The WATT protocol allows users to stake the LP tokens they obtain from providing liquidity. Stakers collect rewards from wrapped tokens and trading fees.
WATT engaged Ackee Blockchain Security for a security review, conducted over a fixed allocation of engineering days between May 28 and May 13, 2025.
A second revision, reviewing the fixes for the findings of the first, was conducted between June 25 and June 27.
Methodology
We began the review by familiarizing ourselves with the protocol's core concepts and main functionality, including reading the documentation provided by the client. In the early stages of the audit, we aimed to build a comprehensive understanding of the protocol's expected behavior, its logic, and its potential vulnerabilities.
In the second stage, we dug deeper into the codebase and began writing proof-of-concept (PoC) tests to verify the protocol's core functionality, observe its behavior, and test our vulnerability hypotheses. At this stage we paid special attention to ensuring that:
- The core protocol functionality is accurate and works as expected.
- User funds are always safe.
- All cross-program invocations (CPIs) are implemented and verified correctly.
- All accounts passed into instructions are correctly used, modified and verified.
- The protocol behaves fairly for all users.
- There is no excessive administrator privilege; and
- All calculations are correct.
Scope
The audit was performed on commit 78128cf, and the scope was as follows:
- WATT protocol, excluding external dependencies.
Security findings are classified along two axes, impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. An issue evaluated as medium impact, but exploitable only by the team itself, is generally downgraded according to its likelihood to a warning or informational severity rating.
Our initial review yielded 20 findings, ranging from informational to critical severity. The second revision produced one new finding (W5).
All critical, high and medium severity findings were fixed by the client, and all warning and informational severity findings were fixed, partially fixed or acknowledged by the client.
Critical severity
C1: Inconsistent LP token and pool state validation leads to inflated rewards.
C2: An incorrect return statement causes liquidity to be computed incorrectly.
C3: Possible re-initialization of the amplifier configuration allows extra fees to be collected from users.
C4: Full withdrawal is possible while retaining the staking position.
C5: Repeated stake/unstake cycles enable unlimited liquidity multiplication.
C6: FeeConfig allows a zero mint due to a missing validation check.
C7: A fraudulent Raydium pool can be used to earn staking rewards in legitimate tokens for worthless LP tokens.
High severity
H1: Division by zero from uninitialized global accumulators.
H2: Protocol state reset discards accumulated fees.
H3: Pre-emptive lamport transfer blocks mint initialization.
H4: Unbounded fee configuration allows excessive fees.
Medium severity
M1: Unvalidated Token-2022 extensions enable vault drainage.
M2: Unvalidated freeze authority enables permanent fund locking.
M3: Unvalidated fee configuration can prevent token unwrapping.
Low severity
No low severity issues were found.
Warning severity
W1: Distribution rate initialization blocks fee charging.
W2: Inconsistent naming between the epoch field and slot data.
W3: Updating a single field requires re-entering all fields.
W4: Mint authority validation is placed in the wrong instruction.
W5: The FeeConfig account is not updated when the transfer fee is updated.
Informational severity
I1: Unnecessary / unused source code.
I2: Use the Raydium SDK instead of a custom implementation where possible.
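Findings M1, M2 and C6 all concern accepting a token mint account without checking it. As an added example, not code from the WATT protocol or from the audit report, the stand-alone Rust snippet below shows the class of check involved: it parses a raw mint account, rejects any mint that has a freeze authority set, and for Token-2022 mints walks the TLV extension list against an allowlist. The byte offsets follow the public SPL Token mint layout and the Token-2022 extension layout; the allowlist policy, the `validate_mint` and `sample_mint` names and the sample account bytes are this example's own assumptions, and the samples are constructed rather than real on-chain accounts. It uses no external crates.

```rust
// Added example (not WATT or Ackee code): validate a token mint before a
// staking protocol agrees to custody it. Layout constants follow the SPL Token
// mint (82 bytes) and Token-2022 TLV extension formats; the allowlist is this
// example's own policy, not the protocol's.

const MINT_LEN: usize = 82;             // spl_token Mint::LEN
const IS_INITIALIZED_OFFSET: usize = 45; // mint_authority 0..36, supply 36..44, decimals 44
const FREEZE_AUTH_OFFSET: usize = 46;    // COption<Pubkey>: 4-byte tag, then 32-byte key
const ACCOUNT_TYPE_OFFSET: usize = 165;  // Token-2022 pads mints to Account::LEN, then 1 type byte
const TLV_START: usize = 166;            // entries: u16 type, u16 length, value (little-endian)
const ACCOUNT_TYPE_MINT: u8 = 1;

// Token-2022 ExtensionType discriminants used below.
pub const EXT_TRANSFER_FEE_CONFIG: u16 = 1;
pub const EXT_PERMANENT_DELEGATE: u16 = 12;
pub const EXT_METADATA_POINTER: u16 = 18;
pub const EXT_TOKEN_METADATA: u16 = 19;

#[derive(Debug, PartialEq)]
pub enum MintError {
    TooShort,
    NotInitialized,
    HasFreezeAuthority,
    WrongAccountType(u8),
    MalformedTlv,
    DisallowedExtension(u16),
}

/// Allowlist (assumption): extensions that cannot let a third party move,
/// freeze or burn the vault's holdings. Permanent delegate, transfer hook,
/// default account state and the like are rejected by not being listed.
fn extension_allowed(ext: u16) -> bool {
    matches!(ext, EXT_TRANSFER_FEE_CONFIG | EXT_METADATA_POINTER | EXT_TOKEN_METADATA)
}

/// Returns the extension types present on success, or the first reason to reject.
pub fn validate_mint(data: &[u8]) -> Result<Vec<u16>, MintError> {
    if data.len() < MINT_LEN {
        return Err(MintError::TooShort);
    }
    if data[IS_INITIALIZED_OFFSET] != 1 {
        return Err(MintError::NotInitialized);
    }
    let f = FREEZE_AUTH_OFFSET;
    let freeze_tag = u32::from_le_bytes([data[f], data[f + 1], data[f + 2], data[f + 3]]);
    if freeze_tag != 0 {
        // A freeze authority can lock the vault's token account forever (cf. M2).
        return Err(MintError::HasFreezeAuthority);
    }
    if data.len() == MINT_LEN {
        return Ok(Vec::new()); // legacy SPL Token mint, no extensions possible
    }
    if data.len() < TLV_START {
        return Err(MintError::MalformedTlv);
    }
    let account_type = data[ACCOUNT_TYPE_OFFSET];
    if account_type != ACCOUNT_TYPE_MINT {
        return Err(MintError::WrongAccountType(account_type));
    }
    let mut found = Vec::new();
    let mut pos = TLV_START;
    while pos + 4 <= data.len() {
        let ext_type = u16::from_le_bytes([data[pos], data[pos + 1]]);
        if ext_type == 0 {
            break; // Uninitialized: end of TLV entries
        }
        let len = u16::from_le_bytes([data[pos + 2], data[pos + 3]]) as usize;
        let end = pos + 4 + len;
        if end > data.len() {
            return Err(MintError::MalformedTlv);
        }
        if !extension_allowed(ext_type) {
            return Err(MintError::DisallowedExtension(ext_type)); // cf. M1
        }
        found.push(ext_type);
        pos = end;
    }
    Ok(found)
}

/// Constructed sample mint bytes for this example (not real on-chain accounts).
pub fn sample_mint(freeze_authority: bool, extensions: &[(u16, usize)]) -> Vec<u8> {
    let mut d = vec![0u8; MINT_LEN];
    d[0..4].copy_from_slice(&1u32.to_le_bytes()); // mint authority present
    d[4..36].copy_from_slice(&[0xAA; 32]);
    d[44] = 6; // decimals
    d[IS_INITIALIZED_OFFSET] = 1;
    if freeze_authority {
        d[46..50].copy_from_slice(&1u32.to_le_bytes());
        d[50..82].copy_from_slice(&[0xBB; 32]);
    }
    if extensions.is_empty() {
        return d;
    }
    d.resize(ACCOUNT_TYPE_OFFSET, 0);
    d.push(ACCOUNT_TYPE_MINT);
    for &(ext_type, len) in extensions {
        d.extend_from_slice(&ext_type.to_le_bytes());
        d.extend_from_slice(&(len as u16).to_le_bytes());
        d.extend(std::iter::repeat(0xCCu8).take(len));
    }
    d
}

fn main() {
    let cases = [
        ("legacy mint, no freeze authority", sample_mint(false, &[])),
        ("legacy mint with freeze authority", sample_mint(true, &[])),
        ("Token-2022 mint, transfer fee only", sample_mint(false, &[(EXT_TRANSFER_FEE_CONFIG, 108)])),
        ("Token-2022 mint with permanent delegate",
         sample_mint(false, &[(EXT_TRANSFER_FEE_CONFIG, 108), (EXT_PERMANENT_DELEGATE, 32)])),
    ];
    for (name, data) in &cases {
        println!("{}: {:?}", name, validate_mint(data));
    }
}
```

The check is deliberately an allowlist rather than a denylist: new Token-2022 extensions are added over time, and a mint carrying one the protocol has never reviewed should fail closed rather than be custodied by default.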
Trust model
WATT does not implement a role-based access control (RBAC) mechanism, but there are two roles used in the protocol.
Users must trust the following entities:
- The protocol administrator, to update the FeeConfig, which holds all important fee parameters and rates of the protocol, fairly and correctly;
- The administrator, to correctly update the metadata of the WATT token;
- The administrator, to appoint amplifiers fairly, responsibly and accurately; and
- The server, whose signature is required to introduce a new token, to not excessively censor the tokens initialized through the protocol.
Conclusion
Ackee Blockchain Security recommends that WATT:
- Fix the issues found during the audit before proceeding to production.
Ackee Blockchain Security's full WATT protocol audit report can be found here.
We were happy to work with WATT and look forward to working with them again.