Security & Audit
Static analysis results, test coverage, reentrancy protections, access control matrix, trust model, and known limitations.
1. Slither Security Audit
All Inferno contracts were analyzed with Slither v0.11.5, the leading static analysis framework for Solidity. The audit completed with zero high or critical findings.
Result: 0 High / Critical findings — 51 initial detections, 15 fixed, 36 accepted (informational or false positives).
- Tool: Slither v0.11.5
- Initial findings: 51
- Fixed: 15
- Accepted (informational / false positives): 36
Fixes Applied
| Detector | Count | Fix Applied |
|---|---|---|
missing-zero-check |
4 | Added require != address(0) in BuybackVault constructor + setParams |
reentrancy-benign |
2 | Applied CEI (Checks-Effects-Interactions) pattern in BurnReserve |
immutable-states |
5 | Made owner, burnReserve, guardian immutable in BurnReserve, BuybackVault, LiquidityReserve |
unindexed-event |
4 | Added indexed to Pause/Unpause events in BuybackVault, LiquidityReserve |
2. Claude Security Audit (Internal)
All 9 contracts (1727 SLOC) were reviewed line-by-line by Claude Opus 4.6 across 10 check categories: reentrancy, access control, integer overflow, front-running, DoS, centralization, fee edge cases, timelock bypass, feeExempt manipulation, and owner privileges.
Result: 0 FAIL — 12 WARN — 78 PASS — Full Report
Top Findings (Medium)
| # | Contract | Finding | Status |
|---|---|---|---|
| W1 | Governance | setOwner() bypasses timelock — immediate ownership transfer |
Multisig planned |
| W2 | Governance | Single owner key = single point of failure | Multisig planned |
| W3 | BuybackVault | setParams has no bounds on burnShareBps, slippageBps, cooldown |
Fix in v3 |
| W4 | BuybackVault | Uniswap swap MEV-vulnerable (sandwich within slippage tolerance) | Flashbots on mainnet |
Community Audit Open
All contracts are open source. Security findings welcome via GitHub Issues.
3. Test Coverage
The project maintains 361 tests across 10 test suites, all passing. Tests cover deployment, core logic, edge cases, access control, pause mechanisms, and cross-contract integration.
361 / 361 tests passing — 10 test suites, 0 failures.
| Test Suite | Tests | Coverage Areas |
|---|---|---|
| InfernoToken | 22 | Deployment, fee math, exemptions, owner functions, edge cases |
| LiquidityReserve | 42 | Lock period, staged withdrawal, pause, period limits, transferOwnership, edge cases |
| Vesting | 21 | Cliff, linear release, access control, pause, constructor, edge cases |
| BuybackVault | 26 | Deposit, buyback split, cooldown, slippage, activation delay, transferOwnership, edge cases |
| BurnReserve | 27 | Deposit, burn, burnAll, tracking, guardian auth, transferOwnership |
| Governance | 36 | Propose, execute, cancel, self-governance, integration |
| IFRLock | 37 | Lock, unlock, re-lock, isLocked, lockType, fee-exempt, pause, multi-user |
| PartnerVault | 95 | Partners, milestones, rewards, vesting, claims, authorizedCaller, anti-double-count, algo throttle, annual cap, bounds |
| FeeRouterV1 | 33 | Deployment, fee charging, voucher discount, voucher validation (isVoucherValid), replay protection, signer rotation, fee collector, access control, pause, receive ETH |
Run the full test suite:
npx hardhat testSolidity Coverage (solidity-coverage)
Code coverage measured with solidity-coverage. Overall: 99% statements, 91% branches, 98% functions, 99% lines.
| Contract | Stmts | Branch | Funcs | Lines |
|---|---|---|---|---|
| InfernoToken | 100% | 92.86% | 100% | 100% |
| LiquidityReserve | 100% | 86.67% | 100% | 100% |
| Vesting | 96.55% | 69.44% | 88.89% | 97.5% |
| BuybackVault | 100% | 61.76% | 100% | 100% |
| BurnReserve | 100% | 100% | 100% | 100% |
| Governance | 100% | 97.92% | 100% | 100% |
| IFRLock | 100% | 85.71% | 100% | 100% |
| PartnerVault | 98.31% | 84.51% | 100% | 99.33% |
| FeeRouterV1 | 100% | 96% | 100% | 100% |
Full coverage report: COVERAGE_REPORT.md
4. Reentrancy Protection
Every contract that performs external calls is protected against reentrancy attacks through one of two mechanisms: OpenZeppelin's ReentrancyGuard modifier or the Checks-Effects-Interactions (CEI) pattern.
| Contract | Protection | Details |
|---|---|---|
| IFRLock | ReentrancyGuard | OpenZeppelin nonReentrant modifier on both lock() and unlock() |
| BurnReserve | CEI Pattern | State updated before external token calls; Checks-Effects-Interactions enforced |
| BuybackVault | CEI Pattern | State updated before external calls; all token operations are the last statement |
| All external token calls are the last operation in their respective functions. | ||
5. Access Control Matrix
The following matrix shows which roles can call which functions on each contract. Owner refers to the contract owner (Governance after ownership transfer), Guardian is the emergency role, Anyone means any external address, and Self means the contract calling itself via a governance proposal.
| Contract | Owner | Guardian | Anyone | Self |
|---|---|---|---|---|
| InfernoToken | setFeeRates, setFeeExempt, setPoolFeeReceiver |
— | transfer, burn |
— |
| LiquidityReserve | withdraw, setMaxWithdraw |
pause, unpause |
— | — |
| Vesting | — | pause, unpause |
release (beneficiary only) |
— |
| BuybackVault | executeBuyback, setParams |
pause, unpause |
depositETH |
— |
| BurnReserve | burn, burnAll, setGuardian |
burn, burnAll |
deposit |
— |
| Governance | propose, execute, cancel, setGuardian, setOwner |
cancel |
— | setDelay |
| IFRLock | — | pause, unpause, setGuardian |
lock, unlock (own tokens) |
— |
6. Trust Model
Inferno is designed so that no admin can make instant changes — all actions require a 48-hour public timelock delay and can be cancelled by the Guardian. Multiple safeguards are layered to protect token holders and ensure transparent governance.
