Omniscia Evergon Labs Audit
Core Tokenization System Update Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 2695e5b65e | April 30th 2025 | 23320f4475 |
| d682057ecb | May 13th 2025 | 7a9a1086e5 |
| 1de30b88ac | May 13th 2025 | 2e0b6b2bb0 |
| 2f8cdfcd1c | May 13th 2025 | ad4d42b2fd |
| 8c939bab80 | May 15th 2025 | 18483e054f |
Audit Overview
We were tasked with performing an audit of the Evergon Labs codebase and in particular their Core Tokenization System update.
The update involved several changes across many contracts in the codebase, with the vast majority of changes relating to linting, documentation, and optimizations of the codebase.
The system transitioned from a fund-based system to a packet-based system, with each packet being attached to one or several EIP-20 funding currencies, simplifying certain campaign flows.
A standardized initialization and configuration approach has been applied throughout the facets of the system by adhering to the initX or setAndCheckX conventions.
There are several features that have also been introduced to the system apart from the above changes:
- Vesting configurations can now have their cliff extended and support TGEs
- Recovery mechanisms have been set in place to permit recovery of fractions from lost accounts
- Price evaluations support dynamicity instead of fixed prices (audit scope encompassed a fixed price implementation)
- Fees are now supported for any packets that have been gathered for a campaign
- Compilot's gating mechanism is now supported throughout more system features, such as PurchaseToReceiveRoleApprovalFacet
Over the course of the audit, we identified a critical initialization vulnerability in the recovery mechanism subskeleton, as well as potential issues around the revised discount facet structure that would permit arbitrary call execution restricted to a particular campaign ID.
To note, we have observed certain structures being reordered, which would render the current implementation incompatible with contracts that have already been deployed, as it would require a fresh deployment to ensure consistency in storage.
We advise the Evergon Labs team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Evergon Labs team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Evergon Labs and have identified that a particular exhibit has not been adequately dealt with. We advise the Evergon Labs team to revisit the following exhibit: UPF-01M
Post-Audit Conclusion (1de30b88ac)
The Evergon Labs team evaluated our follow-up recommendation on UPF-01M and opted to apply it as advised.
We evaluated the remediation of UPF-01M and confirmed that it has been fully alleviated.
We consider all outputs of the audit report properly consumed by the Evergon Labs team with no outstanding remediative actions remaining.
Post-Audit Conclusion (8c939bab80)
The Evergon Labs team identified a potential edge case in the codebase that would result in a gas-intensive successful transaction with no meaningful state changes being applied to the system.
Specifically, the uniform vesting implementation was permitting a "claim" to occur when 0 portions are expected to be released, because the calculation logic of the next NFT ID generated a new one even if no rewards were claimed.
We evaluated the code changes introduced to slightly refactor this calculation, ensure that 0 value claims are prohibited, and guarantee that a successful transaction will consistently result in non-zero rewards being yielded.
During our evaluation, we pointed out two additional edge cases that could have resulted in the issue manifesting as well as certain documentation errors that were promptly remediated by the Evergon Labs team.
We continue to consider all original security guarantees of the audit upheld and that no outstanding remediative actions remain.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| | 0 | 0 | 0 | 0 |
| | 32 | 32 | 0 | 0 |
| | 1 | 1 | 0 | 0 |
| | 3 | 3 | 0 | 0 |
| | 1 | 1 | 0 | 0 |
During the audit, we filtered and validated a total of 0 findings utilizing static analysis tools as well as identified a total of 37 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report:




