Security & Audit
Static analysis results, test coverage, reentrancy protections, access control matrix, trust model, and known limitations.
Full on-chain + GitHub + Wiki review. All claims verified. Zero discrepancies.
1. Slither Security Audit
All Inferno contracts were analyzed with Slither v0.11.5, the leading static analysis framework for Solidity. The audit completed with zero high or critical findings.
Result: 0 High / Critical findings — 51 initial detections, 15 fixed, 36 accepted (informational or false positives).
- Tool: Slither v0.11.5
- Initial findings: 51
- Fixed: 15
- Accepted (informational / false positives): 36
Fixes Applied
| Detector | Count | Fix Applied |
|---|---|---|
| missing-zero-check | 4 | Added require != address(0) in BuybackVault constructor + setParams |
| reentrancy-benign | 2 | Applied CEI (Checks-Effects-Interactions) pattern in BurnReserve |
| immutable-states | 5 | Made owner, burnReserve, guardian immutable in BurnReserve, BuybackVault, LiquidityReserve |
| unindexed-event | 4 | Added indexed to Pause/Unpause events in BuybackVault, LiquidityReserve |
2. Claude Security Audit (Internal)
All 14 contracts were reviewed line-by-line by Claude Opus 4.6 across 10 check categories: reentrancy, access control, integer overflow, front-running, DoS, centralization, fee edge cases, timelock bypass, feeExempt manipulation, and owner privileges.
Result: 0 FAIL — 12 WARN — 78 PASS — Full Report
Top Findings (Medium)
| # | Contract | Finding | Status |
|---|---|---|---|
| W1 | Governance | setOwner() bypasses timelock — immediate ownership transfer | Multisig planned |
| W2 | Governance | Single owner key = single point of failure | ✅ Resolved — TreasurySafe 3-of-5 (20.03.2026) |
| W3 | BuybackVault | setParams has no bounds on burnShareBps, slippageBps, cooldown | Fix in v3 |
| W4 | BuybackVault | Uniswap swap MEV-vulnerable (sandwich within slippage tolerance) | Flashbots on mainnet |
Community Audit Open
All contracts are open source. Security findings welcome via GitHub Issues.
3. Test Coverage
The project maintains 544 tests (367 contract + 77 app + 100 vault) across 18 test suites, all passing. Tests cover deployment, core logic, edge cases, access control, pause mechanisms, cross-contract integration, wallet verification, governance announcements, and browser testing.
544 / 544 tests passing — 20 test suites, 0 failures.
| Test Suite | Tests | Coverage Areas |
|---|---|---|
| InfernoToken | 22 | Deployment, fee math, exemptions, owner functions, edge cases |
| LiquidityReserve | 42 | Lock period, staged withdrawal, pause, period limits, transferOwnership, edge cases |
| Vesting | 21 | Cliff, linear release, access control, pause, constructor, edge cases |
| BuybackVault | 26 | Deposit, buyback split, cooldown, slippage, activation delay, transferOwnership, edge cases |
| BurnReserve | 27 | Deposit, burn, burnAll, tracking, guardian auth, transferOwnership |
| Governance | 36 | Propose, execute, cancel, self-governance, integration |
| IFRLock | 37 | Lock, unlock, re-lock, isLocked, lockType, fee-exempt, pause, multi-user |
| PartnerVault | 95 | Builders, milestones, rewards, vesting, claims, authorizedCaller, anti-double-count, algo throttle, annual cap, bounds |
| FeeRouterV1 | 33 | Deployment, fee charging, voucher discount, voucher validation (isVoucherValid), replay protection, signer rotation, fee collector, access control, pause, receive ETH |
| BuilderRegistry | 27 | Register, remove, update, category validation, access control, views, edge cases |
| VoteAnnouncement | 12 | Deduplication, state detection (new/executable/executed/cancelled), calldata decode, multi-proposal polling |
| AnnouncementBot | 10 | Community link, channel sync, auto-pin, admin guards, topic IDs, no German strings, test commands |
Run the full test suite:
npx hardhat test
Solidity Coverage (solidity-coverage)
Code coverage measured with solidity-coverage. Overall: 99% statements, 91% branches, 98% functions, 99% lines.
| Contract | Stmts | Branch | Funcs | Lines |
|---|---|---|---|---|
| InfernoToken | 100% | 92.86% | 100% | 100% |
| LiquidityReserve | 100% | 86.67% | 100% | 100% |
| Vesting | 96.55% | 69.44% | 88.89% | 97.5% |
| BuybackVault | 100% | 61.76% | 100% | 100% |
| BurnReserve | 100% | 100% | 100% | 100% |
| Governance | 100% | 97.92% | 100% | 100% |
| IFRLock | 100% | 85.71% | 100% | 100% |
| PartnerVault | 98.31% | 84.51% | 100% | 99.33% |
| FeeRouterV1 | 100% | 96% | 100% | 100% |
Full coverage report: COVERAGE_REPORT.md
Internal Security Review — Bootstrap Flow
Date: 13 March 2026 | Scope: BootstrapVaultV3, InfernoToken, FeeRouterV1, Governance/Timelock
Method: Manual code review + 544 automated tests (91% branch coverage)
The 3 low-risk findings are structural design choices, not vulnerabilities:
- Front-running — neutralized by pro-rata distribution and 2 ETH cap
- 100% refund scenario — remaining IFR tokens locked permanently (effectively burned by design)
- Frontend is read-only — no Web3 write calls, users interact directly via Etherscan
This is an internal review, not a professional third-party audit. Full technical report: audit/BOOTSTRAP_SECURITY_REVIEW_13032026.md. A formal audit by an independent firm is planned before Phase 3.
4. Reentrancy Protection
Every contract that performs external calls is protected against reentrancy attacks through one of two mechanisms: OpenZeppelin's ReentrancyGuard modifier or the Checks-Effects-Interactions (CEI) pattern.
| Contract | Protection | Details |
|---|---|---|
| IFRLock | ReentrancyGuard | OpenZeppelin nonReentrant modifier on both lock() and unlock() |
| BurnReserve | CEI Pattern | State updated before external token calls; Checks-Effects-Interactions enforced |
| BuybackVault | CEI Pattern | State updated before external calls; all token operations are the last statement |
All external token calls are the last operation in their respective functions.
5. Access Control Matrix
The following matrix shows which roles can call which functions on each contract. Owner refers to the contract owner (Governance after ownership transfer), Guardian is the emergency role, Anyone means any external address, and Self means the contract calling itself via a governance proposal.
| Contract | Owner | Guardian | Anyone | Self |
|---|---|---|---|---|
| InfernoToken | setFeeRates, setFeeExempt, setPoolFeeReceiver | — | transfer, burn | — |
| LiquidityReserve | withdraw, setMaxWithdraw | pause, unpause | — | — |
| Vesting | — | pause, unpause | release (beneficiary only) | — |
| BuybackVault | executeBuyback, setParams | pause, unpause | depositETH | — |
| BurnReserve | burn, burnAll, setGuardian | burn, burnAll | deposit | — |
| Governance | propose, execute, cancel, setGuardian, setOwner | cancel | — | setDelay |
| IFRLock | — | pause, unpause, setGuardian | lock, unlock (own tokens) | — |
6. Trust Model
Inferno is designed so that no admin can make instant changes — all actions require a 48-hour public timelock delay and can be cancelled by the Guardian. Multiple safeguards are layered to protect token holders and ensure transparent governance.
Key principle: No admin can make instant changes. All sensitive operations are gated by a 48-hour timelock via Governance, publicly visible on-chain, and cancellable by the Guardian.
- InfernoToken owned by Governance — all parameter changes (fee rates, exemptions) require a proposal with a 48-hour timelock before execution.
- Team tokens vested — 12-month cliff followed by 36-month linear release. No early access possible.
- Liquidity reserve locked — 6-month lock period with staged withdrawal limits after unlock.
- BuybackVault activation delayed — 60-day activation delay before the first buyback can be executed.
- Guardian is emergency-only — the Guardian role can pause contracts and cancel governance proposals, but cannot withdraw funds, execute proposals, or change parameters.
- Builder Vault (40M IFR) governance-locked — cannot be withdrawn directly. Released only through user adoption: when a user locks IFR for a Builder product, a % is automatically paid as reward (vested 6–12 months). If nobody locks, all 40M stay locked permanently.
7. Known Limitations
While the Inferno contracts have been thoroughly tested and analyzed, the following limitations should be understood by users, integrators, and auditors.
| Limitation | Impact | Mitigation |
|---|---|---|
| Slither audit is static analysis only | Does not cover runtime exploits or economic attacks | Professional penetration test recommended as next security milestone |
| Governance owner transferred to TreasurySafe 3-of-5 ✅ (20.03.2026) | Single point of failure resolved — 3-of-5 multisig now controls Governance | Ownership transferred via direct setOwner() on 20.03.2026 (TX). All Safes 3-of-5. LP Reserve under multisig (55%+ of supply under multisig control). DAO governance planned for Phase 5. |
| No formal verification of mathematical properties | Fee calculations and vesting math are test-covered but not formally proven | Extensive unit tests with edge cases provide practical coverage |
| Fee-on-transfer can cause issues with some DeFi protocols | Protocols that don't account for transfer fees may receive fewer tokens than expected | Integrators must use balanceOf checks before and after transfer |
| IFRLock requires feeExempt status | Without fee exemption, unlock() fails due to balance mismatch from transfer fees | IFRLock is set as fee-exempt during deployment; this must not be revoked |
Recommendation: A professional security audit by a reputable firm (e.g., Trail of Bits, OpenZeppelin, Consensys Diligence) is strongly recommended as the next security milestone.
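The balanceOf check from the fee-on-transfer row above, as an added example (not Inferno's code and not taken from this page): a hypothetical integrator contract, `FeeAwareDeposit`, that credits the amount that actually arrived rather than the amount requested. All names are assumptions; import paths assume OpenZeppelin v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical integrator contract (not part of Inferno) that accepts
/// deposits of a fee-on-transfer token such as IFR.
contract FeeAwareDeposit is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    error NothingReceived();
    error MinReceivedNotMet(uint256 received, uint256 minReceived);

    constructor(IERC20 token_) {
        require(address(token_) != address(0), "token=0");
        token = token_;
    }

    /// Credits what actually arrived, not the `amount` argument.
    /// `minReceived` lets the caller bound the fee they accept.
    function deposit(uint256 amount, uint256 minReceived)
        external nonReentrant returns (uint256 received)
    {
        uint256 beforeBal = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - beforeBal; // balance delta
        if (received == 0) revert NothingReceived();
        if (received < minReceived) revert MinReceivedNotMet(received, minReceived);
        credited[msg.sender] += received;
    }

    /// Pays out at most the credited balance. Unless this contract is
    /// fee-exempt, the recipient receives less than `amount`.
    function withdraw(uint256 amount) external nonReentrant {
        credited[msg.sender] -= amount; // reverts on underflow (checked math)
        token.safeTransfer(msg.sender, amount);
    }
}
```

Crediting `amount` instead of `received` would leave the contract owing more tokens than it holds, which is the same balance mismatch the IFRLock row describes for a non-exempt `unlock()`.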
FeeRouter & Points Backend — Threat Model
FeeRouter Threats
| Attack | Mitigation |
|---|---|
| Voucher Replay | usedNonces[wallet][nonce] = true (on-chain) |
| Expired Voucher | block.timestamp > expiry check |
| Wrong Signer | ECDSA.recover == voucherSigner |
| Discount > Fee | Clamp: max(fee - discount, 0) |
| Arbitrary Adapter | whitelistedAdapters mapping |
| Signer compromised | pause() + setVoucherSigner() via Governance |
| Fee above cap | FEE_CAP_BPS = 25 hard-coded |
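How the replay, expiry, signer and clamp checks in the table above fit together, as an added sketch that is not the FeeRouterV1 source. The `Voucher` layout, the digest format, `feeBps`, `_effectiveFee` and the `isVoucherValid` signature are assumptions; only `usedNonces`, `voucherSigner` and `FEE_CAP_BPS = 25` come from the page. Import paths assume OpenZeppelin v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Illustrative sketch only, NOT the FeeRouterV1 source. The Voucher layout
/// and digest format are assumptions; state names follow the threat table.
contract VoucherCheckSketch {
    uint16 public constant FEE_CAP_BPS = 25;
    address public voucherSigner;
    uint16 public feeBps; // assumed: current protocol fee in basis points
    mapping(address => mapping(uint256 => bool)) public usedNonces;

    struct Voucher { address wallet; uint16 discountBps; uint256 nonce; uint256 expiry; }

    constructor(address signer_, uint16 feeBps_) {
        require(signer_ != address(0), "signer=0");
        require(feeBps_ <= FEE_CAP_BPS, "fee above cap");
        voucherSigner = signer_;
        feeBps = feeBps_;
    }

    /// Read-only validity check: expiry, replay, signer.
    function isVoucherValid(Voucher calldata v, bytes calldata sig) public view returns (bool) {
        if (block.timestamp > v.expiry) return false;     // expired voucher
        if (usedNonces[v.wallet][v.nonce]) return false;  // replay
        // Binding chain id and contract address stops a valid signature
        // from being replayed on another chain or another deployment.
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(keccak256(
            abi.encode(block.chainid, address(this), v.wallet, v.discountBps, v.nonce, v.expiry)));
        (address recovered, ECDSA.RecoverError err, ) = ECDSA.tryRecover(digest, sig);
        return err == ECDSA.RecoverError.NoError && recovered == voucherSigner;
    }

    /// Consumes the voucher and returns the fee owed on `amountIn`.
    function _effectiveFee(uint256 amountIn, Voucher calldata v, bytes calldata sig)
        internal returns (uint256)
    {
        require(v.wallet == msg.sender, "not voucher owner");
        require(isVoucherValid(v, sig), "invalid voucher");
        usedNonces[v.wallet][v.nonce] = true; // effect before any interaction
        uint256 bps = v.discountBps >= feeBps ? 0 : feeBps - v.discountBps; // clamp at 0
        return (amountIn * bps) / 10_000;
    }
}
```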
Points Backend Threats
| Attack | Mitigation |
|---|---|
| Bot farms points | Daily limits + rate limiting + SIWE |
| Voucher farming | 1 voucher/wallet/day + 7-day expiry |
| SIWE Replay | Per-session nonce, single-use |
| JWT forgery | JWT_SECRET server-only, never exposed |
| Sybil Wallets | Optional: minimum IFR lock as skin in the game |
Important: IFR Points are not a token — no transfer value, no tradability, no monetary promise. They only reduce the protocol fee on a single swap.
On-Chain Audit
All values are verifiable on-chain via Etherscan. Contracts are deployed and verified on Ethereum Mainnet.
Contract Ownership
| Contract | Owner | Status |
|---|---|---|
| InfernoToken | Governance (Timelock) | OK |
| IFRLock | admin-Pattern | OK |
| PartnerVault | Governance (Timelock) | OK |
| FeeRouterV1 | Governance (Timelock) | OK |
| LiquidityReserve | Governance (Timelock) | OK |
| BuybackVault | Governance (Timelock) | OK |
| BurnReserve | Governance (Timelock) | OK |
Token Supply Distribution
| Wallet | IFR | % |
|---|---|---|
| LP Reserve Safe (3-of-5) | 400,600,000 | 40.06% |
| BootstrapVaultV3 | 200,000,000 | 20.00% |
| LiquidityReserve | 200,000,000 | 20.00% |
| Vesting (Team, 4 Years) | 150,000,000 | 15.00% |
| PartnerVault | 40,000,000 | 4.00% |
| Treasury Safe | 0 | 0.00% |
| Community Safe | ~7,900,000 | 0.79% |
| Burned (Deflation) | ~1,500,000+ | ~0.15% |
Vesting (Team)
- Balance: 150,000,000 IFR (15%)
- Cliff: 365 days (~March 2027)
- Duration: 1,460 days (4 years linear)
- Released: 0 IFR
Deflation (Live)
Since deployment, — IFR have been permanently burned (— of total supply). Deflation is provable on-chain.
Pre-Mainnet Checklist — Completed (05.03.2026): All 17 protocol contracts deployed and verified on Ethereum Mainnet. Ownership transferred to Governance (LiquidityReserve, BuybackVault, BurnReserve). Details: Deployments | Mainnet Checklist
External Security Audit — InfernoToken.sol
Date: March 19, 2026 | Type: Independent AI Security Analysis | Scope: InfernoToken.sol (ERC-20 with fee-on-transfer)
Overall Assessment
Code quality: Good. Logic: Clean. No exploitable bugs found. Critical risks identified are mitigated by IFR’s Governance architecture (48h Timelock + TreasurySafe 3-of-5).
Findings & Mitigations
| Finding | Severity | IFR Mitigation | Status |
|---|---|---|---|
| Owner Control | Critical | Governance + 48h Timelock + TreasurySafe 3-of-5. No single person can make changes. | Mitigated |
| FeeExempt Logic | High | On-chain transparent, Governance-controlled. Only protocol contracts exempt — no DEX routers or insider wallets. | Mitigated |
| Rounding / Dust | Low | Minimal impact at 9 decimals. Not exploitable in practice. | Accepted |
| Decimals = 9 | Low / Design | Deliberate design choice. Fully compatible with Uniswap V2. | By Design |
Confirmed Strengths
- No Reentrancy Risk — no external calls in _update()
- Real Burn — tokens sent to address(0), not fake burn
- Fee Cap — hardcoded max 5%, cannot be exceeded
- No Mint — supply can only decrease, never increase
- OpenZeppelin v5 — current standard library
Why Critical Findings Are Mitigated
The audit correctly identified that Owner control is a risk in fee-on-transfer tokens. In IFR, this risk is eliminated by architecture:
- The token owner is the Governance Contract — not a person
- All changes require a 48-hour Timelock
- Governance is controlled by TreasurySafe 3-of-5 (5 signers, 3 required)
- Every feeExempt address is on-chain verifiable