Discovery Trending Launches KYC Verified Watchlist Risk Alerts
Token Minter AI Threat Detection Token Burner
Blog & News Docs Visit SolidProof.io

Flour Yield Token Info

wharfplan.com

FYT (Flour Yield Token) is a real‑world asset (RWA) token concept that ties basalt processing and application to regenerative outcomes such as soil remineralization and CO₂ drawdown. Tokens reflect programmatic rights and incentives across the supply chain — from quarry to field — enabling data‑backed claims and fair distribution.

Flour Yield Token Logo
Onboarded date 28/05/2026

TrustNet Score

The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.

48.28
Poor Excellent

Real-Time Threat Detection

Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.

This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks. For more information, click here.

Security Assessments

"Static Analysis Dynamic Analysis Symbolic Execution SWC Check Manual Review"
Contract address
N/A
Network N/A
License N/A
Compiler N/A
Type N/A
Language Solidity
Onboard date 2026/05/28
Revision date 2026/05/28

Summary and Final Words

No crucial issues found

The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.

Contract owner can mint

It is possible to mint new tokens.

Contract owner cannot blacklist addresses.

It is not possible to lock user funds by blacklisting addresses.

Contract owner cannot set high fees

The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.

Token transfer can be locked

Owner can lock user funds with owner functions.

Token cannot be burned

There is no burning within the contract without any allowances

Ownership is not renounced

The owner retains significant control, which could potentially be used to modify key contract parameters.

Contract is not upgradeable

The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.

Scope of Work

This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.

Final Words

The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.

Smart Contract Analysis Statement

Contract Analysis

The FlourYieldToken contract implements an ERC20 token with a fixed supply cap, burnable balances, EIP-2612 permits, a pause switch that stops transfers and mints while still allowing burns, and two owner-only rescue paths for stuck ERC20 and native HYPE. The design follows common patterns on Ethereum and the verified source matches the deployed bytecode exactly, but a few areas need attention:

  • The owner is a single externally owned account, so every privileged action depends on one private key. A leaked or coerced key directly enables a 50 percent supply dilution and an indefinite market freeze.
  • Ownership transfer is a single transaction with no acceptance step, which means a clipboard mistake on transferOwnership permanently relocates every admin power to the wrong address with no recovery path.
  • There is no timelock on mint, pause, unpause, rescueERC20, sweepNative, or transferOwnership, so holders have no advance notice and no time to react before an admin action settles in the same block.
  • The pause hook stops transfers and mints but lets burns through, including the allowance-based burnFrom path. An address that already holds a stale approval can therefore destroy a holder's balance during a pause, while the holder cannot move the same tokens out of harm's way. Choose the pause semantics deliberately and apply them consistently to burnFrom.

Ownership Privileges

The ownership of the contract has been set to an externally owned account at deployment and has not been renounced. The owner retains full privileges including:

  • Minting up to the immutable cap of 1.5 billion FYT, which at the time of review represents room for another 500 million FYT on top of the 1 billion already in circulation.
  • Pausing every transfer and every mint with a single transaction, with burns still allowed during the pause so holders can always exit by destroying their own tokens.
  • Rescuing any other ERC20 the contract happens to hold to an arbitrary recipient, with the only restriction being that the contract refuses to drain its own FYT.
  • Sweeping any native HYPE held by the contract to any address, although the contract has no receive function and is therefore unlikely to ever hold native balance in normal operation.
  • Ownership cannot be split into separate pauser, minter, or rescuer roles in the current design; everything is held by the same key.
  • There is no two-step ownership transfer, so the new owner does not have to accept the role before it takes effect.
  • There is no on-chain timelock between an owner signature and its effect, so every admin action settles in the same block.
  • The supply cap is enforced by an immutable value baked into the bytecode at deployment and cannot be raised by the owner under any circumstances.

