Discovery Trending Launches KYC Verified Watchlist Risk Alerts
Token Minter AI Threat Detection Token Burner
Blog & News Docs Visit SolidProof.io

REKT Info

rektdrop.wtf

There once was a trader who lost everything. Not just once — every time. While others flexed profits, he became a meme. But instead of rage-quitting, he built something greater: $REKT — the first meme token that rewards your losses. Built on Solana. Powered by pain. Fueled by memes. This is for everyone who’s ever said, “I’m down bad,” and meant it.

REKT Logo
Onboarded date 30/09/2025

TrustNet Score

The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.

80.00
Poor Excellent

Real-Time Threat Detection

Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.

This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks. For more information, click here.

Security Assessments

Select the audit
"\"\\\"Static Analysis Dynamic Analysis Symbolic Execution SWC Check Manual Review\\\"\""
Contract address
N/A
Network N/A
License N/A
Compiler N/A
Type N/A
Language Rust
Onboard date 2025/09/30
Revision date 2025/10/01

Summary and Final Words

No crucial issues found

The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.

Contract owner cannot mint

It is not possible to mint new tokens.

Contract owner cannot blacklist addresses.

It is not possible to lock user funds by blacklisting addresses.

Contract owner cannot set high fees

The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.

Contract cannot be locked

Owner cannot lock any user funds.

Token cannot be burned

There is no burning within the contract without any allowances

Ownership is not renounced

The owner retains significant control, which could potentially be used to modify key contract parameters.

Contract is not upgradeable

The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.

Scope of Work

This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.

Final Words

The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.

Ownership Privileges
start_tge.rs
  • The admin can end the presale and start the token generation event.
buy.rs
  • The admin can call the buy function in presale.

Note - This audit report consists of a security analysis of the REKT-DEFI contracts. This analysis did not include functional testing (or unit testing) of the token’s logic. Furthermore, we only audited the mentioned contract associated with this project. Other contracts related to this project were not audited by our team. We recommend investors conduct their own research before engaging with the token.

Files and details

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Functions
public

/

State variables
public

/

Total lines
of code

/

Capabilities
Hover on items

/

Findings and Audit result

Critical
High
Medium
Low
Optimization
Informational
medium Issues | 3 findings

Resolved

#1 medium Issue
Centralized Control Over Presale Token Allocation
buy.rs
L5-22
Description

The buy function is an admin-only instruction that allows the designated authority to credit any user with an arbitrary amount of presale tokens. The core issue is that this process lacks any on-chain payment verification, forcing all participants to trust the admin to act honestly and competently. While this design may be intentional to support off-chain processes like KYC or private funding rounds, it introduces a significant centralization risk. A malicious or compromised admin could unfairly distribute tokens, and if the admin key is lost, no further allocations can be made. This model shifts the security from trustless code to trusting a single entity, which can undermine investor confidence.

Comments

To address the centralization risk, the presale process should be redesigned to be trustless and verifiable on-chain. This involves two main changes. First, to handle a permissioned sale (like for KYC'd users) without a central admin, an on-chain whitelist should be implemented using a Merkle tree. The admin would generate a Merkle root from the list of approved wallet addresses and store this single hash in the PresaleState. Each approved user would then receive a unique Merkle proof, which they would provide when calling the buy function. The smart contract would validate this proof against the stored root, confirming the user's eligibility in a decentralized manner. Second, the buy instruction should be made public and modified to include an on-chain payment mechanism. Instead of the admin manually assigning tokens, the function should require the user to transfer funds (such as SOL or USDC) to a secure, program-controlled vault. The smart contract would then calculate the corresponding token allocation based on a pre-defined price, ensuring a transparent and fair exchange that is publicly auditable on the blockchain. This combined approach removes the need to trust a central administrator and creates a robust, decentralized presale system.

Resolved

#2 medium Issue
Precision Loss in Vesting Calculation
claim_unlocked_from_vesting.rs
L7-64
Description

The formula used to calculate a user's unlocked tokens on lines 18-23 performs integer division at multiple intermediate steps (e.g., bought_token * 30 / 100). Because standard integer arithmetic truncates all decimal values, any fractional part of a token that a user is rightfully owed is rounded down and permanently lost during the calculation. This results in users consistently receiving less than their entitled amount, with the residual "dust" tokens becoming impossible to claim and effectively locked within the contract forever.

Comments

The vesting calculation logic should be refactored to preserve precision. The recommended approach is to first cast all numerical values to a higher-precision integer type, like u128. Then, restructure the formula to perform all multiplication operations before any division operations.

Resolved

#3 medium Issue
Compounding Rounding Errors Cause Permanent Loss of User Funds
rage_claim.rs
L15-134
Description

The rage_claim function calculates the user's final token withdrawal through several sequential steps, each involving percentage-based calculations. The current implementation uses standard integer math (u64) which truncates, rather than rounds, any decimal remainders. This flaw causes small, but compounding, amounts of tokens to be lost at each stage of the calculation, resulting in a direct financial loss for the user, as the lost fractional tokens become permanently locked in the contract. For example, consider a user who bought 999 tokens and decides to rage claim immediately with a 20% penalty. The code first calculates the 30% TGE unlock as 999 * 30 / 100, which equals 299, when the correct amount is 299.7, meaning 0.7 tokens are immediately lost. The code then calculates the penalty on an incorrect locked amount of 700 tokens (999 - 299), resulting in further inaccuracies. In this specific scenario, the compounding rounding errors across the different stages of the calculation would cause the user to permanently lose a total of 1.26 tokens that they were rightfully owed.

