Chatllat Info
Chatllat is a next-generation freelancing and service marketplace designed to solve trust, transparency, and efficiency problems present in traditional gig platforms. Existing platforms rely heavily on centralized control, opaque dispute resolution, delayed payments, and limited protection against fraud and scams.
TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io,
is currently not
activated
for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
For more information, click here.
Summary and Final Words
No crucial issues found
The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.
Contract owner cannot mint
It is not possible to mint new tokens.
Contract owner cannot blacklist addresses.
It is not possible to lock user funds by blacklisting addresses.
Contract owner cannot set high fees
The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.
Contract cannot be locked
Owner cannot lock any user funds.
Token cannot be burned
There is no burning within the contract without any allowances
Ownership is not renounced
The owner retains significant control, which could potentially be used to modify key contract parameters.
Contract is upgradeable
The contract uses a proxy pattern or similar mechanism, enabling future upgrades. This can introduce risks if the upgrade mechanism is not securely managed.
Scope of Work
This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.
The auditing process consists of the following systematic steps:
- Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
- Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
- Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
- Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
- Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
- Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
- Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.
A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.
Final Words
The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.
Ownership Privileges
DEFAULT_ADMIN_ROLE
- Can unlock 50,000,000 tokens immediately for the caller.
- Can create vesting schedules for the second partner allocation (70M pool).
- Can release 100,000,000 tokens to a liquidity pool address.
- Can update the controller address (though the address is currently unused).
- Can unlock 70,000,000 community tokens immediately to a receiver.
- Can toggle the pause state.
- Can manage all other roles (Inherited from AccessControl).
VESTING_ADMIN
- Can create vesting schedules for team members (180M pool).
- Can create vesting schedules for advisors (50M pool).
- Can create vesting schedules for community members (80M pool).
TREASURY_ADMIN
- Can release the initial 20,000,000 treasury tokens.
- Can Drip-feeds the remaining 180,000,000 treasury tokens over time.
STAKING_ADMIN
- Can designate the staking contract address (and grants it the STAKING_ADMIN role).
- Can trigger the release of staking rewards to the staking contract.
Note - This Audit report consists of a security analysis of the Chatllat smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited the mentioned contract for the Chatllat team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.
Files and details
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Findings and Audit result
medium Issues | 4 findings
Resolved
#1 medium Issue
Incorrect Vesting Logic & Missing Allocation Tracking
The function addVestingScheduleForStrategicPartner2 contains a critical logic flaw where it assigns the entire STRATEGIC_PARTNER_2_VESTING allocation (70,000,000 tokens) to every beneficiary added, rather than allowing the admin to specify a portion of the pool. Furthermore, the function fails to track the total number of tokens allocated against this specific pool's cap. This allows the admin to create multiple schedules that collectively exceed the contract's total supply, leading to a scenario where the contract becomes insolvent and cannot fulfill all vesting claims (a "race to claim" scenario).
Resolved
#2 medium Issue
Missing Cumulative Allocation Tracking for Vesting Schedules
Three vesting functions (Core Team, Advisors, and Community Incentives) contain a critical logic flaw where they validate only the individual allocation amount against the total category cap (CORE_TEAM_ALLOCATION, ADVISORS_ALLOCATION, and COMMUNITY_INCENTIVES_CLIFF). None of these functions tracks the cumulative total of tokens already assigned to previous beneficiaries. This omission allows the Vesting Admin to repeatedly add new schedules that, in aggregate, exceed the total token supply allocated for these categories. For example, the admin could assign the full 180M Core Team allocation to User A, and then another 180M to User B. This "double-spending" of the allocation budget will lead to contract insolvency, creating a race condition where the last beneficiaries to claim their vested tokens will fail due to insufficient contract balance.
Resolved
#3 medium Issue
Incorrect Tracking of Staking Rewards Emission
The releaseStakingRewards function incorrectly calculates the remaining staking reward allocation by subtracting the current balance of the staking contract (balanceOf(_stakingContract)) from the total STAKING_REWARDS_ALLOCATION. This logic is flawed because the staking contract is expected to distribute tokens to users, which decreases its balance. As the staking contract spends funds, the calculated "remaining allocation" artificially increases, causing the main token contract to believe it has not yet fulfilled its obligation. This effectively allows the staking contract to be "refilled" indefinitely, potentially draining the main contract beyond the intended 50 million token cap.