Security Features

The contract implements several positive security features:

  • A hard supply cap of 1.5 billion FYT enforced by ERC20Capped, so even a compromised owner key cannot mint beyond the documented maximum.
  • The pause path blocks transfers and mints but explicitly allows burns, which preserves the right of holders to exit by destroying their own balance even while the rest of the market is frozen.
  • EIP-2612 permits with EIP-712 typed data, including chain id in the domain separator, which prevents cross-chain replay of signed approvals and lets integrators avoid the classic approve-and-transferFrom race.
  • Custom errors throughout the user code instead of revert strings, plus a clean inheritance chain built entirely on OpenZeppelin v5 components, which keeps the audit surface small and the gas footprint low.

Note - This Audit report consists of a security analysis of the FlourYieldToken smart contract. This analysis did not include economic analysis of the contract's tokenomics. Moreover, we only audited the main contract for the FlourYieldToken team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.

Files and details

Findings and Audit result

Critical
High
1
Medium
4
Low
5
Optimization
8
Informational
medium Issues | 1 findings

Pending

#1 medium Issue
Centralization - single-key EOA owner with immediate mint, pause, and rescue powers
FYT.sol
L12
L65-96
Description

The deployed owner is an externally owned account (its on-chain code is empty), confirmed at the audit block. That single private key can, with one signature and no delay, mint up to 500,000,000 additional FYT (a 50 percent dilution at the time of audit), pause every transfer and every mint indefinitely, drain any other ERC20 the contract happens to hold via rescueERC20, drain any native HYPE held by the contract via sweepNative, and hand ownership over to any address in one step. There is no timelock, no two-step transfer, and no on-chain governance, so a compromised or coerced key translates directly into supply dilution and a frozen market. The pause path does not block burns, so holders retain the ability to destroy their own tokens during a pause, which is the only mitigation that survives a key compromise.

Comments

Migrate ownership to a Gnosis Safe (or equivalent) with at least 2-of-3 signers held by separate hardware wallets, and route every administrative call through a TimelockController with a public delay of at least 24 hours. Consider partitioning the privileges - separate pauser, minter, and rescuer roles via AccessControl - so that no single signing event can mint, freeze the market, and drain unrelated tokens at once.

low Issues | 4 findings

Pending

#1 low Issue
Single-step ownership transfer
FYT.sol
L12
Description

The contract inherits OpenZeppelin Ownable, whose transferOwnership function hands the role over to the new address in the same transaction with no acceptance step. A clipboard mistake, a phished signature, or any other typo in the new owner address relocates every administrative privilege (mint, pause, rescue, ownership transfer) to an address the team does not control, with no recovery path because the previous owner loses access immediately.

Comments

Migrate the contract to OpenZeppelin Ownable2Step (or an equivalent two-step pattern) so that the incoming owner has to call acceptOwnership before they actually receive control. This avoids permanent, irreversible loss of administrative access if transferOwnership is ever called with a wrong address - a likely failure mode for a single-key EOA owner.

Pending

#2 low Issue
No timelock on privileged actions
FYT.sol
L65-96
Description

Mint, pause, unpause, rescueERC20, sweepNative, and transferOwnership all execute synchronously in the same block the owner signs. Holders have no advance notice and no time to react before a dilution event, a market freeze, or a fund movement. There is no on-chain delay between owner intent and effect.

Comments

Route every owner-only call through a TimelockController with a publicly visible delay of at least 24 hours. Mint events in particular are economically material to every holder and any delay materially reduces both insider abuse and the value of a leaked key.

Pending

#3 low Issue
Unrestricted scope of rescueERC20
FYT.sol
L83-88
Description

rescueERC20 lets the owner move any ERC20 the contract happens to hold to an arbitrary recipient in any amount. The function correctly refuses to touch the FYT contract itself, but any other token routed to this address - whether by airdrop, by user mistake, or by an upstream integration - can be drained in one signature. The event is emitted after the transfer, so observers only see the move once it has settled.

Comments

Document the operational policy for this function and, ideally, constrain the recipient to a fixed treasury address controlled by the same governance that holds ownership. Combining this restriction with the timelock recommendation above makes any rescue publicly observable before it settles.

