Sample Report — Real Audit Data

See What You Get

This is an excerpt from a real audit report on a 3-contract token system (476 lines of Solidity). Three independent teams (34 agents in total) produced 29 raw findings, which were reduced to 13 confirmed findings after falsification.

13 confirmed findings
2 high severity
5 disproved by falsification
476 lines analyzed

Sample Findings

HA-001 | HIGH | 3/3 teams

Token burn without holder approval

The owner can unilaterally destroy any holder's tokens with no allowance or approval check. All three teams flagged this as a centralization risk.

HA-002 | HIGH | 1/3 teams

Cross-token burn coupling

Both tokens' scheduled burns execute in a single atomic transaction. If one token has reached its burn floor and its burn reverts, the whole transaction reverts and the other token's scheduled burns stall as well.

HA-003 | MEDIUM | 2/3 teams

Access control role divergence

Admin roles are not transferred automatically when contract ownership changes, so ownership and admin privileges can diverge after a transfer. Two teams identified this as an operational risk.

HA-004 | MEDIUM | 1/3 teams

30-day interval drift

Burn schedule uses 30-day intervals (not calendar months), completing ~25 days early over 5 years.

HA-005 | MEDIUM | 1/3 teams

Allowance exhaustion risk

The 5-year burn schedule depends on allowances approved up front. If an allowance is exhausted, the burns stall silently rather than alerting anyone.

HA-006 | LOW | 2/3 teams

Year index fragility

The year-index lookup is safe with the current constants, but it would fail if the schedule parameters were changed without the array being updated to match.

HA-007 | LOW | 3/3 teams

No emergency stop on burn schedule

Once started, the scheduled burns cannot be paused. Halting them requires revoking permissions across multiple contracts.

HA-008 | INFO | 1/3 teams

Missing initial event emission

The constructor sets a parameter without emitting the corresponding update event, so off-chain indexers miss the initial value and tracking is harder.

Sample — Rust / Solana (Anchor)

Solana Program Findings

Excerpt from a report on a 320-line Anchor staking program, produced with the same three-team methodology plus Solana-specific checks.

HA-001 | HIGH | 3/3 teams

Missing signer check on withdraw instruction

The withdraw instruction accepts any account as the authority without verifying that it signed the transaction. An attacker who passes a victim's public key as the authority could drain that user's staked tokens.

HA-002 | HIGH | 2/3 teams

PDA seed collision between user accounts

User stake accounts are derived from [user_pubkey] alone, and the bump is not pinned to the canonical value. Invoking the program with a different bump yields a different PDA, so a second stake account can be created for the same user.

HA-003 | MEDIUM | 3/3 teams

Unchecked arithmetic in reward calculation

The reward calculation uses unchecked multiplication. In a release build with overflow checks disabled the product wraps silently, producing incorrect reward amounts.

HA-004 | MEDIUM | 2/3 teams

Missing account close drain

When unstaking, the account's data is not zeroed before its lamports are withdrawn. Because the runtime only reclaims zero-lamport accounts at the end of the transaction, the account can be refunded and re-initialized in the same transaction, reviving it with its stale data.

HA-005 | LOW | 3/3 teams

No freeze authority validation

The program does not verify that the freeze authority of the staked token's mint is null. If that authority freezes the token accounts used for staking, user funds are locked with no way to recover them.
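To make the first and third Solana findings concrete, here is an added example that is not code from the sample report or the audited program. It is plain, dependency-free Rust rather than Anchor: `Account` stands in for the runtime's AccountInfo (key plus the `is_signer` flag the runtime sets only when that key signed the transaction), `StakeAccount` for the on-chain stake record, and `withdraw_*`, `reward_*` and `SCALE` are hypothetical names. Release-mode wrapping is modelled with `wrapping_mul` so the vulnerable behaviour is identical in every build profile.

```rust
// Added example (not the audited program's code): a minimal model of the
// missing signer check (HA-001) and unchecked reward arithmetic (HA-003).
use std::convert::TryFrom;

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    MissingRequiredSignature,
    Unauthorized,
    InsufficientFunds,
    Overflow,
}

/// Hypothetical stand-in for AccountInfo: the account key plus the signer
/// flag the runtime sets only if that key signed the transaction.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Account {
    pub key: [u8; 32],
    pub is_signer: bool,
}

/// Hypothetical stand-in for the on-chain stake record.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct StakeAccount {
    pub owner: [u8; 32],
    pub amount: u64,
}

/// Shared bookkeeping: the authority key must match the stored owner and the
/// balance must cover the withdrawal. Returns the remaining staked amount.
fn debit(stake: &mut StakeAccount, authority: &Account, amount: u64) -> Result<u64, ProgramError> {
    if authority.key != stake.owner {
        return Err(ProgramError::Unauthorized);
    }
    stake.amount = stake.amount.checked_sub(amount).ok_or(ProgramError::InsufficientFunds)?;
    Ok(stake.amount)
}

/// HA-001 as described: the key matches the owner, but nothing checks that the
/// owner signed, so anyone who passes the victim's pubkey can withdraw.
pub fn withdraw_vulnerable(stake: &mut StakeAccount, authority: &Account, amount: u64) -> Result<u64, ProgramError> {
    debit(stake, authority, amount)
}

/// Fixed: require the signature before touching funds. In Anchor the same
/// check comes from typing the account as `Signer<'info>`.
pub fn withdraw_fixed(stake: &mut StakeAccount, authority: &Account, amount: u64) -> Result<u64, ProgramError> {
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    debit(stake, authority, amount)
}

/// Reward rate is fixed-point scaled by SCALE (a rate of 1_000 is 0.001 per slot).
pub const SCALE: u64 = 1_000_000;

/// HA-003 as described: a u64 product that wraps when overflow checks are off.
/// `wrapping_mul` reproduces that release-mode behaviour deterministically.
pub fn reward_vulnerable(amount: u64, rate_per_slot: u64, elapsed_slots: u64) -> u64 {
    amount.wrapping_mul(rate_per_slot).wrapping_mul(elapsed_slots) / SCALE
}

/// Fixed: widen to u128, multiply with checked arithmetic, and refuse any
/// result that does not fit the u64 token amount instead of truncating it.
pub fn reward_fixed(amount: u64, rate_per_slot: u64, elapsed_slots: u64) -> Result<u64, ProgramError> {
    let scaled = (amount as u128)
        .checked_mul(rate_per_slot as u128)
        .and_then(|v| v.checked_mul(elapsed_slots as u128))
        .ok_or(ProgramError::Overflow)?;
    u64::try_from(scaled / SCALE as u128).map_err(|_| ProgramError::Overflow)
}

fn main() {
    let victim_key = [7u8; 32];
    let mut stake = StakeAccount { owner: victim_key, amount: 1_000 };
    // Constructed attacker input: the victim's key with no signature.
    let forged = Account { key: victim_key, is_signer: false };
    println!("vulnerable withdraw: {:?}", withdraw_vulnerable(&mut stake.clone(), &forged, 1_000));
    println!("fixed withdraw:      {:?}", withdraw_fixed(&mut stake, &forged, 1_000));
    // 20e9 base units at 0.001 per slot for 1e6 slots: the wrapped product
    // pays out a small fraction of the real 2e13 reward.
    println!("vulnerable reward: {}", reward_vulnerable(20_000_000_000, 1_000, 1_000_000));
    println!("fixed reward:      {:?}", reward_fixed(20_000_000_000, 1_000, 1_000_000));
}
```

The withdraw fix is one line, but it is the line Anchor's `Signer<'info>` type exists to make impossible to forget; the reward fix shows why widening the intermediate is not enough on its own, since the narrowed result still has to be range-checked before it is credited to a u64 balance.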

The full report includes more

Each finding comes with a detailed description, impact analysis, code location, fix recommendation with code snippets, and a proof of concept where applicable, plus the full correction log showing how the teams cross-verified each finding.

Get Your Own Report — $99