Resolved
#4 medium Issue
Missing whenNotPaused Checks on Critical Functions
The contract implements pause() and unpause() functions and inherits from PausableUpgradeable, but the crucial whenNotPaused modifier is never applied to any state-changing functions (such as transfer, transferFrom, releaseVested, or emitTreasuryFunds). Furthermore, the contract does not override the _update function to enforce the pause state during token transfers. As a result, triggering the pause mechanism updates the _paused boolean but fails to stop any contract activity. Users can continue to transfer tokens and claim vesting schedules even when the contract is supposedly "paused" during an emergency.
low Issues | 2 findings
Resolved
#1 low Issue
Ineffective Logic for Community Controller
The state variable communityIncentivesController is declared and has a setter function setCommunityIncentivesController that allows the admin to update it. However, this variable is never used in any access control checks or business logic (e.g., require(msg.sender == communityIncentivesController)). As a result, setting this address has no effect on the contract's behavior, potentially misleading users into believing a specific governance mechanism exists when it does not.
Resolved
#2 low Issue
Incorrect Identification of Community Incentive Releases
The releaseVested function attempts to identify "Community Incentive" vesting schedules implicitly by checking if schedule.totalAllocation <= COMMUNITY_INCENTIVES_CLIFF (80,000,000 tokens). This logic is flawed because other categories (e.g., Advisors or Team Members) may also have individual allocations smaller than this threshold. Consequently, legitimate releases from other pools will be incorrectly recorded as Community Incentive releases, incrementing the communityIncentivesVestedReleased counter and emitting misleading events. This corrupts the contract's internal accounting and on-chain data accuracy.
informational Issues | 6 findings
Resolved
#1 informational Issue
Floating pragma solidity version.
Adding the constant version of solidity is recommended, as this prevents the unintentional deployment of a contract with an outdated compiler that contains unresolved bugs.
Resolved
#2 informational Issue
Unused State Variables and Events
The state variable strategicPartner2TokensVested is declared but never written to or read within the contract logic. Similarly, the event StrategicPartner2TokensVested is defined but never emitted. The vesting logic for Strategic Partner 2 uses the generic vestingSchedules mapping, rendering these specific definitions redundant. This increases the contract size and deployment gas costs without providing any functionality.
Resolved
#3 informational Issue
Missing Event Emission for Sensitive Parameter Update
The function setCommunityIncentivesController allows the Default Admin to update the communityIncentivesController address but fails to emit an event upon successful execution. Changing a privilege-holding address is a critical state change that should be observable by off-chain monitoring tools and users for transparency. Without an event, this change occurs "silently," making it difficult to track governance history or detect unauthorized updates.
Resolved
#4 informational Issue
Treasury Emission Schedule Drift
The emitTreasuryFunds function uses lastTreasuryEmissionTime = block.timestamp to reset the vesting timer after each withdrawal. This implementation causes "time drift" because it effectively discards the time gap between when the funds became available and when the transaction was actually mined. If the administrator calls the function irregularly (e.g., days or weeks after the tokens unlocked), the emission schedule permanently shifts forward. Over the 5-year period, these accumulated delays mean the full distribution will take significantly longer than intended, deviating from the project's whitepaper or tokenomics schedule.
Resolved
#5 informational Issue
Missing Constructor in Upgradeable Implementation
The implementation contract (the logic contract behind the proxy) lacks a constructor with the _disableInitializers() call. In OpenZeppelin upgradeable contracts, it is standard security practice to lock the implementation contract upon deployment to prevent it from being initialized directly. Without this lock, an attacker could theoretically call initialize() on the logic contract, claim ownership, and potentially confuse off-chain indexers or disrupt the contract state (though they cannot access proxy funds). We have verified on-chain that the deployer successfully initialized the implementation contract immediately after deployment. Since the initializer modifier prevents re-initialization, the window of vulnerability is effectively closed, and no further action is required for the current deployment.
Resolved
#6 informational Issue
Redundant Event Emission in Pause/Unpause Logic
The pause and unpause functions trigger the internal _pause() and _unpause() methods from OpenZeppelin's PausableUpgradeable library, which automatically emit standard Paused(address account) and Unpaused(address account) events. However, the contract also manually emits a custom TokensPaused(bool) event immediately after. This results in two events being emitted for the same action, increasing gas costs and cluttering the transaction logs without providing additional useful information.