Pending

#4 low Issue
burnFrom is not blocked during pause and lets approved spenders destroy holder balances
FYT.sol
L99-105
Description

The _update hook only blocks transfers where the recipient is non-zero, so any path that routes to address zero (i.e. a burn) is allowed during pause. ERC20Burnable.burnFrom calls _burn, which calls _update with to equal to address zero, so an approved spender can destroy the holder's tokens even when the contract is paused. transferFrom is correctly blocked, so the attacker cannot extract value, but they can permanently destroy up to the allowance amount.

Comments

Decide which pause semantics you actually want and apply them consistently. If pause is meant to fully freeze every balance change, block burns inside the _update hook by removing the to != address(0) condition. If pause is meant to let holders exit by burning their own balance but not let approved spenders destroy other holders' balance, override burnFrom with a whenNotPaused modifier so only burn(self) goes through. The current state, where the holder cannot transfer away but a stale approval can still destroy, is the worst of both options because the holder has no defence during the pause.

optimization Issues | 5 findings

Pending

#1 optimization Issue
Remove pass-through transfer / approve / transferFrom overrides
FYT.sol
L39-49
Description

The transfer, approve, and transferFrom overrides on the user contract only call the super implementation and add no behavior of their own. Removing them shrinks the bytecode and saves one internal call frame on every ERC20 operation.

Comments

Drop the three override functions. The inherited ERC20 implementations already have the same signature, the same visibility, and the same behavior; the overrides only add a layer of internal-call gas and a few extra bytes of bytecode without any new logic.

Pending

#2 optimization Issue
Mark non-internally-called functions as external
FYT.sol
L52-62
Description

Five user-facing functions are declared public, but none of them are called internally. Marking them external saves a small amount of gas per call and tightens the API surface against accidental internal use in future maintenance.

Comments

Change the visibility of transfer, approve, transferFrom, increaseAllowance, and decreaseAllowance from public to external. None of these functions are called from inside the contract, so the public modifier only forces an extra calldata-to-memory copy on every external call.

Pending

#3 optimization Issue
Declare constructor payable
FYT.sol
L29-36
Description

The constructor is non-payable, which causes the compiler to inject a runtime check that msg.value is zero. Since no constructor argument is meant to carry value, declaring the constructor payable is safe and slightly cheaper to deploy.

Comments

Add the payable modifier to the constructor. This removes the implicit msg.value equals zero check that the compiler inserts otherwise, saving about 21 gas on deployment and a few bytes of bytecode. There is no downside on a contract that is never expected to be funded with a value at construction time.

Pending

#4 optimization Issue
Redundant cap check in mint
FYT.sol
L67
Description

mint contains an explicit if totalSupply plus amount is greater than MAX_SUPPLY revert. ERC20Capped already enforces the same cap in its own _update override, which is called immediately after. The duplicate check reads totalSupply twice and only changes the revert reason.

Comments

Remove the manual cap check from mint and let ERC20Capped enforce the cap inside _update where it already lives. If a custom revert reason is preferred, override the cap check in _update rather than adding a second pre-check in mint. This avoids reading totalSupply twice and trims the function body.

Pending

#5 optimization Issue
Drop redundant pause and unpause pre-checks
FYT.sol
L72-80
Description

pause and unpause both perform a manual paused state check before calling the OpenZeppelin internal _pause or _unpause. The OpenZeppelin internals already revert via whenNotPaused and whenPaused, so the manual check is redundant and only changes the revert reason.

Comments

Remove the manual if paused revert and if not paused revert lines. OpenZeppelin _pause and _unpause already carry whenNotPaused and whenPaused modifiers and will revert with EnforcedPause and ExpectedPause respectively. Keep the custom errors only if a project-specific revert name is desired, but in that case drop one of the two layers.

informational Issues | 8 findings

Pending

#1 informational Issue
Checks-effects-interactions deviation in sweepNative
FYT.sol
L90-96
Description

sweepNative reads address(this).balance, performs a low-level value-bearing call, and only then emits NativeSwept. Even though onlyOwner prevents a re-entry path that could steal value, the event ordering means that any callback executed by the recipient runs after settlement but before the event is in the log, which can confuse off-chain indexers that rely on log order.

