
$8M+ Backed, High Stakes: How QuillAudits Secured Almanak’s AI-Powered DeFi Infrastructure

Our thorough audit identified key vulnerabilities and delivered targeted solutions, strengthening protocol security and ensuring accurate and reliable execution.


Headquarters: Switzerland

Chain: Solana


Before QuillAudits

  • Ownership Transfer Security - Contracts used Ownable, allowing instant ownership transfer in a single transaction, exposing the protocol to risks if the owner key is compromised or misused.
  • Token Accounting (Fee-on-Transfer Tokens) - Assumed standard ERC-20 behavior, leading to incorrect accounting when handling fee-on-transfer tokens and causing mismatches in rewards and balances.

After QuillAudits

  • Ownership Transfer Security - Replaced with Ownable2Step, enforcing a secure two-step ownership transfer that requires acceptance by the new owner.
  • Token Accounting (Fee-on-Transfer Tokens) - Implemented balance-difference accounting to ensure accurate tracking of the tokens actually received and distributed.


Almanak is a DeFi protocol combining AI-driven automation with secure tokenomics and governance.

It features a Merkle-based airdrop with claim or claim-and-stake options, where staking commitments are pre-defined. A time-decaying slashing model incentivises long-term participation: staked tokens remain slash-free, while unstaked tokens face penalties that decrease over time.

The protocol uses a vote-escrow (ve) system, allowing users to lock ALMANAK tokens (up to 2 years) for decaying voting power, with weekly fee distribution based on historical snapshots and gas-efficient reward claiming.
 

From Risk to Resilience: Securing Almanak

Our audit of Almanak uncovered critical vulnerabilities across its Merkle-based airdrop, time-decaying slashing mechanism, and vote-escrow (ve) system, including risks in enforcing staking commitments, inconsistencies in slashing calculations, and inaccuracies in reward distribution due to checkpointing gaps.

To address these issues, we strengthened validation within the airdrop contract, ensuring that pre-encoded staking parameters (percentage and unlock duration) were correctly enforced during claim and claim-and-stake flows. We also refined the slashing logic, ensuring proper application of time-decaying penalties on unstaked portions while maintaining the integrity of slash-free staked allocations.

Additionally, we improved the veToken checkpointing and historical tracking mechanisms, ensuring accurate calculation of voting power and fair weekly fee distribution based on snapshots. Enhancements were also made to authorized lock creation flows, preventing inconsistencies during automated integrations such as airdrops.

These fixes significantly improved the reliability of Almanak’s token distribution, governance, and reward systems, ensuring accurate execution and strengthening overall protocol security.
 

Almanak's Journey Through Our Audit Process

  1. Information Gathering:
    • Collected and reviewed all relevant documentation, including whitepapers, technical specifications, and design documents.
    • Obtained a clear understanding of the Almanak platform's functionality and intended user interactions.
    • Discussed client concerns and specific areas of focus for the audit.

  2. Manual Code Review:
    • Conducted a line-by-line review of the smart contract code, focusing on:
      • Vulnerability identification: Searching for known vulnerability classes such as reentrancy, front-running, integer overflows, and access control issues.
      • Logic flaws: Identifying inconsistencies or unintended behaviours in the code logic.
      • Solidity best practices: Compliance with secure coding standards and adherence to established guidelines.

  3. Functional Testing:
    • Developed and executed a comprehensive set of test cases covering various user interactions and edge cases.
    • Leveraged tools like Hardhat and Ganache to deploy and test the smart contracts locally.

  4. Automated Testing:
    • Employed static analysis tools like QuillShield to identify vulnerabilities through automated code scanning.
    • Utilised symbolic execution tools like Mythril to explore various code execution paths and uncover potential attack vectors.
    • Integrated the unit tests written by the Almanak team to verify specific contract functions and their behaviour.

  5. Reporting & Remediation:
    • Prepared a detailed report outlining all identified vulnerabilities, categorised by severity and potential impact.
    • Provided clear recommendations for fixing each vulnerability, including code snippets and best practices.
    • Collaborated with the Almanak Protocol team to prioritise and address the identified issues.
    • Conducted additional verification testing after vulnerability fixes were implemented.

QuillAudits' Strategic Approach to Almanak’s Security Audits

Our approach to auditing Almanak combined a security-first mindset, comprehensive threat modelling, and rigorous testing methodologies. By leveraging both white-box and black-box testing techniques, we conducted an in-depth assessment of the system. Throughout the process, we maintained transparency and clear communication with the Almanak team, ensuring a collaborative and thorough security review.
 

Comprehensive Audit Discoveries and Remediation Strategies

  • Low Severity Issues (1): These findings provide valuable insights and recommendations for improvement.
  • Informational Severity Issues (1): These findings provide valuable insights and recommendations for improvement.

Here is a breakdown of the critical vulnerabilities in audit discoveries and remediation strategies:
 

Audit Findings

1. Use Ownable2Step Instead of Ownable

Description:

The project intends to use Ownable2Step semantics (safe 2-step ownership transfer), but currently inherits from Ownable, not Ownable2Step.

This means the owner can instantly transfer ownership in one transaction, defeating the intended two-step security model documented in the code comments and project requirements.

If the owner key is compromised or misused, privileged control can be reassigned instantly without the beneficiary's acceptance.

Impact: Low

Likelihood: Low
 

2. Incorrect Accounting When Using Fee-on-Transfer Tokens

Description:

The contracts assume the token being distributed is a standard ERC-20 where the transferred amount equals the amount credited.

With Fee-on-Transfer (FoT) tokens, the contract receives or sends fewer tokens than expected due to burn/tax mechanics.

This causes:

  • Incorrect totalClaimed, totalStaked, and reward accounting
  • veToken supply inflated (deposit value > real transferred value)
  • Reward distribution mismatch in FeeDistributor

State variables become desynchronized from actual balances, resulting in early depletion or inability to distribute tokens fairly.

Impact: Medium

Likelihood: Low
 

Remediation Strategies

1. Use Ownable2Step Instead of Ownable

Replace Ownable with Ownable2Step to enforce a safer two-step ownership transfer process.
 

2. Incorrect Accounting When Using Fee-on-Transfer Tokens

Use balance-difference accounting: read the contract's token balance before and after each transfer and credit or debit only the observed difference, rather than the requested amount.
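The following contract is an added illustration of both remediations described in this section (Ownable2Step in place of Ownable, and balance-difference accounting for fee-on-transfer tokens); it is hypothetical example code, not Almanak's contracts, and assumes OpenZeppelin Contracts v5 (where the Ownable constructor takes an initial owner).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical staking vault (example only, not Almanak's code).
/// Ownable2Step: transferOwnership(newOwner) only records a pending owner;
/// control moves when newOwner itself calls acceptOwnership(). A mistyped
/// or attacker-supplied address that never accepts leaves the old owner in place.
contract StakingVault is Ownable2Step {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    uint256 public totalStaked; // tracks tokens the vault actually holds
    mapping(address => uint256) public staked;

    constructor(IERC20 token_, address initialOwner) Ownable(initialOwner) {
        token = token_;
    }

    /// Credits only what the vault really received, so a fee-on-transfer
    /// token cannot push totalStaked above the vault's real balance.
    function stake(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - before;
        staked[msg.sender] += received;
        totalStaked += received;
    }

    /// Debits what actually left the vault's balance; the user may receive
    /// less if the token taxes the transfer, but state stays in sync with
    /// the on-chain balance.
    function unstake(uint256 amount) external returns (uint256 sent) {
        require(staked[msg.sender] >= amount, "insufficient stake");
        uint256 before = token.balanceOf(address(this));
        token.safeTransfer(msg.sender, amount);
        sent = before - token.balanceOf(address(this));
        staked[msg.sender] -= sent;
        totalStaked -= sent;
    }
}
```

Checking with a mock token that burns a percentage on every transfer, `totalStaked` should equal `token.balanceOf(vault)` after any sequence of stake and unstake calls; the same test fails against a version that credits `amount` directly.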

Impressed by our findings and recommendations, the Almanak developers promptly addressed all identified vulnerabilities.

Through our collaborative efforts, the Almanak Protocol project is now significantly more secure, ensuring the protection of user funds.
 

Conclusion

The Almanak smart contracts security audit identified and addressed critical vulnerabilities, protecting user funds and ensuring platform stability. This case study demonstrates the importance of proactive security measures for blockchain-based projects, especially those dealing with financial assets. By conducting audits and addressing identified issues, the Almanak Team has taken a significant step towards securing its platform and safeguarding user trust.

All Rights Reserved. © 2026. QuillAudits - LLC