SECURITY · DISCLOSURE V1.0 · LAST UPDATED 17 MAY 2026
Smart Contract Audit.
Internal collaborative audit Claude × Gemini · 15/15 findings closed · 12/12 Foundry invariants · Ownable2Step + Pausable + ReentrancyGuard · Gnosis Safe 2-of-3 multisig planned · Dedicated $10k bug bounty pool · max €25k single high-severity.
Summary
Figures from the SC_AUDIT v1.0 disclosure (audit/SC_SECURITY_DISCLOSURE.md).
15 / 15
Findings closed
0 crit · 2 high · 4 med · 6 low · 3 info
12 / 12
Invariants covered
Foundry fuzz 256 runs
49 / 49
Unit tests passing
Hardhat suite
0.8.27
Pragma frozen
Pre-deploy lock
Findings
12 findings categorized by severity · all closed
#1 HIGH
tokenOut lockup via SDK calldata bug
→ swapWithFee(tokenIn, tokenOut, ...) + post-swap sweep of tokenOut → msg.sender
#2 HIGH
rescueTokens hardcoded recipient
→ Explicit recipient parameter + zero-address guard
#3 MED
setDexAllowed no-timelock
→ Asymmetric timelock: queueDexAllowed 24h + revokeDexAllowed immediate
#4 MED
Fee-on-transfer multiplicative effect on treasury
→ Documented tradeoff + off-chain correction
#5 MED
No emergency pause
→ OpenZeppelin Pausable: pause / unpause only-owner
#6 MED
No TVL cap (large swap exposure)
→ Rolling 24h cap per token (raw, Option C). Chainlink upgrade @ $100k MRR
#7 LOW
Ownable single-step (misclick risk)
→ Ownable2Step (transferOwnership → acceptOwnership)
#8 LOW
Constructor does not emit TreasuryUpdated
→ Emit TreasuryUpdated(0x0, treasury) in constructor
#10 LOW
setDexAllowed(treasury, true) possible
→ Revert DexCannotBeTreasury on add. Revoke always safe
#13 LOW
Pragma caret ^0.8.20
→ Pragma frozen at 0.8.27 (fixed)
#14 LOW
AA bundler caller pattern (msg.sender)
→ Documentation: caller must be an EOA or Smart Wallet, NOT the EntryPoint directly
#15 LOW
safeIncreaseAllowance does not handle USDT
→ forceApprove (OZ v5 best practice)
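The asymmetric DEX-allowlist timelock from findings #3 and #10, written here as an added Solidity illustration (not the audited Pulsentric contract; the contract name, the pending-queue layout and the executeDexAllowed step are assumptions) showing why allowing a DEX waits 24h while revoking is immediate, and why the treasury address is rejected before it can ever be queued:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.27; // pinned, per finding #13

import "@openzeppelin/contracts/access/Ownable2Step.sol";

// Hypothetical contract illustrating findings #3 and #10; not the audited code.
contract DexAllowlist is Ownable2Step {
    uint256 public constant ALLOW_DELAY = 24 hours;
    address public immutable treasury;
    mapping(address => bool) public dexAllowed;
    // dex => timestamp after which a queued allow may be executed (0 = nothing queued)
    mapping(address => uint256) public allowReadyAt;

    event DexAllowQueued(address indexed dex, uint256 readyAt);
    event DexAllowed(address indexed dex);
    event DexRevoked(address indexed dex);

    error DexCannotBeTreasury();
    error TimelockActive(uint256 readyAt); // readyAt == 0 means nothing was queued

    constructor(address treasury_) Ownable(msg.sender) {
        treasury = treasury_;
    }

    // Allowing a DEX increases exposure, so the owner can only start a 24h clock.
    function queueDexAllowed(address dex) external onlyOwner {
        if (dex == treasury) revert DexCannotBeTreasury(); // finding #10, checked at the entry point
        uint256 readyAt = block.timestamp + ALLOW_DELAY;
        allowReadyAt[dex] = readyAt;
        emit DexAllowQueued(dex, readyAt);
    }

    // Assumed step name: anyone may execute once the delay has elapsed, so the
    // queue event gives users a full day to inspect the router before it goes live.
    function executeDexAllowed(address dex) external {
        uint256 readyAt = allowReadyAt[dex];
        if (readyAt == 0 || block.timestamp < readyAt) revert TimelockActive(readyAt);
        delete allowReadyAt[dex];
        dexAllowed[dex] = true;
        emit DexAllowed(dex);
    }

    // Revoking only reduces exposure: immediate, and it also cancels a pending queue entry.
    function revokeDexAllowed(address dex) external onlyOwner {
        delete allowReadyAt[dex];
        dexAllowed[dex] = false;
        emit DexRevoked(dex);
    }
}
```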
Responsible disclosure
Pool $10k · max €25k single high-sev · PGP first-touch 60 min · safe-harbor policy
Bug Bounty
Dedicated $10k pool · max single payout €25k per verified high-severity · tier rewards $50-$25,000 EUR equivalent · HackenProof setup in progress · official publication within 30 days of mainnet deploy.
$10k / €25k
Dedicated pool · max single high-sev
Email + PGP
security@pulsentric.com · 60 min first-touch guarantee · PGP encrypted submissions.
Safe Harbor
Good-faith security research protected · no legal action against researchers acting in good faith.
DYOR · Pulsentric provides data and analytics, not investment advice · Smart contract audit public · MiCA compliant