Key principle: No admin can make instant changes. All sensitive operations are gated by a 48-hour timelock via Governance, publicly visible on-chain, and cancellable by the Guardian.
- InfernoToken owned by Governance — all parameter changes (fee rates, exemptions) require a proposal with a 48-hour timelock before execution.
- Team tokens vested — 12-month cliff followed by 36-month linear release. No early access possible.
- Liquidity reserve locked — 6-month lock period with staged withdrawal limits after unlock.
- BuybackVault activation delayed — 60-day activation delay before the first buyback can be executed.
- Guardian is emergency-only — the Guardian role can pause contracts and cancel governance proposals, but cannot withdraw funds, execute proposals, or change parameters.
7. Known Limitations
While the Inferno contracts have been thoroughly tested and analyzed, the following limitations should be understood by users, integrators, and auditors.
| Limitation | Impact | Mitigation |
|---|---|---|
| Slither audit is static analysis only | Does not cover runtime exploits or economic attacks | Professional penetration test recommended before mainnet |
| Governance owner is currently a single EOA (deployer) — testnet configuration | Single point of failure for proposal creation | For mainnet, the owner role will be transferred to a multisig (recommended: 4-of-7 Gnosis Safe), with DAO governance planned for Phase 4 |
| No formal verification of mathematical properties | Fee calculations and vesting math are test-covered but not formally proven | Extensive unit tests with edge cases provide practical coverage |
| Fee-on-transfer can cause issues with some DeFi protocols | Protocols that don't account for transfer fees may receive fewer tokens than expected | Integrators must use balanceOf checks before and after transfer |
IFRLock requires feeExempt status |
Without fee exemption, unlock() fails due to balance mismatch from transfer fees |
IFRLock is set as fee-exempt during deployment; this must not be revoked |
Recommendation: A professional security audit by a reputable firm (e.g., Trail of Bits, OpenZeppelin, Consensys Diligence) is strongly recommended before mainnet deployment.
FeeRouter & Points Backend — Threat Model
FeeRouter Threats
| Attack | Mitigation |
|---|---|
| Voucher Replay | usedNonces[wallet][nonce] = true (on-chain) |
| Expired Voucher | block.timestamp > expiry check |
| Falscher Signer | ECDSA.recover == voucherSigner |
| Discount > Fee | Clamp: max(fee - discount, 0) |
| Arbitrary Adapter | whitelistedAdapters mapping |
| Signer kompromittiert | pause() + setVoucherSigner() via Governance |
| Fee ueber Cap | FEE_CAP_BPS = 25 hard-coded |
Points Backend Threats
| Attack | Mitigation |
|---|---|
| Bot farmt Punkte | Daily limits + rate limiting + SIWE |
| Voucher farming | 1 Voucher/Wallet/Tag + Expiry 7 Tage |
| SIWE Replay | Nonce pro Session, einmalig |
| JWT Faelschung | JWT_SECRET server-only, nie exposed |
| Sybil Wallets | Optional: min IFR Lock als Skin-in-game |
Important: IFR Points are not a token — no transfer value, no tradability, no monetary promise. They only reduce the protocol fee on a single swap.
On-Chain Audit (Sepolia Testnet)
Alle Werte sind live auf Sepolia verifizierbar.
Script: npx hardhat run scripts/onchain-audit.js --network sepolia
Contract Ownership
| Contract | Owner | Status |
|---|---|---|
| InfernoToken | Governance (Timelock) | OK |
| IFRLock | admin-Pattern | OK |
| PartnerVault | Governance (Timelock) | OK |
| FeeRouterV1 | Governance (Timelock) | OK |
| LiquidityReserve | Deployer | Testnet |
| BuybackVault | Deployer | Testnet |
| BurnReserve | Deployer | Testnet |
Token Supply Verteilung
| Wallet | IFR | % |
|---|---|---|
| LP Pair | 400,000,000 | 40.08% |
| LiquidityReserve | 200,000,000 | 20.04% |
| Vesting (Team, 4 Jahre) | 150,000,000 | 15.03% |
| Deployer (Treasury+Community) | 169,387,995 | 16.97% |
| PartnerVault | 40,000,000 | 4.01% |
| Verbrannt (Deflation) | 2,000,425 | 0.20% |
Vesting (Team)
- Balance: 150,000,000 IFR (15%)
- Cliff: 365 Tage (bis ca. Januar 2027)
- Duration: 1,460 Tage (4 Jahre linear)
- Released: 0 IFR
Deflation (Live)
Seit Deploy wurden 2,000,425 IFR permanent verbrannt (0.20% des Supply). Deflation funktioniert on-chain nachweisbar.
TODOs vor Mainnet: LP Tokens locken/burnen, LiquidityReserve/BuybackVault/BurnReserve Ownership → Governance. Details: TRANSPARENCY.md | Mainnet Checklist