysis | Risk level | Remediation |
|---|---|---|
| Overpayment not refunded in mint functions | Medium | Solved - 01/29/2026 |
| ETH sent to fulfillOrder() is permanently stuck in contract | Low | Solved - 02/01/2026 |
| Missing events for critical state changes | Low | Solved - 01/29/2026 |
| Mint and fee withdrawal functions remain operational when contract is paused | Low | Solved - 01/29/2026 |
| Use of transferFrom instead of safeTransferFrom may result in NFTs locked in contracts | Low | Solved - 01/29/2026 |
| maxProofAge configuration has no effect on proof expiration logic | Low | Solved - 01/29/2026 |
| Single-step admin transfer may result in permanent loss of administrative access | Informational | Acknowledged - 01/30/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
DollyLocker & Agent NFT