Comments

To prevent this permanent loss of funds, all financial logic within the function must be refactored to preserve mathematical precision. The standard and most effective mitigation is to perform all intermediate calculations using a higher-precision integer type, such as u128, to prevent overflows. All initial u64 values should be cast to u128 before being used in formulas. Crucially, the order of operations must be structured to perform all multiplications before performing any divisions.

low Issues | 2 findings

Resolved

#1 low Issue
Use of .unwrap() on Arithmetic Operations
claim_unlocked_from_vesting.rs
L21
L22
L29
L38
L39
Description

The code uses .unwrap() immediately following a checked arithmetic operation. While checked arithmetic prevents silent overflows and underflows, the use of .unwrap() creates a fragile failure model. If any of these operations were to fail (e.g., from an unexpected underflow in the pool's balance), the program would panic. A panic halts the entire transaction and, in a scenario where a user's or the pool's state becomes invalid due to a bug, could permanently block a user from being able to call this function, creating a Denial of Service.

Comments

o build a more resilient and robust contract, all instances of .unwrap() on arithmetic operations should be replaced with explicit error handling. Instead of panicking, the function should gracefully fail by returning a descriptive custom error. This can be accomplished by replacing .unwrap() with a construct like .ok_or(CustomError::ArithmeticError)?.

Resolved

#2 low Issue
Inefficient Resource Management Leads to Permanent Loss of User Rent Deposits
rage_claim.rs
L15-134
Description

The rage_claim instruction correctly settles a user's token balance, but it fails to close the now-obsolete VestingUserState account. This account was funded with a SOL deposit (rent) by the user to pay for its on-chain storage. By not closing the account, the program prevents this SOL rent from being refunded. This results in a direct, though small, and permanent financial loss for every user who uses the rage claim feature. While this does not impact their primary token balance, it represents an unnecessary loss of funds and inefficient use of blockchain state.

Comments

The contract should be updated to properly manage on-chain resources by closing accounts that are no longer needed. In the RageClaim accounts struct, the vesting_user_state account should be decorated with the close = authority directive. This will instruct the program to automatically close the state account at the end of the transaction and refund the locked SOL rent to the user, ensuring no funds are unnecessarily lost.

informational Issues | 5 findings

Resolved

#1 informational Issue
Non-Idiomatic Use of Integer Type (u8) for Boolean State Variables
states.rs
L14
Description

The smart contract defines boolean-like state variables, specifically is_initialized and is_ended within the PresaleState struct, using the u8 integer type instead of the native bool type. This approach is not idiomatic in Rust and slightly undermines the language's strong type-safety features. A u8 can represent 256 different values, whereas the program logic only intends for two states (true/false, represented by 1/0). This can decrease code clarity and introduces a theoretical risk of the state holding an invalid value, even if not possible under the current implementation.

Comments

To enhance code safety, clarity, and adherence to Rust best practices, it is recommended to refactor these state variables to use the bool type. In the states.rs file, the type definition for is_initialized and is_ended within PresaleState should be changed from u8 to bool. Subsequently, the corresponding logic in initialize.rs should be updated to assign the boolean literals true and false instead of the integers 1 and 0.

Resolved

#2 informational Issue
Missing zero check for acc_reward_per_share
start_tge.rs
L8-50
Description

The start_tge function is responsible for initializing the main staking pool after the presale concludes. It calculates the initial acc_reward_per_share by dividing the reward_token_per_second by the total number of tokens bought during the presale (pool.amount). The code does not account for the scenario where the presale ends with zero participants, making pool.amount equal to zero. When this happens, the checked_div operation is followed by an .unwrap(), which triggers a panic on the division-by-zero error.

Comments

o prevent this Denial of Service, a zero-check must be implemented before the division operation. You should wrap the calculation in a conditional block. If pool.amount is greater than zero, proceed with the division as planned. Otherwise, if pool.amount is zero, the acc_reward_per_share should be safely set to zero.

Resolved

#3 informational Issue
Unnecessary Mutable Account Reference
fund_reward_token.rs
L23
Description

The state account is defined as mut (mutable), but its data is never actually changed within the handle function. It is only read from to verify the owner of the reward_vault.

Comments

The mut keyword can be safely removed from the state account definition. This is a minor gas optimization and makes the code's intent clearer, showing that the state is not being modified.

Resolved

#4 informational Issue
Lack of Event Emission for Off-Chain Tracking
fund_reward_token.rs
L8-18
Description

The function successfully receives funds but does not emit an event to the blockchain logs. This makes it harder for off-chain services, UIs, or analytics platforms to track when and by whom the reward pool is funded.

Comments

It would be best practice to add an event after a successful transfer.

Resolved

#5 informational Issue
Presence of Unused Imports
fund_reward_token.rs
L1
L4
Description

The file fund_reward_token.rs includes several imports that are never used within the scope of the program. Specifically, events::*, Mint, Token2022, and AssociatedToken are brought into scope but are not referenced in the handle function or the FundRewardToken accounts struct. While unused imports do not create a security risk or affect the compiled program's logic, they do add unnecessary clutter to the code.

Comments

To improve code clarity and maintainability, all unused imports should be removed. This ensures that any developer reading the file can immediately see its exact dependencies without confusion.