Comments

Move the NativeSwept emit to before the external call (the amount is already known at that point) and, as defense in depth, wrap the function with a ReentrancyGuard. There is no real funds-loss vector here because the function is owner-only, but cleaning up the ordering removes a class of integrator confusion entirely. Downgraded from low to informational in the second pass after the peer review pointed out that onlyOwner closes the only re-entry route.

Pending

#2 informational Issue
Permissive Solidity pragma
FYT.sol
L2
Description

The source pragma is set to caret-0.8.20, which accepts every 0.8.x compiler from 0.8.20 onwards. The contract was deployed with 0.8.31, which is unaffected by the known issues VerbatimInvalidDeduplication, FullInlinerNonExpressionSplitArgumentEvaluationOrder, and MissingSideEffectsOnSelectorAccess that exist in the 0.8.20 to 0.8.24 window. Within this repository the build pins 0.8.31 via foundry.toml, but the verified source on the explorer carries the permissive pragma, which propagates to forks, re-deployers, and tutorials.

Comments

Pin the pragma to the exact compiler that produced the verified deployment, that is pragma solidity =0.8.31. Treat the pragma as part of the build manifest and keep it locked together with the optimizer settings. Downgraded from low to informational because foundry.toml in this repository already pins solc_version to 0.8.31, so the practical impact is limited to anyone re-using the verified source outside this build environment.

Pending

#3 informational Issue
Pause and unpause pre-checks duplicate OpenZeppelin modifiers
FYT.sol
L72-80
Description

The pause function manually reverts with PausedError before calling _pause, but _pause already carries the whenNotPaused modifier and will revert with EnforcedPause. The same observation applies to unpause and NotPausedError. The behavior is identical, only the revert reason differs.

Comments

Either drop the manual paused state checks and let _pause and _unpause revert via their own modifiers, or remove the inherited modifiers and keep the custom errors. Keeping both is just a stylistic duplicate.

Pending

#4 informational Issue
Public functions never called internally
FYT.sol
L39
L43
L47
L52
L57
Description

transfer, approve, transferFrom, increaseAllowance, and decreaseAllowance are declared public, but the contract never calls them from inside its own code. external is the appropriate visibility.

Comments

Mark these functions external. There is no internal caller for any of them, so the public visibility only forces an extra calldata-to-memory copy per external call.

Pending

#5 informational Issue
Pass-through overrides on transfer, approve, transferFrom
FYT.sol
L39-49
Description

transfer, approve, and transferFrom are overridden only to call the super implementation. They add no logic, no event, and no validation that is not already in OpenZeppelin ERC20.

Comments

Remove the three pass-through overrides. The inherited functions already have the same signature and visibility, so the overrides only add bytecode and an internal call without any new logic.

Pending

#6 informational Issue
increaseAllowance and decreaseAllowance re-introduced after the OpenZeppelin v5 removal
FYT.sol
L52-62
Description

OpenZeppelin v5 removed increaseAllowance and decreaseAllowance from ERC20 because they do not actually fix the approve race condition that motivated them, and because EIP-2612 covers the same use case more securely. Re-adding them is a UX or back-compat choice, but the underlying race remains.

Comments

Document the rationale for keeping these helpers in NatSpec, or remove them and rely on permit. The functions do not solve the approve race condition and OpenZeppelin removed them in v5 for that reason.

Pending

#7 informational Issue
Missing NatSpec
FYT.sol
L1-107
Description

No external or public function carries NatSpec documentation. Custom errors, events, and the constructor are also undocumented.

Comments

Add at minimum a NatSpec block for every external function and every event, with notice, param, and return tags where applicable. Indexers, wallets, and end users all benefit, and the documentation also makes the team intent reviewable on-chain via the verified source.

Pending

#8 informational Issue
sweepNative is largely unreachable in normal operation
FYT.sol
L90-96
Description

The contract has no receive function and no payable constructor. Native HYPE can therefore only end up at this address via selfdestruct from another contract, which has been deprecated since the Cancun upgrade, or via a coinbase reward. Neither is a path that the contract is likely to ever encounter in production.

Comments

Document in NatSpec that this function exists as emergency recovery for the corner cases above and is not expected to fire during normal operation. This makes the operational intent explicit for anyone reviewing the verified source.